There has been a virtual firestorm over the Firesheep add-in for Firefox browser by Mozilla. There have been many weighing in on the problem, but what about Mozilla itself?
According to the director of Firefox development, Mike Beltzner, the problem is not theirs. He sees it a problem for the sites that allow it to happen, and almost sounds, in an interview covered in ComputerWorld, as though he might be doing those insecure sites a service, by forcing them to remove the problems, saving them from not-so-blatant attacks.
Mozilla today said it wouldn’t — or couldn’t — pull a "kill switch" to disable the Firesheep add-on that lets anyone steal log-on and account access information to Facebook, Twitter and other major Web services.
Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — a coffee shop’s Wi-Fi network, for instance — visits any insecure site on a list that includes the microblogging service Twitter and the hugely-popular Facebook social networking site.
Mozilla has a "blocklist" mechanism that it can, and has in the past, applied as a last-resort defense against potentially-dangerous browser add-ons. The blocklist automatically cripples or uninstalls unwanted extensions that have been added to Firefox.
But Mozilla either can’t or won’t add Firesheep to the blocklist.
One wonders why, as there appears to be no “socially redeeming value” to the add-in.
"[Firesheep] demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers," said Mike Beltzner, director of Firefox, in an e-mail reply to questions about Mozilla’s possible moves.
Beltzner did not respond to questions about whether Mozilla is technically able to cripple Firesheep, or simply chooses not to.
As Beltzner pointed out, Firesheep is not an officially-approved Firefox add-on, but was "created and distributed by a third-party developer."
Most Firefox add-ons are obtained by users from the browser’s Add-On center, which hosts Mozilla-vetted extensions.
This is fine for those obeying the rules, but what about the “bad guys”? How are they to be stopped? Is it fair to force websites to change, or people who visit them to stop doing so, simply because someone has allowed a means so that the worst tendencies of many individuals are aggravated, and brought to the fore?
In earlier instances when Mozilla has dealt the blocklist "kill switch" card, it’s done so for add-ons that the company had previously approved, but later discovered were stealing information or distributing malware. In July, for example, it yanked a password-stealing extension that had been available from Firefox’s gallery for more than a month before its malfeasance was detected.
The add-on, called "Mozilla Sniffer," contained code that intercepted login data submitted to any site, then sent that information to a remote server. Firesheep does some of the same, but it doesn’t show what it finds to anyone but the tool’s user.
In May 2008, Mozilla acknowledged that a worm had gone unnoticed in Firefox’s Vietnamese language add-on for months, and last February it warned users that the Sothink Web Video Downloader 4.0 and all versions of Master Filer were infected with a Trojan horse.
As with Mozilla Sniffer, those add-ons had also been offered in the Firefox add-on center.
Firesheep has proved very popular. Since its Sunday debut, the add-on has been downloaded nearly 320,000 times, or an average of about 79,000 downloads per day. That puts it within striking distance of the Firefox’s most popular add-on, Adblock Plus, which has averaged just over 80,000 downloads daily during its lifespan.
So the difference seems to be that the add-in is a non-recommended one, so that seems to relieve Mozilla of any responsibility. Is that really the right thing to do? Disallowing blame, what should be done?
Using Firesheep may be a criminal offense under U.S. law, suggested Chet Wisniewski, a senior security adviser at antivirus vendor Sophos. "[Firesheep] isn’t illegal, but using this tool is a crime in the U.S.," he said. "It would be considered wiretapping. You can play with it on your own network, use it for research, but not to invade the privacy of others."
Yes, that’s certainly helpful. Almost as good as the fire warnings in Southern California announced on the news, that invariably bring out the firebugs, and the wildfires they start. If the idiots on the news would have a cup of STFU, many wildfires would be prevented, as the typical moron starting them might otherwise have no means of telling when the time was right. If it was warned right after a torrential downpour, these cretins would follow the word from the news and be out trying to ignite wet grass.
While testing the tool, Wisniewski said he was careful only to use it on his own wireless network.
Wisniewski’s analysis, however, may be on shaky ground. According to federal wiretapping statutes, it’s not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured to that such electronic communication is readily accessible to the general public."
By making the add-in, the accessibility to the general public has been assured. Case closed.
During the dustup over its harvesting of information from insecure Wi-Fi networks using its Street View vehicles, Google cited the statute to claim that it had not broken the law.
Some disagreed with Google at the time. In a June story published by the Security Threat site in June, Marc Rotenberg, executive director of the Electronic Privacy Information Center, said he believed Google’s actions amounted to wiretapping, and asked the Federal Communication Commission (FCC) to investigate.
Rotenberg did not immediately reply to a request for comment on Firesheep, and whether its packet sniffing activities are similarly illegal.
Eric Butler, who created Firesheep, has defended releasing the add-on, saying that warnings by others of the site insecurities that the tool exposed have been ignored. "[Sites have] been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure Web," Butler wrote in a blog post on Sunday. "My hope is that Firesheep will help the users win."
I understand this thinking, but I’m not sure I can condone the use of this type of tool to force change. It is similar to those people who try to persuade Microsoft to change something before an exploit gets into the wild – it usually does not happen, as Microsoft is basically lazy, and changes nothing not according to its own plan.
Butler and his colleague, Ian Gallagher — the two led a Firesheep presentation at last weekend’s ToorCon security conference — have declined Computerworld‘s requests for interviews. Instead, Gallagher said in an e-mail Tuesday, the pair plan to use Butler’s blog to answer media inquiries.
Mozilla’s Beltzner suggested that Firefox users could protect themselves against Firesheep sniffing and hijacking by installing Force-TLS to force the browser to use an encrypted HSTS (HTTP Strict Transport Security) connection when it accesses certain sites.
The problem here is, will people remember to do so, on known problem sites, and further, who will assemble a list of problem sites, and disseminate it to the greater internet-using public?
"Mozilla recommends that Web sites start supporting HSTS, which will be supported by default in Firefox 4," Beltzner added.
On Tuesday, security experts offered several other strategies for defending against Firesheep snooping.
Perhaps we should all visit the site in that last link. I’d also reconsider my browser choice – if I were a user of a Mozilla product.
≡≡≡≡≡≡≡≡≡≡ Ḟᴵᴺᴵ ≡≡≡≡≡≡≡≡≡≡