The Firesheep Test?

My guess is that the author of Firesheep doesn’t have any malicious intent. By putting out a simple plugin that lets you intercept unencrypted login information for many popular sites as it flows over public wi-fi networks, and then assume the identity associated with a login, he is laying down a challenge: prove to me that you care about the security / privacy of your users!

Using HTTPS / SSL is obviously an easy way to prevent this session hijacking, but encrypting all traffic in and out of a site like Facebook / Twitter isn’t cheap, in fact i’d be amazed if its even possible without a massive resizing / scaling outlay.

It’s one of those issues that is easy to dismiss: never trust an open network; it’s only twitter / facebook / etc. but i suspect it won’t go away quietly as people can easily imagine what it would be like to lose control of a web mail account, or some ‘professional networking site’ (think someone hi-jacking your LinkedIn account and spamming your connections with links to porn sites…)

My feeling is that we are witnessing the start of a fight for a right to online protection from snooping, and ultimately meaningful privacy protections. Governments are going to fight this tooth and nail because they are afraid of everything they can’t control / spy on / coerce, but it’s coming. We have the crypto tools to start skirmishing in this war… Who’s up for a key swapping party?