How to protect yourself from Firesheep

[Firesheep](http://codebutler.com/firesheep) is a Firefox extension that lets its user steal login cookies for popular websites from anyone browsing on the same network, and then log in as that person. It was released last week and has already forced sites like Facebook to issue statements addressing security. I downloaded it just now to test it out, and ran it while I logged in to Facebook, Gmail, Amazon, Twitter, and other sites I frequent often. Here's what Firesheep sniffed out:


Firesheep can log in to a lot of the sites I use

Double-clicking on an avatar or account in the sidebar immediately opened a browser session as me, logged in to the website shown. Anyone running Firesheep on an open network can sniff out the session of, and log in as, anyone on that network who is actively using the websites Firesheep knows about.

To combat this attack, everyone should immediately install the [HTTPS Everywhere](https://www.eff.org/https-everywhere) extension for Firefox or the [Use HTTPS](https://chrome.google.com/extensions/detail/kbkgnojednemejclpggpnhlhlhkmfidi) extension for Google Chrome. These plugins redirect you to secure versions of supported websites, preventing you from ever accessing them the normal (insecure) way. If you are not using Firefox or Chrome, you should switch.

These extensions won't protect you on sites that don't support site-wide HTTPS, like eBay, Amazon, and others, but it's a start.


EFF's HTTPS Everywhere for Firefox secures these sites by default

You can tell if your session is secure by looking for "https://" in the location bar, or by looking for visual cues like a lock icon (Chrome) or a green background (Firefox).


A secure browsing session in Firefox


A secure browsing session in Chrome

This is not a new problem, but it is the first time there has been an easy way for anyone to exploit the issue. It's likely that every major website will now have to address the way their session information is stored, but it may be some time before they can react.
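For site operators, the first thing to check is which cookies can cross the network unencrypted. The following audit is an added example, not code from Firesheep or from either extension; the host names, cookie values and the `exposed_cookies` helper are constructed for illustration.

```python
# Added example: flag cookies that can travel over plain HTTP, where anyone
# listening on the same network can read them.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def exposed_cookies(responses):
    """Return sorted (host, cookie, reason) tuples for cookies at risk.

    `responses` is a list of (url, [Set-Cookie header values]) pairs.
    """
    findings = set()
    for url, set_cookie_headers in responses:
        target = urlsplit(url)
        for header in set_cookie_headers:
            name, _value, attrs = parse_set_cookie(header)
            if target.scheme != "https":
                findings.add((target.hostname, name, "set over plain HTTP"))
            elif "secure" not in attrs:
                # Issued over HTTPS, but without Secure the browser also
                # attaches it to later http:// requests to the same site.
                findings.add((target.hostname, name, "missing Secure attribute"))
    return sorted(findings)

# Constructed sample: one site encrypts only its login page, the other
# marks its session cookie Secure.
SAMPLE = [
    ("https://shop.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("http://shop.example/cart", ["cart=42; Path=/"]),
    ("https://mail.example/", ["sid=xyz789; Path=/; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for host, name, reason in exposed_cookies(SAMPLE):
        print(f"{host}: cookie {name!r} exposed ({reason})")
```

A login cookie issued over HTTPS without the `Secure` attribute is still sent in the clear as soon as the browser requests an `http://` page on the same site, which is why HTTPS on the login page alone does not help.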

Good luck staying secure!