Network Computing is part of the Informa Tech Division of Informa PLC

Releasing Firesheep: Right Intention, Wrong Action: Page 2 of 2

Firesheep makes it so easy, even a caveman could do it. And that means many users, perhaps even the majority of web users, are totally helpless to protect against the attack. TechCrunch points to a potential workaround using another Firefox extension, Force-TLS, which tries to force the browser to use TLS, but how many users will actually use it? For that matter, how many sites will Force-TLS be useful on? It can only help where the site actually serves every page of the session over HTTPS; if the site itself sends the post-login pages over plain HTTP, there is nothing for the browser to force.
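As an added illustration that is not part of the original article: the Python script below shows, on a constructed plaintext HTTP request, what a Firesheep-style sniffer needs from the wire (the Host header and the session cookie) and what a site has to set so that the cookie never travels in the clear. The capture, the host name social.example, the cookie value and the list of session cookie names are all made up for the example; the Strict-Transport-Security header is the standardized successor to what Force-TLS did on the client side.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a real capture): what a sniffer on an open Wi-Fi network sees
# when a browser that logged in over HTTPS goes on to fetch a page over plain HTTP.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: theme=dark; sessionid=3a9f1e2b7c44d5e6; lang=en\r\n"
    b"\r\n"
)

# Hypothetical list of cookie names that carry a login session. Firesheep used
# per-site handlers instead of a generic list; this stands in for them.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID", "ASP.NET_SessionId"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict."""
    cookies = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def sidejack(raw_request: bytes) -> Dict[str, object]:
    """Attacker side: pick the host and the session cookie out of a plaintext request."""
    _, headers = parse_request(raw_request)
    cookies = parse_cookie_header(headers.get("cookie", ""))
    stolen = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
    return {"host": headers.get("host", ""), "session": stolen}


def replay_request(host: str, path: str, session: Dict[str, str]) -> bytes:
    """Build the request the attacker sends to act as the victim; no password needed."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in session.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


# Defender side. A browser only attaches a cookie carrying the Secure attribute to https://
# requests, so a Secure session cookie never shows up in a request a sniffer can read.
def parse_set_cookie(header: str) -> Tuple[str, str, set]:
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = name_value.partition("=")
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    return name, value, flags


def cookies_sent_over(scheme: str, set_cookie_headers: List[str]) -> Dict[str, str]:
    """Model the browser's decision: which stored cookies go out on a request of this scheme."""
    sent = {}
    for header in set_cookie_headers:
        name, value, flags = parse_set_cookie(header)
        if "secure" in flags and scheme != "https":
            continue
        sent[name] = value
    return sent


def audit_session_cookie(set_cookie: str, hsts: Optional[str]) -> List[str]:
    """Findings a site should fix before assuming an HTTPS login protects the session."""
    _, _, flags = parse_set_cookie(set_cookie)
    findings = []
    if "secure" not in flags:
        findings.append("missing Secure: the browser will send this cookie over plain HTTP")
    if "httponly" not in flags:
        findings.append("missing HttpOnly: script on the page can read the cookie")
    if not hsts:
        findings.append("no Strict-Transport-Security: a typed http:// URL still starts in the clear")
    return findings


WEAK_SET_COOKIE = "sessionid=3a9f1e2b7c44d5e6; Path=/"
HARDENED_SET_COOKIE = "sessionid=3a9f1e2b7c44d5e6; Path=/; Secure; HttpOnly"
HSTS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    loot = sidejack(CAPTURED_REQUEST)
    print("attacker gets:", loot)
    print(replay_request(loot["host"], "/home", loot["session"]).decode())
    print("weak cookie, http request:", cookies_sent_over("http", [WEAK_SET_COOKIE]))
    print("hardened cookie, http request:", cookies_sent_over("http", [HARDENED_SET_COOKIE]))
    for finding in audit_session_cookie(WEAK_SET_COOKIE, None):
        print(" -", finding)
```

The point of the two halves is that the attack needs nothing from the victim but one plaintext request; a Secure session cookie plus site-wide HTTPS removes that request entirely, which is what a client-side extension like Force-TLS can only approximate on sites that already offer HTTPS everywhere.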

The potential for damage is probably as big as the DNS cache-poisoning bug that Dan Kaminsky found in 2008. Kaminsky worked with the DNS server vendors and providers to develop patches, agree on a workable fix, and get it deployed before he discussed the bug publicly. This gave everyone time to address the problem before it had a chance to spread.

Granted, the situation with session cookies is different. The problem is already known and being actively ignored by Web sites that don't use SSL/TLS to encrypt Web sessions. I understand why Butler released the tool. I get frustrated by Web sites or companies that fail to address security issues unless they are forced to. But I think it was the wrong move. Let's remember that there is a victim here. I suspect there will be an increase in sidejacking, but that doesn't mean Web sites will do anything about it. In this case, I don't think any real good will come from this full disclosure.