Mozilla: No 'kill switch' for Firesheep add-on
It won't -- or can't -- yank session hijacking add-on from Firefox
Computerworld - Mozilla today said it wouldn't -- or couldn't -- pull a "kill switch" to disable the Firesheep add-on that lets anyone steal log-on and account access information to Facebook, Twitter and other major Web services.
Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- a coffee shop's Wi-Fi network, for instance -- visits any insecure site on a list that includes the microblogging service Twitter and the hugely popular Facebook social networking site.
Mozilla has a "blocklist" mechanism that it can apply, and has applied in the past, as a last-resort defense against potentially dangerous browser add-ons. The blocklist automatically cripples or uninstalls unwanted extensions that have been added to Firefox.
But Mozilla either can't or won't add Firesheep to the blocklist.
"[Firesheep] demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers," said Mike Beltzner, director of Firefox, in an e-mail reply to questions about Mozilla's possible moves.
Beltzner did not respond to questions about whether Mozilla is technically able to cripple Firesheep, or simply chooses not to.
As Beltzner pointed out, Firesheep is not an officially approved Firefox add-on, but was "created and distributed by a third-party developer."
Most Firefox add-ons are obtained by users from the browser's Add-On center, which hosts Mozilla-vetted extensions.
In earlier instances when Mozilla has dealt the blocklist "kill switch" card, it's done so for add-ons that the company had previously approved, but later discovered were stealing information or distributing malware. In July, for example, it yanked a password-stealing extension that had been available from Firefox's gallery for more than a month before its malfeasance was detected.
The add-on, called "Mozilla Sniffer," contained code that intercepted login data submitted to any site, then sent that information to a remote server. Firesheep does some of the same, but it doesn't show what it finds to anyone but the tool's user.
In May 2008, Mozilla acknowledged that a worm had gone unnoticed in Firefox's Vietnamese language add-on for months, and last February it warned users that the Sothink Web Video Downloader 4.0 and all versions of Master Filer were infected with a Trojan horse.
As with Mozilla Sniffer, those add-ons had also been offered in the Firefox add-on center.
Firesheep has proved very popular. Since its Sunday debut, the add-on has been downloaded nearly 320,000 times, or an average of about 79,000 downloads per day. That puts it within striking distance of Firefox's most popular add-on, Adblock Plus, which has averaged just over 80,000 downloads daily during its lifespan.
Using Firesheep may be a criminal offense under U.S. law, suggested Chet Wisniewski, a senior security adviser at antivirus vendor Sophos. "[Firesheep] isn't illegal, but using this tool is a crime in the U.S.," he said. "It would be considered wiretapping. You can play with it on your own network, use it for research, but not to invade the privacy of others."