I spoke with Chris Palmer, director of technology for the San Francisco based Electronic Frontier Foundation about Firesheep, HTTPS and web security:
LK: Why do we need HTTPS anyhow?
CP: Because it's the best available protocol for web applications that provides any security at all. Remember, HTTPS is the bare minimum baseline for web security.
LK: If it's so vital, why haven't websites focused more on implementing HTTPS across their sites?
CP: There are several reasons.
1. If they are aware of the problem at all, web app developers continue to believe, incorrectly, that passive and/or active network attacks are difficult, expensive, and/or rare. In fact, passive and active network attacks are (and have been for some time; nevermind Firesheep) cheap, easy, and not uncommon. Therefore, developers don't realize they need to seek a solution.
2. Developers and business people incorrectly believe that "encryption is computationally expensive", and that therefore deploying HTTPS would require vastly more server resources. In fact, symmetric encryption performs on par with functions like compression that are universally understood to be affordable; web applications are I/O-bound, not CPU-bound; and most web sites pay an I/O cost far higher than necessary. Although HTTPS does incur some additional network I/O, most HTTP sites do more (or much more) network I/O than is necessary --- thus, HTTPS is not the problem.
The result is that, if operators really do care about cost and performance, they can tune their sites to be faster and cheaper to run even with HTTPS.
LK: Is it technically challenging to implement HTTPS?
CP: Not inherently. However, sites that have accumulated "technical debt" may have a high cost of change. The cost is not specific to HTTPS; technically indebted software always has a high cost for ANY change. Developers who labor for 5 - 10 years under the belief that HTTP is secure will have embedded that assumption into the core of their software, and un-doing the mistake can be expensive. But again, that is not specific to HTTPS.
LK: There has recently been talk of Blacksheep, a browser plugin that alerts users when someone on the same network is using Firesheep. Does this offer protection from Firesheep?
CP: No.
LK: Eric Butler, the creator of Firesheep, has opened a can of worms. Is this his fault?
CP: The worms were already legion and crawling around all over the place. Firesheep merely grabs some of the already-present worms and puts them in your cereal. The real problem is that site operators have chosen to pass on the risk of using the Internet to their users, by not deploying a minimum standard of safety engineering. We users, security experts, and security activists should make maximum use of the Firesheep brouhaha to pressure site operators to meet the minimum safety standard.
Actually using Firesheep on non-consenting people is of course unethical, but I would not put the blame for such misuse on the Firesheep developers.
LK: What can we do to protect ourselves while surfing the web on open Wi-Fi networks?
CP: HTTPS Everywhere attempts to make maximal use of HTTPS for some sites that make HTTPS service available, and the latest release also secures the cookies for some sites. However, be aware that HTTPS Everywhere is necessarily limited; basically it is working in spite of site operators who have chosen not to deploy HTTPS correctly or completely.
This is why EFF, Access Now, and others urge people to contact site operators and demand HTTPS service. I would hold GitHub.com up as an example of how operators should respond to the news that HTTP is unsafe.
37.7749295 -122.4194155
HTTPS Everywhere can help protect you while surfing the web.Last month, a Firefox plugin called Firesheep was released onto the web. It allows anyone on an unsecure Wi-Fi network to see when another person on that network is using a service like Facebook or Twitter, and hijack their login to appear as that user.