A Woolly Decision

If you haven’t heard about Firesheep yet, then it may be too late. The Firefox add-on created by Eric Butler has enabled inexperienced hackers to successfully hijack Facebook, Twitter, and, when first released, PayPal accounts. While his motivation to promote more security-savvy web browsing was appropriate, the mode of release was damaging and undermined his goal.

Butler claims on his webpage that “[websites have] been ignoring this responsibility [to protect users] for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.” However, the move by Butler compromised the privacy of thousands who found their accounts hijacked without warning. This kind of security breach—granting access to private messages, photos, contact information, and monetary accounts—is unacceptable.

Instead, Butler should have publicized that he had created this plug-in, warning people and websites of its imminent release and of the dangers to come if they failed to boost security protocols. This would have yielded the benefits that Butler intended since it would have created the impetus for more secure and savvy web surfers, but it would have avoided the abundant risk of the technology’s actual release.

While forgoing due warning was ill-conceived, Butler did raise awareness in a very powerful way about the risks of open networks and the serious lack of security provided by some major websites, including Facebook and Twitter. The success of these websites is dependent on users’ sense of security, and such basic lapses in security should have been corrected long ago. Websites must bear the blame for leaving users unprotected, and  now that the plug-in is out there, sites need to work at full speed to repair these holes and protect their users.

Additionally, the general public would do well to recognize the dangers of open networks and work to avoid taking serious risks. At Harvard, students must realize our wireless network is open, despite the requirement of a Harvard PIN, and should take precautionary measures whenever possible. Specifically, we encourage students to use a wired connection or mobile phone when making online purchases or providing private information.

Given the available measures to improve security, students should not continue to browse unprotected. Even if they don’t care about their own privacy, individuals must recognize that the privacy of friends depends on their actions, given that friends’ information can be accessed through others’ Facebook accounts, for instance. Virtual private networks and automatic redirects to https, with add-ons like HTTPS Everywhere, are easy methods to better protect against this mode of hacking.

In light of the events surrounding Firesheep’s release, we applaud Mozilla and the open-source community for generating a timely remedy. No longer do we need to wait for private companies to fix web-browser security issues. While Facebook says it hopes to have an SSL option, a security protocol that encrypts data, in the coming months, the open-source community already has produced protective add-ons, including HTTPS Everywhere and the aptly-named FireShepherd.

Butler’s choice to release Firesheep was certainly a lapse in judgment, since it put so many in harm’s way, but doing so has brought home the crucial importance of Internet security. We hope that, in the face of Firesheep, users and websites take the necessary steps to ensure it does as little damage as possible.