Okay, I admit it. Although I have lived in Silicon Valley for over ten years, I wasn't much of a San Francisco Giants fan until they started making their recent run in the playoffs. It was fun to root for a collection of young talent and seasoned veterans working together as a team. Fear the Beard, Let Timmy Smoke, Kung Fu Panda, and other characters made the team very easy to like. Well, I have another bandwagon to jump on: the discussion around Firesheep.
There have been several articles about a guy at a Starbucks in New York City who used Firesheep to "educate" people on the risks of using free public WiFi. In a nutshell, Firesheep is an extension to Firefox that captures the session cookies other users on the same open WiFi network send in the clear. This is not a particularly new vulnerability; since much of Internet traffic is unencrypted, it is straightforward to monitor wireless Internet traffic. So a software developer, Gary LosHuertos, goes into a local Starbucks, starts up Firesheep and collects the identities of several other patrons. He then sends them messages from their own Facebook accounts warning them of the danger of their browsing. His story has been picked up by a number of websites, including The Register and McAfee Labs.
Clearly there are steps that a user should take when operating on a public WiFi. However, for someone who works in the area of data center security, the responsibility for this type of exposure lies with the businesses. Businesses should be offering their websites with encryption, particularly when credentials are exposed, including cookies; and the encryption should be the default. The problem exposed by Firesheep would be avoided if the website used HTTPS (SSL/TLS) whenever login information is required. This is not 1995; modern-day computers can easily handle the encryption, particularly the recent generation of PCs and servers. So please, all you e-businesses and social sites out there, as a consumer I ask: could you implement more encryption in your services? And for those websites that have shown the leadership to offer HTTPS versions of their sites, make the encrypted version the default. This latter case can be addressed by another Firefox plug-in from the Electronic Frontier Foundation called HTTPS Everywhere. This plug-in forces connections to HTTPS for sites that offer it. So even if we forget and type in Facebook.com, it will direct us to https://www.facebook.com rather than the default http://www.facebook.com. The same goes for Google and other websites that have an HTTPS version.
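Offering HTTPS only helps if the session cookie is never sent over plain HTTP, which is what the cookie's Secure attribute controls. The following is an added example, not code from the original post or from Firesheep or HTTPS Everywhere: a minimal model of the browser's cookie-sending rule applied to a constructed weak Set-Cookie header beside its hardened form, plus a toy HTTPS-upgrade rule in the spirit of HTTPS Everywhere (the host list and cookie values are constructed for illustration).

```python
# Added example (not from the original post). Models two defender-side checks:
# 1. which cookies a browser would send in the clear on an http:// request,
# 2. upgrading http:// URLs to https:// for hosts known to serve HTTPS.
# All header values and host names below are constructed for illustration.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Constructed Set-Cookie headers: the weak configuration beside the corrected one.
WEAK_HEADERS = ["sessionid=constructed-session-token; Path=/; HttpOnly"]
HARDENED_HEADERS = ["sessionid=constructed-session-token; Path=/; Secure; HttpOnly"]

# Constructed stand-in for an HTTPS Everywhere-style ruleset.
HTTPS_CAPABLE_HOSTS = {"www.facebook.com", "www.google.com"}


def parse_set_cookie(headers):
    """Parse Set-Cookie header values into dicts recording name, Secure and HttpOnly."""
    jar = []
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            # Flag attributes are True when present and "" when absent.
            jar.append({"name": name, "secure": bool(morsel["secure"]),
                        "httponly": bool(morsel["httponly"])})
    return jar


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url.
    A cookie marked Secure travels only when the scheme is https."""
    scheme = urlsplit(url).scheme
    return [c["name"] for c in jar if scheme == "https" or not c["secure"]]


def exposed_over_http(jar):
    """Cookies that would cross an open WiFi network in the clear on any http:// request."""
    return cookies_sent(jar, "http://example.test/")


def rewrite_to_https(url):
    """Upgrade an http:// URL to https:// when the host is known to serve HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HTTPS_CAPABLE_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "cookies exposed over http:", exposed_over_http(parse_set_cookie(headers)))
    print(rewrite_to_https("http://www.facebook.com/"))
```

Running the block shows the weak configuration exposing `sessionid` over HTTP while the hardened one exposes nothing, which is the difference between offering HTTPS and actually protecting the session.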
What do you think? Do you think more data centers should implement HTTPS on their servers? What are the barriers to broader adoption of HTTPS? Or, like our NYC Samaritan, do you feel it is fruitless: "No matter how many security measures we provide to the world, there will always be people who leave the door open, even after they've had an intruder. The weakest link in security has been, and always will be, the user's judgement."