Mozilla has once again done what it has been doing every six weeks for over a year now. Confused? Well, we’re talking about the highly controversial tri-fortnightly practice of bundling up a handful of new Firefox features, tweaks and bug fixes, and pretending that the ensuing software package is significant enough to be rolled out as a major version update. In other words, Mozilla has once again updated its flagship browser.
If the idea of sending your shady search queries into the ether makes you a little nervous, Google is coming to the rescue with a plan to encrypt searches. In the next few weeks, users who are signed in to their Google account will automatically be directed to the HTTPS search page for secure searches.
Twitter has added a new security option that lets you use Hypertext Transfer Protocol Secure (HTTPS) by default when accessing the microblogging service. According to Twitter, this should help ease your mind when logging into the service from an unsecured Wi-Fi connection, like a public hotspot. The ability to use HTTPS to access Twitter has actually been around for some time; in the past, though, you had to manually navigate to https://twitter.com.
"Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, or schools. The option will exist as part of our advanced security features, which you can find in the Account Security section of the Account Settings page," the company wrote in a blog post. Eventually, HTTPS will be made the default setting.
Social authentication is another new security feature introduced by the company: “Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are.”
These security updates come close on the heels of two high-profile hacks. FB founder Mark Zuckerberg and French President Nicolas Sarkozy have both had their official fan pages hacked in the last few days.
“Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
Is that true? Well, test the waters yourself with Eric Butler's Firesheep extension for Firefox--a one-button way to collect the unsecure logins and passwords being thrown across open Wi-Fi networks!
Hacking into someone else’s Facebook or Twitter account is now as easy as installing a browser extension. Firesheep is a new Firefox extension designed to hijack sessions belonging to 26 online services, including Amazon, Facebook, Foursquare, Google, Twitter, and Yahoo. The packet sniffing tool springs into action the moment someone logs in to any of the supported sites over an open Wi-Fi connection.
The extension’s uncomplicated interface occupies a sidebar on the left side of the Firefox window. Once enabled through the “Start Capturing” option, Firesheep begins displaying names and photos associated with different accounts being accessed using the open Wi-Fi network. Double clicking on an account puts you in complete control as “you're instantly logged in as them.”
Despite its increasing popularity among amateur hackers, the extension is only meant to raise awareness about the need for “end-to-end encryption, known on the web as HTTPS or SSL.”
“Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Eric Butler, Firesheep’s co-author, wrote in a blog post.
Meanwhile, Mozilla has made it clear that it does not intend to block the extension as it merely exposes “a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers.”
Security is important, yo. While a lot of sites on the ol' World Wide Web might support HTTPS connections, that doesn't mean that typing www.sitename.com into your browser will always pull up an encrypted connection between you and your final location. But don't take my word for it. Quoth the Electronic Frontier Foundation:
"Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site."
So how, then, do we address this problem? Step one is staring at the little lock icon within your browser. If the lock ain't locked, then you're not rocking a secure connection. Easy as that.
Use of https by Gmail users has been an option since 2008. Google’s Gmail blog says it’s a matter of speed versus security, with https being more secure because mail is encrypted while traveling between browser and server, but slower for the same reason. You, the end-user, got to make the choice. But now that things are getting nasty, Google sees some wisdom in setting the default to the more secure setting.
Google isn’t going to force you to use https if you don’t want to. You can opt out by changing your Gmail browser connection setting to “Don’t always use https”. Google will still retain encryption on the Gmail login page, however, so your password remains protected.