We at Security Innovation were happy to hear on Wednesday that Facebook will be rolling out transport encryption as an option for your entire session, not just during the password exchange (http://blog.facebook.com/blog.php?post=486790652130).
We recommend that if you use Facebook you follow the instructions in the blog to set the option to turn it on when it becomes available to you. The reason we are particularly gratified is that the Firesheep tool our consultants played a part in putting together was one of the reasons the project got the attention it deserved, according to a recent article in SC Magazine.
This was exactly why Firesheep was created -- to bring attention to an issue that was well known by security professionals, but not more generally known by consumers of web commerce and social media content. We should not forget, many other sites still have the same problem. Before you use a site or application that contains personal information, be sure your entire session is encrypted if the option exists.
What is particularly illustrative about this case is the amount of time it took for Facebook to get to the point of announcing it, and it is still not rolled out. Firesheep was made available over four months ago, and Facebook said at the time they were already looking at the issue. If a company with the resources and visibility of Facebook can have its most high profile page hacked and not deal with one of the most basic of security issues for months, what chance does everybody else have?
This case illustrates what we at Security Innovation do every day. The cool hacks and attack techniques might get the attention, but it’s the detailed technical work that needs to be done by application developers as part of their day by day responsibilities that is where the real improvements in security are going to come from.
By working with experts in the field and using the learning that’s available, this work does not have to increase the cost or time it takes to develop applications. Fixing it after the fact will definitely cost. The team at Facebook just did some of that work. If you don’t have the development resources of Facebook (and who does?), we can help you do the same.