[LINK] Firesheep

[Paul Brooks]

On 18/02/2011 9:35 PM, stephen at melbpc.org.au wrote:
> Firesheep
>
> http://codebutler.com/firesheep
[SNIP]
> The only effective fix for this problem is full end-to-end encryption, 
> known on the web as HTTPS or SSL. 

This may be a (yet another small) driver towards IPv6 - the growing demand for IPSEC
authentication or encryption at the session layer.
IPSEC operates at the IP layer, and protects all protocols above it, while HTTPS only
protects HTTP traffic, and SSL generally only protects a small number of protocols
such as HTTP,  FTP and email.

IPv6 requires all endpoints to implement IPSEC, where for IPv4 IPSEC support is optional.
 
This doesn't mean IPv6 is more secure - at the end of the day, its up to the software
at each end to actually *use* the IPSEC capability, just because the capability is
guaranteed to be there doesn't mean everyone will be guaranteed to take advantage of
it. That said, if the popular websites such as Facebook etc enabled IPSEC encryption
for all incoming connections then takeup would grow as more and more people became
aware of the issue - and just maybe eventually it might become a default configuration
for end user installations.

That said, for now I use a plugin called "HTTPS-Anywhere" which attempts to make a
HTTPS connection to every site, whether the URL asks for it or not - and which falls
back to HTTP only if the HTTPS attempt fails - which should protect me against this
Firesheep - or would, in the unlikely event I used Facebook.

P.