Security Alert: Firefox Add-On Enables Hijacking of Web Sessions
This news item expired December 31, 2010. It may contain out-of-date information.
November 9, 2010 12:00 a.m. CST
A new Firefox add-on called Firesheep allows users to monitor unencrypted Wi-Fi networks for unencrypted web sessions. A point-and-click interface enables hackers to hijack web sessions and assume someone else's identity. This allows even people with little technical expertise to become effective hackers.
NOTE: Logging into someone else's account knowingly and without permission is a violation of both Iowa and Federal laws.
More information about session hijacking
More information about Firesheep
Although Iowa State's network is unencrypted, important ISU applications are encrypted using SSL. A URL that begins with "HTTPS:" rather than "HTTP:" and a small padlock displayed in the browser indicate that you are using SSL.
Examples of SSL-protected applications include those that you access through the Single Sign-On for the Web login page. This includes CyMail, Iowa State's official email application for students. Outlook Web Access (OWA), AccessPlus, and WebCT are also protected.
If you are using a third-party web-based email service, you will need to take steps to protect your email from being compromised. Here are tips for securing some popular third-party web-based email services:
- Gmail: Under Settings --> General --> Browser connection, make sure that "Always use https" is selected.
- AOL: There is no option to use SSL in the AOL webmail client. To ensure that your email is secure, read your AOL mail with the AOL software or an email client such as Outlook Express, Thunderbird, or Mac OS X. Instructions are available here.
- Yahoo Mail: There is no option to use SSL in Yahoo Mail. If you have purchased Yahoo Mail Plus, you can use secure POP access with Outlook Express, Thunderbird, or another email client. More information is available here.
Your browser sessions can be hijacked regardless of which operating system (e.g., Windows, Mac, or Linux) or which browser (e.g., Internet Explorer, Firefox, or Chrome) you are using. Please make sure that your email is protected, and use caution when browsing the internet on any unencrypted Wi-Fi network.
More information about how to protect yourself on unencrypted networks