Regarding this security issue: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/

Is it true to say "any time a user logs into a site and isn't redirected to an SSL/TLS/HTTPS connection, the session cookies are vulnerable"?

What is the best solution to protect Facebook credentials, and how does it work?

Is there any way to have a secure session and not have SSL/TLS? In other words, is there any way to make it so that cookies on one machine can't be replayed on another?

The reason the last question is important is that Google AdSense does not support SSL/TLS and therefore forces the designer to expose all cookies. This will in turn affect every site that relies on AdSense.

+3  A: 

The problem is that the cookies are sent in the clear on the network if you don't have SSL/TLS.

Anyone listening to the TCP/IP traffic can read unencrypted data and can read your cookies.

When you have them, you can copy them onto your own computer and they will work...

You need SSL/TLS!

Loïc Février
A: 

For your own sites, you can design cookies to be more secure: http://jaspan.com/improved_persistent_login_cookie_best_practice

But because Facebook hasn't done this, the only option is to use SSL.

Robert
-1 this "triplet" does not stop sniffing.
Rook
True, it doesn't completely prevent sniffing but it makes it much less valuable to an attacker and makes it easier to detect. Or am I misunderstanding the article?
Robert
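The "triplet" scheme the linked article describes (username, a per-login series identifier, and a token that is rotated on every use) can be shown in a few dozen lines. The code below is an added example written for this thread, not code from the linked article or from any of the answerers; it assumes an in-memory server-side store, a colon-separated cookie value, and that the token is rotated on each successful request. It also shows the `Secure` and `HttpOnly` attributes on the `Set-Cookie` header, which only help if the site is actually served over HTTPS. The point worth checking is the one Rook and Robert argue about: a sniffed copy of the cookie still works until the legitimate browser next presents it, but once both copies have been used, the series matches and the token does not, and the server can revoke every login for that user.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie


class PersistentLoginStore:
    """Server-side state for the series/token persistent-login scheme.

    Assumption (constructed for this example): a dict keyed by series
    identifier holding the owning user and a hash of the current token.
    """

    def __init__(self):
        self.series = {}  # series_id -> {"user": str, "token_hash": str}

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Start a new series at login; returns the cookie value to set."""
        series_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self.series[series_id] = {"user": user, "token_hash": self._hash(token)}
        return f"{user}:{series_id}:{token}"

    def validate(self, cookie_value):
        """Check a presented cookie.

        Returns (status, user, new_cookie):
          "ok"             - valid; token rotated, new_cookie must be set
          "theft_detected" - series known but token stale: a copy was replayed,
                             so every series for this user has been revoked
          "invalid"        - malformed or unknown cookie
        """
        try:
            user, series_id, token = cookie_value.split(":")
        except ValueError:
            return ("invalid", None, None)
        entry = self.series.get(series_id)
        if entry is None or entry["user"] != user:
            return ("invalid", None, None)
        if hmac.compare_digest(entry["token_hash"], self._hash(token)):
            new_token = secrets.token_urlsafe(16)
            entry["token_hash"] = self._hash(new_token)
            return ("ok", user, f"{user}:{series_id}:{new_token}")
        # Valid series, wrong token: someone used an older copy of this
        # cookie. Treat it as theft and log the user out everywhere.
        self.revoke_user(user)
        return ("theft_detected", user, None)

    def revoke_user(self, user):
        for sid in [s for s, e in self.series.items() if e["user"] == user]:
            del self.series[sid]


def build_set_cookie(value, name="login"):
    """Render a Set-Cookie header with Secure and HttpOnly attributes.

    Secure stops the browser sending the cookie over plain HTTP; HttpOnly
    keeps it out of reach of page scripts. Neither helps if the site itself
    never uses HTTPS.
    """
    c = SimpleCookie()
    c[name] = value
    c[name]["secure"] = True
    c[name]["httponly"] = True
    c[name]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = PersistentLoginStore()
    victim_cookie = store.issue("alice")
    sniffed_copy = victim_cookie          # what a passive listener would see
    print(build_set_cookie(victim_cookie))
    status, _, victim_cookie = store.validate(victim_cookie)  # victim browses
    print("victim:", status)
    status, _, _ = store.validate(sniffed_copy)               # stale copy replayed
    print("replay:", status)
    print("victim after revoke:", store.validate(victim_cookie)[0])
```

The detection works in both orders: if the stale copy is used first, the legitimate browser's next request is the one that trips the check. Either way the user is logged out and forced to re-authenticate, which is the limit of what this scheme offers without TLS.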
A: 

When you are transmitting data in the open (unencrypted) there is NO WAY to protect your information, especially not using a cookie which is a well-known and widely used protocol for storing insensitive user information. You may try tricks and hacks to assert that only the person to whom the cookie was issued is the one who can use it, but that is not what cookies were designed for. COOKIES ARE NOT A SECURITY FEATURE!

If you want privacy, use encryption. It's as simple as that. SSL certs are cheap (as low as $10 per year). If security and privacy are a requirement, there is no excuse not to use SSL.

jathanism