
If you are an active Twitter and Facebook user you may already have heard the buzz about Firesheep, a Firefox extension created by developer Eric Butler which allows hijacking Twitter and Facebook accounts by stealing cookie information over open Wi-Fi networks. So one developer creates an extension that exposes security loopholes in Twitter, Facebook and other sites. Fortunately there is already a Firefox extension called Force-TLS available to protect you from this happening with Firesheep.
When you log in to a website by entering your username and password, that website's server checks whether your username and password match an actual account. If they do, it replies with a "cookie" which the browser then sends with every subsequent request.
Since many websites use HTTP instead of HTTPS, it is easy for an attacker on the same network to capture a user's cookie. This is called HTTP session hijacking, or sidejacking, and with the cookie the attacker can do anything the user can do on that website.
The Firesheep extension just exposes this problem.
After installing the Firesheep extension, you connect to any busy open Wi-Fi network and click the Start Capturing button. When someone visits an insecure website known to Firesheep, their name and photo are shown.
Double-clicking on someone logs you into their account.
So the whole world knows about this extension, and users with bad intentions, especially hackers, start hacking the Twitter and Facebook accounts of users on insecure open Wi-Fi connections. So the Force-TLS Firefox extension comes to the rescue.
Force-TLS forces the websites you configure to connect via HTTPS. All you need to do is install the Force-TLS extension.
1. After installing the extension, open Tools > ForceTLS Configuration.
2. In the ForceTLS settings, under the address of website field, add the domain names you want to always connect via HTTPS, and make sure Force subdomains is checked too.
3. Restart Firefox.
The good news for Firefox lovers is that the upcoming Firefox 4 will ship with HTTP Strict Transport Security (Force HTTPS) support, which forces Firefox 4 to visit websites via HTTPS only. via [TechCrunch]
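As an added illustration (not code from this post, from Force-TLS or from Firefox), here is a small Python model of the rule that both the Force-TLS domain list and HTTP Strict Transport Security enforce inside the browser: a policy store, a parser for the Strict-Transport-Security header, and an upgrade function that rewrites http:// URLs to https:// for covered hosts, honouring the "force subdomains" / includeSubDomains option and HSTS expiry. All hostnames are constructed examples.

```python
"""Model of the "force HTTPS" rule that Force-TLS (a per-domain list with a
"force subdomains" option) and HTTP Strict Transport Security apply in the
browser: an http:// request to a covered host is rewritten to https:// before
it is sent, so the session cookie never crosses the open Wi-Fi in the clear.
Hostnames used in tests are constructed examples."""
from urllib.parse import urlsplit, urlunsplit

def force_tls_entry(include_subdomains=True):
    """A Force-TLS style entry: configured by the user, never expires."""
    return {"include_subdomains": include_subdomains, "expires": None}

def parse_hsts(header, now):
    """Turn a Strict-Transport-Security header value into a policy entry,
    or None when it carries no usable max-age."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"include_subdomains": include_sub, "expires": now + max_age}

def host_covered(host, policies, now):
    """True if host itself, or a parent domain whose entry covers subdomains,
    has a live policy. policies maps a lowercase domain to an entry."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = policies.get(".".join(labels[i:]))
        if entry is None:
            continue
        if entry["expires"] is not None and entry["expires"] <= now:
            continue  # expired HSTS policy; max-age=0 also lands here
        if i == 0 or entry["include_subdomains"]:
            return True
    return False

def upgrade(url, policies, now):
    """Rewrite an http:// URL to https:// when its host is covered; any other
    URL comes back unchanged. Port 80 is dropped so the https default applies."""
    p = urlsplit(url)
    if p.scheme != "http" or not p.hostname or not host_covered(p.hostname, policies, now):
        return url
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

A real browser applies this before the request is sent, which is the property that matters: the cookie is only ever transmitted inside TLS.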