If you’re reading this and are not already browsing Facebook using HTTPS (secure HTTP), you need to go to Facebook RIGHT NOW and enable the option (lest you fall victim to Firesheep). It’s in your Account Settings under Account Security -> Secure Browsing (https). If you need more help, Gizmodo has a great tutorial about how to do it.

Firesheep is a Firefox extension that allows users to steal login cookies on popular websites, which allows the user to log in as you if you are browsing on the same network. It was released last week and has already forced sites like Facebook to issue statements addressing security. I downloaded it just now to test it out, and ran it while I logged into Facebook, Gmail, Amazon, Twitter, and other sites I frequent. Here’s what Firesheep sniffed out:

Firesheep can log in to a lot of the sites I use
Double clicking on an avatar or account in the sidebar immediately opened a browser session as me, logged into the website shown. Anyone running Firesheep on an open network can sniff out and log in as anyone on the network who is actively using the websites Firesheep knows about.
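Enabling Secure Browsing only helps if the site marks its login cookie so the browser never sends it over plain HTTP. The audit below is an added example (not code from the original post or from Firesheep) that checks Set-Cookie headers for the Secure and HttpOnly attributes; the cookie names and header values are constructed placeholders, not any real site’s cookies.

```python
# Added example: audit Set-Cookie headers for the attributes that decide
# whether a login cookie can be sniffed on an open network. A cookie without
# Secure is sent on every plain http:// request, which is what a passive
# sniffer collects; HttpOnly additionally keeps page script from reading it.
# All sample headers and cookie names here are constructed placeholders.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).
    Valueless attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_session_cookies(set_cookie_headers, session_cookie_names):
    """Return [(cookie name, [missing attributes])] for the named session
    cookies that lack Secure or HttpOnly and so could be replayed after
    being captured from unencrypted HTTP."""
    wanted = {n.lower() for n in session_cookie_names}
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in wanted:
            continue
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample: headers a site might send before and after moving its
# sessions to HTTPS only. "login_session" is a placeholder name.
BEFORE = [
    "login_session=abc123; Path=/; Domain=.example.com",
    "tracking_pref=light; Path=/",
]
AFTER = [
    "login_session=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "tracking_pref=light; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookies(headers, ["login_session"]))
```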
This is a security problem that has been rehashed numerous times, but I’ve found that none of my friends seem to know that it is an issue. Note that if you’re someone who keeps all of your passwords on a sticky attached to your monitor, you probably won’t care about any of this.
I love Firefox and rely on it heavily, but one thing that has always bothered me is that its password manager stores passwords in plain text and by default, allows anyone at your computer to see them. You can see this for yourself, and if you’re like me, it will probably freak you out to actually see your password written out.
In Firefox, go to Preferences->Security:
Click on Saved Passwords, and then Show Passwords. Firefox will ask you if you’re sure. Click Yes, because that’s what someone snooping around on your machine would do.
Surprise! All of your passwords are there, in plain text.
Note that Firefox does offer a “Use a master password” option in its security dialog. This does prevent the casual snooper from seeing your passwords, but it also prompts you for a password every time a webpage wants to auto-fill a password field once per session. In my world, that happens 20-30 times a day (if not more). Unacceptable. [Corrected: John Lilly wrote me to let me know that Firefox only asks once per session. This behavior is totally usable, but there are still some issues. When I launched Firefox with more than one tab open, it prompted me once for each tab.]
Solutions:
Uncheck Remember passwords for sites and use 1Password. I swear by 1Password, and everyone I’ve demoed it for starts to use it.
Switch to Safari, Chrome, or Camino, all of which use Mac OS X’s Keychain to store passwords securely.
I’m going to stick to Firefox — for now — but it is a huge convenience FAIL that I have to turn off the feature to save passwords. As more plugins start to appear in Chrome, I’m more and more tempted to Switch; this security issue is the number 1 reason.
I just reinstalled PGP Whole Disk Encryption (WDE) on my MacBook Pro 17″ running Mac OS 10.5.8. I’m not using it to encrypt my entire drive, but I used to use it to encrypt entire backup volumes so the data on them cannot be used if the drive itself is stolen (when traveling, mostly).
I’m embarrassed to be a FileVault user, but I don’t see any other way to have certain parts of my disk remain fast, while keeping other parts encrypted (and slow).
I did some research yesterday on website password managers for Mac OS X. A good place to start is Alex King’s blog; he has written two thought-provoking articles about why you shouldn’t use the same password for everything, and how software can help your password / login workflow (Passwords, More on Passwords).
Really, it should just be common sense to not use the same password for everything; after all, you have no idea how a particular website is going to store your super-secret password. What if your password is stored in plain-text on a server with a gaping security hole? What if the website likes to email you a password reminder — in plain text — every month? I’ve seen sites that do all sorts of bad things, and if you use the same password at an insecure site as you do at your bank’s website, you’re asking for trouble. And even if you use different passwords, you need a secure way to store them all. The worst I’ve seen is someone who kept all of their passwords and financial account numbers in an Excel document on their notebook computer’s desktop. I suspect that sort of thing isn’t as rare as it might seem to be.
I just came across a particularly disturbing article about Facebook’s ad policy, which by default allows the use of your face in advertisements targeted at your Facebook friends (via @johnolilly).
Facebook occasionally pairs advertisements with relevant social actions from a user’s friends to create Facebook Ads. Facebook Ads make advertisements more interesting and more tailored to you and your friends. These respect all privacy rules.
To turn this off, go to Settings -> Privacy -> News Feed and Wall -> Facebook Ads -> Appearance in Facebook Ads and select “no one.”
Note that this privacy page doesn’t appear in Firefox 3.5 if you use the AdBlock Plus extension. Even selecting “disable on this page only” in AdBlock Plus and refreshing the page won’t make the controls appear. I had to completely disable AdBlock Plus and refresh the page in order to see them. Alternatively, you could use another browser (e.g. Safari, Chrome).