The recent flutter about Firesheep prompted us to do something we really should have done a long time ago: transition our entire site to SSL.
Of course, our password, payment and other sensitive pages were always served over https. However, the vulnerability that Firesheep exploits takes advantage of the cookie your browser presents when you visit http pages after logging in through an https page.
What is Firesheep?
Firesheep is a Firefox extension that intercepts web traffic traveling over unencrypted connections and makes it easy for users to steal the cookies of any user visiting an unsecured web page. The users can then use the Facebook, Twitter, etc. account of anyone else on that connection. The Wikipedia entry has a great writeup on the actual mechanics of the exploit, and this PC World article provides a great how-to user guide as well.
The vulnerabilities that Firesheep exploits aren't new - it's just that Firesheep very visibly exposed the vulnerability to a larger audience.
Any website that requires a login and has http-only pages within its logged-in area is vulnerable. That includes Linkshare, ShareASale, Pepperjam and our competition. Commission Junction and Google Affiliate Network do not appear to be vulnerable.
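To make the cookie problem described above concrete, here is an added simulation (our own illustration, not code from BrandVerity or Firesheep). It uses Python's standard cookie jar to play the browser: log in over https, receive a session cookie, then follow a link to an http page on the same host and see whether the cookie goes out in the clear. The hostname and cookie value are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message

SITE = "www.example-affiliate.test"  # constructed hostname, not a real site


class _Headers:
    """Minimal stand-in for an HTTP response so CookieJar.extract_cookies
    can parse the Set-Cookie headers the login page returned."""

    def __init__(self, set_cookie_values):
        self.msg = Message()
        for value in set_cookie_values:
            self.msg["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self.msg


def cookie_sent_in_clear(set_cookie_values, plain_path="/reports"):
    """Simulate a browser: log in over https, store the cookies, then visit an
    http page on the same host. Returns the Cookie header the browser would
    send over plain http (what a sniffer on open wifi sees), or None if the
    jar refuses to send anything over an unencrypted request."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_Headers(set_cookie_values), login)

    plain = urllib.request.Request(f"http://{SITE}{plain_path}")
    jar.add_cookie_header(plain)
    return plain.get_header("Cookie")


# Typical session cookie: HttpOnly stops scripts reading it, but says nothing
# about transport, so the browser attaches it to any http page on the site.
VULNERABLE = ["session=abc123; Path=/; HttpOnly"]

# Same cookie with the Secure attribute: the browser only sends it over https.
HARDENED = ["session=abc123; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    print("without Secure ->", cookie_sent_in_clear(VULNERABLE))  # session=abc123
    print("with Secure    ->", cookie_sent_in_clear(HARDENED))    # None
```

Marking the cookie Secure keeps it off the wire, but a site that still serves logged-in pages over http will simply break for those pages; moving the whole site to SSL, as described above, fixes both halves of the problem.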
How do I protect myself?
Firesheep depends on unencrypted, shared Internet connections: basically, wifi connections that don't have a password. The easiest step is to be cautious around these connections.
The next step is to use SSL versions of sites where they are supported. Both Twitter and Facebook make this possible. Just visit https://www.twitter.com and you'll be using their SSL version. There is even a Firefox extension published by the Electronic Frontier Foundation that does this automatically (and is certainly one of the better options).
However, sites that don't support SSL on all pages remain vulnerable. At this stage your options are limited if you absolutely must use that unencrypted wifi connection at the coffee shop. Either you don't use the hotspot, or you tunnel your connection through a VPN or other encrypted channel.
We hope you enjoy the new security at BrandVerity. Feels safer already doesn't it?