See if this helps answer your questions, http://www.schneier.com/blog/archives/2010/10/firesheep.html

If not, how about you do a write up about it for the EH community answering the questions you posted. I know I'd be interested to know more.

I will try to give a full picture on firesheep..

Wireless packets are encrypted using WEP/WPA keys. On a public wifi connection, the packets that are sent and back forth are unencrypted. The unencrypted wifi packets are perfectly normal and not the focus of the problem here.

A wireless card set in promiscuous mode would be able to sniff all the packets in the network. As by default HTTP packets are not encrypted, session cookies can be stolen making it possible to hijack sessions. Okay this scenario has been known for several years now, but the tool to make this look easy was not available. Firesheep exactly did that. The focus of the problem is popular sites(Facebook, Twitter) not offering HTTPS by default and the author made the tool and made it public to force these sites.

Remember that the scenario is same for all other tcp protocols that do not use SSL layer - ftp, pop, smtp, imap etc and so on. Believe me its not hard to write a tool for sniffing passwords and I am sure there are plenty available now(cain and abel?).

Regarding the working.. I think its pretty simple
1)Steal the cookie from HTTP requests
2)Send a new request to the site with the stolen cookie

Yes and No. If it steps down to HTTP and pass the cookies in HTTP,  its still vulnerable to session hijacking. For instance, you might think that static images does not require HTTPS, but the request to static images will still contain the cookie header and if it is transmitted in HTTP, then it is vulnerable to session hijacking.

Yes, there are sites that goes between HTTP and HTTPS.


Yes.