Over the last 24 hours the world has been abuzz with talk about a small Firefox extension. Usually Firefox extensions don’t make headlines, but in this case one did. Why? This extension is called Firesheep, and it’s scary.
The Firesheep plugin can hijack your Facebook, Twitter, and Flickr sessions while you are connected to unsecured wifi. What do we mean by hijack? We mean that it can steal your sessions, pretend to be you, and you won’t even know it.
Yeah, wow.
There is a lot of discussion about the ramifications of releasing something that is simple enough to let anyone become a hacker, and TUAW has some good suggestions for how to guard against Firesheep, but I want to give you my take on it and what practical steps you can take.
First off I want to tell you about my day yesterday (it relates, trust me). Sitting at home working on articles for this joint, I get a call from one of my friends at the CBC. “Have you heard about Firesheep?” I said I saw some headlines, but I hadn’t really looked at it. “Could you look at it and talk about it on camera?” Umm… sure… when? “How about an hour?” Eek. Sure… why not.
I dash to one of my favourite coffee places close by (which I also knew had open wifi) after getting Firesheep all loaded up (it took less than a minute). I order a latte, settle in and …
Holy crap.
Just like everyone said, running Firesheep I could see who was logged into Facebook and a bunch of other sites and with a double-click be that person.
Holy crap.
I’m not usually a terribly paranoid person online, but this gave me the willies. Anyone could have this running and you’d never know it. Oh sure, packet sniffers have been around for a while (that’s how it works), but packet sniffing isn’t easy for most people. Firesheep is easy enough for a kid to use. So how do you combat this? Well let’s get to that now…
First thing, if you have a wireless network at home and you haven’t set up a WPA (or even WEP) password on it, do it now.
Next, for all the businesses that have open wifi, now is the time to bite the bullet and put a password on the network. No, I’m not talking about a “gatekeeper” password that lets you in for a period of time, but WPA/WEP. Encryption. Yes, I know it’s a hassle for people to ask, but just make it obvious. This isn’t about access control, it’s about safety. I showed the manager of the place where the CBC segment was shot what the risk was and he was pretty shocked.
If you frequent a place that has open wifi, ask them to put a password on it. If you lock down your wireless network, then that’s it. Firesheep isn’t a problem. If you’re slightly techie and know how to do this, offer to help. For free.
In the meantime, you can try Firefox extensions like Force-TLS or HTTPS Everywhere, or a Chrome extension like KB SSL Enforcer, all of which force the site you’re on to load the HTTPS (encrypted) version of the site. The problem I ran into with KB SSL today was that a lot of sites don’t have their HTTP and HTTPS versions working together very well. I had to shut it off to read some things… so what does that do? These solutions are only a stopgap as far as I’m concerned.
If you are lucky enough to have a mobile data stick or can tether your phone for access, both of those are nice and secure. What about your WiFi-only mobile devices? Those I don’t have good solutions for. Myself, I have both my iPhone and iPad set not to just autoconnect to available networks, and I’m going to have them both “forget” several of the local places I go to that don’t have secured wifi. Yes, mobile devices are also vulnerable, because this isn’t a vulnerability in a browser or a device; it’s in how the sites handle your connection to them.
This is what bugs me the most about the whole Firesheep problem. Websites like Facebook and Twitter could force everyone onto HTTPS like Gmail does, but they choose not to. Until now, the risk hasn’t been that huge, but now… now I don’t think they can say that.
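To make concrete what “forcing everyone onto HTTPS” means on the site’s side, here is an added example (my own code, not from the original post or from any of the sites it names) that audits a response for the two server-side properties that blunt Firesheep-style cookie sniffing: a session cookie carrying the Secure flag and a Strict-Transport-Security header. The header values and the cookie name are constructed samples.

```python
# Added example, not code from the original post or from any site it names:
# audit an HTTP response for the server-side properties that blunt Firesheep
# style cookie sniffing. Header values are constructed; the cookie name is made up.
from http.cookies import SimpleCookie

# Constructed: the 2010-style response the post complains about.
WEAK_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Content-Type", "text/html"),
]

# Constructed: the same response, hardened.
HARDENED_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
]

def audit_headers(headers):
    """Return findings for (name, value) header pairs; an empty list is clean."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                # Without Secure the browser attaches the cookie to plain http://
                # requests, which is what a sniffer on open wifi reads and replays.
                if not morsel["secure"]:
                    findings.append(f"cookie {cname!r} lacks Secure flag")
                if not morsel["httponly"]:
                    findings.append(f"cookie {cname!r} lacks HttpOnly flag")
        elif lname == "strict-transport-security":
            # HSTS makes the browser stop issuing plaintext requests at all.
            has_hsts = True
    if not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

def harden_set_cookie(value):
    """Rewrite one Set-Cookie value so the cookie is only ever sent over TLS."""
    jar = SimpleCookie()
    jar.load(value)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()
```

Running `audit_headers` against your own site’s login response is a quick way to see whether its session cookie would have shown up in Firesheep’s sidebar.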
From now on, if it’s unsecured WiFi, I’m not using it. Period. If I absolutely have to, then I’ll run a proxy. Yeah, it’s harsh, but even the Firefox and Chrome extensions are only a partial solution. They aren’t 100% and they don’t work with all sites equally well. All you need to do is forget to turn them on, or have a notifier application polling a site in the background (outside the browser, where the extension can’t help), and …
Done like dinner.
My last tip, for the geekier among you who have a web host that allows an SSH (shell or terminal) connection (both Dreamhost and Bluehost do), is to use this awesome trick for setting up a secure, encrypted proxy. I use this one all the time; it takes just a moment to set up, but is very, very secure.
If you want to see the entire CBC piece (which gives the right level of urgency I think), the video is up on the CBC site now.
And if you have more suggestions…please let us know in the comments.
It’s funny to think that people are saying to just go out and get a Mac or not use Firefox and you’ll be right. It’s more than that; as you’ve said, it’s to do with websites not using https.
I think firefox should however take down the plugin, and force an update to all firefox browsers that uninstall it.
Demanding Firefox take down the plugin does nothing besides go against open source principles. It’s already on the web and it doesn’t disable the exploit, and I seriously doubt Mozilla would do something as controversial as uninstall something remotely.
While it isn’t great that it’s out there…Mozilla can’t really stop people from creating extensions like this. Also I think it’s good to have raised the issue and maybe something can be done to fix things.
There are a few different approaches that people can take to protect themselves. However, most are over the technical abilities of the majority of users unfortunately.
One simple option is a Firefox plug-in http://www.getCocoon.com and it provides secure SSL encryption on any connection and is literally just download and go, instant protection. Full disclosure, I do work for the company, but the product is in beta and free, so give it a try. It also protects your privacy via a proxy and has a bunch of other tools as well. If you try it out, please share your feedback, we’d love to know what you think. Thanks! David
The other lesson people should take from this: don’t use the same password for low-value sites as you do for high-value sites like your bank. It’s one thing for someone to get your Twitter log-in info, and an entirely different thing if it’s your bank…
This is the first time that I heard about this Firesheep. And yes, I’m one of those who frequent establishments with free wifi. Thanks for this post. Will have to share this to my friends.
Putting a password on a public WiFi network does very little to secure you against this sort of exploit. It does lock out a “drive-by” sniffing, sure — but does absolutely nothing to protect you against all the other people in the cafe / hotel / wherever. Is the duty manager who’s handing out the password really going to vet all the people who ask for it? To *your* standards?
Oh, and BTW — one has to log in here on TNW to comment. Does TNW encrypt session cookies? Or are we just as vulnerable here as we are on the other sites mentioned in the article? (I’ve tried using “https” to access this article, and that certainly doesn’t work…)
My understanding from going through the Firesheep slides was that WPA would protect you because the stream is encrypted client to router. So even if you’re on the same network the data is protected. Here is a link to his slides: http://codebutler.github.com/firesheep/tc12/#1 and from the slides:
“Use only secure wifi. WPA2 designed to protect clients from each other.”
As for the session cookies here … that’s a great question I’ll have to ask. I think it’s safe to say that it’s a new world now with this easy exploit in the wild.
Thanks for the reply. I can’t get those slides to work, unfortunately. But Eric Butler’s blog seems to indicate otherwise (http://codebutler.com/firesheep-a-day-later).
Much of the coverage of this vulnerability is focusing on the big sites like Facebook. And, to be fair, being impersonated on Facebook might be more damaging than being impersonated on (for example) TNW, just because of the number of connections, private messages, and personal information stored on Facebook by most people. But *loads* of sites ask users to log in — to comment, to submit to marketing spam… er, sorry, to receive personalised content — and many if not most of them will be using this insecure implementation.
Agreed.
roboschro is totally right: enabling encryption does nothing other than block passers-by from sniffing, but users who have access are still able to use the plugin.
Oh, and WEP encryption won’t even solve the first problem; there are pretty good and simple-to-use programs that calculate a WEP password in under 2 minutes with a single click.
Patrick, see the link to the slides from the extension author. It has been my experience that WPA2 does encrypt end to end and doesn’t expose your data to anyone else.
As for WEP, yes, I know it’s easily cracked, but it’s better than a sharp stick in the eye if you have no other options. It’s not great, but if someone is just able to run this extension, it would probably slow them down.
I wrote a Chrome extension today that will both redirect to HTTPS for the sites you specify and re-write the existing cookies to set the secure bit on (which means your session info is not leaked on the initial requests, unlike with some other plugins).
More info in my blog post about it:
http://nikcub.appspot.com/fidelio-a-browser-plugin-for-secure-web-browsing
Cool Nik! I’ll go check it out.
This is only really an issue if you’re logging in to unsecured sites on open WiFi. If you’re just checking the news, weather or other “light” activities you don’t have to worry about this. Also, Eric Butler’s point on WPA2 in his slides seems to be that this encryption only provides a false sense of security, he states on his website:
“A password-protected (WPA2) wireless network or even a wired network just requires that attackers perform one more step to carry out this attack. This might be ARP poisoning or DNS spoofing, neither of which are difficult to carry out. Go and download Cain & Abel and try it out on your network, it’s not that much harder than using Firesheep, and it’s been around for nearly a decade. There are other tools that’ve been around longer.”
http://codebutler.com/firesheep-a-day-later
True. This isn’t a simple, cut-and-dried issue. However, all that said, I think for the time being the easiest thing is to turn on WPA2 (not perfect, I know), avoid open wifi, and pressure sites to make the appropriate changes.
Well then the guy hasn’t included it in his software, but most packet sniffers (e.g. Wireshark) can decrypt WEP, WPA and WPA2 (they need the password to access WPA/WPA2, so from the passers-by point of view you’re safe)… But again, Wireshark is easy to use, not as easy as Firesheep, but still…
Looks like they are on the ball there dude.
http://www.anonymize.it.tc
I think regardless of whether WPA2 is enough or any Firefox or Chrome extension can help…the real impetus should be on sites to manage cookies and data better.
wireshark, ethereal, and all that are definitely not as easy to use as firesheep. firesheep really brings the tool to the hands of kids and dumb malicious hackers. wpa2 is definitely enough and some extensions do help.
i still think the best way is to use a vpn
https://www.privateinternetaccess.com/
Agreed. I recently made some changes to our company’s VPN to create a profile that doesn’t allow access to the company network but simply tunnels internet access from the office – perfect for places like cafes and airports where you are using wifi.
Go back 10 years and you can see that this is not a new issue. For a decade now, browsers have offered the use of a web proxy. Whenever I’m using a public wifi, I tunnel my web traffic through SSH by creating a proxy tunnel.
I wrote a doc on how to do this for MacOSX clients.
http://www.defaultroute.com/articles/tunnel-under-firesheep-script-kiddies/
Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network.
http://koowie.com