This is NOT a matter of insecure networks.

It’s a matter of cavalier handling of information by WEBSITES.

There’s an extension that can, in large part, prevent Firesheep from getting your info:

https://www.eff.org/https-everywhere

But the wireless networks are not to blame.

This, from the author of Firesheep:

“It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win. ”

So don’t blame the wi-fi. Blame the site. :)

Crazy how easy that is. Imagine what could happen at conferences. That’s why my lil Sprint hotspot is my best friend in the mobile world.

Except for a few points, Mark.

I tried the EFF Everywhere plugin – You know the first thing that happened? Facebook assumed I was trying to hack my own login, and challenged me with five questions to prove who I was. Including asking me who people were in tagged photos. Took two hours and four phone calls to figure it out.

I agree wholeheartedly that the SITE is at fault. But think of it this way – What incentive does Facebook have to SSL their logins? NONE.

SSL takes up more bandwidth, costs FB more $$
SSL will screw up a lot of people who will then try and ask FB for Tech support – costs FB more $$

SSL logins WILL protect us. Sadly, not one company seems to be rushing to install them. So until they do, I stand by my statement. Get a Wi-fi card. In the end, it comes down to how much you trust that “You won’t get hit.”

If you ARE hit, and everything you have is deleted or posted publicly, that’s not going to cause FB any worry. Only you.

Agreed wholeheartedly. I didn’t have that problem with the EFF extension, tho…. worked perfectly right out of the box…. but then again, it’s not like FB operates with a tremendous amount of consistency. :)

The one downside I experienced with the plug-in is that it slowed attachment uploads for gmail – a LOT.

I should have said, and didn’t – thank you for bringing this to people’s attention. So now I said it. :)

all I can say is holy smokes.

If we use apps, instead of browsers, to access information on wi-fi networks will that protect us?

We believe its possible to build secure open wifi networks:

http://blogs.iss.net/archive/WirelessSolution.html

I fully agree with the lack of security on free Wi-Fi networks. Were I a full time road warrior, I’d get the 3G modem. For those who don’t want yet another bill, or can’t charge it back/write it off, you can get 3G wireless data using an Android phone.

I travel about once every 3 weeks, and when I am waiting at the airport, I tether my Android (T-Mobile Vibrant/Samsung Galaxy S) using PdaNet software, which cost $20. I understand that v2.2 of Android has tethering out of the box, but TMo hasn’t pushed that update yet. (You can’t tether an iPhone without jailbreaking it.)

I never have to worry about finding a hotspot. Even Boingo’s daily use service can be a pain to log on to – they keep steering you to the monthly plan. I can still take calls on my bluetooth, and my text messages pop up on my notebook like IMs.

Peter,

Your points about the extra costs to FB and others is at the heart of the issue.
For those that can’t pony up the money for a mobile BB device, there are couple of free forced HTTPS add-ons that I’ve tested and work without what you experienced with the EFF tool:

For Firefox users – Force-TLS http://bit.ly/9CzNPE

For Chrome users – KB SSL Enforcer http://bit.ly/d5thKD

I’m actually in Dallas shooting a news segment for this very subject!

That’s so scary I may dress up as Firesheep for Halloween.

Wow. That’s – if you’ll pardon the pun – some scary sheep. I don’t leave home without a VPN connection, and if the locale I’m at blocks said VPN connections then the locale I’m at loses my business. I recognize it’s not foolproof, but for $80/year I’ll take it.

I also agree with the previous commenters – the issue isn’t solely public wi-fi (although that is part of the issue), but the websites themselves. And I would also agree that there’s little incentive for Facebook, Yahoo! and others to secure the networks as fully as they’d need to…unless we (users) walk away from them if they don’t. And I don’t see that happening, unfortunately.

Question – you are talking about Firefox. What about Chrome? Any extra protections?

Hey… just a quick update: since I installed that EFF extension – the Google search page automatically resorts to full SSL!!!!

Unfortunately, Images and maps aren’t part of Google SSL – yet.

Last pipe-up from me:

1: Mozilla refuses to put the brakes on Firesheep:

http://www.computerworld.com/s.....geNumber=1

And…

Liz – as far as I know – the vulnerability has nothing to do with Firefox… the hacking tool is a Firefox add-on.

You just convinced me to buy a hotspot. THANK YOU.

@Robert Durand: the iPhone can tether now without jailbreak. I’ve been using it successfully for a while.

@Paul: Google’s gmail service offers full SSL with a single checkbox selection. They don’t rely on you to type “https://” either. It’s forced. We are huge proponents of Google Apps for our business. The more attention this issue receives, and once people start mentioning Google Apps as a secure alternative, the others will change.

A VPN service is the answer. It not only secures your connection across insecure links, but also obfuscates your location. Therefore, unless you explicitly tell a site where you are, they don’t know… as opposed to using the location information for behavioral models without your knowledge. (Note: I don’t believe behavioral models are evil… just their creation, sharing, and use without user consent.)

But Peter… hmmm… how many people now have the login password for your blog? I hope you posted via your Sprint card!

Wow, this is mind blowing! Thanks for doing this Peter. I know you’re busy, but do you know if hotel internet is just as unsecured?

So I am guessing that you are not a big fan of Wi-Fi on airplanes either?

@ Vince Stross – thanks for the update – I was not aware that iPhones could legally tether now. It’s a great feature – perfect for the occasional traveller like me.

I disagree and it’s hard to justify this type of expense for the working poor. I’d rather see developers make sure that these type of holes are kept to a minimal. It should be a part of their manifesto to not allow security breaches and these aren’t even edge cases this is just sheer lack of thought.

As always I believe that there are solutions out there that just have to be thought of. SSL might not be the answer, maybe it’s a better encryption handshake bound to something else. MicroVPN’s bound to mac addresses. The idea is there is a problem to solve, don’t damn the transportation. Especially if it gives greater access to many individuals. If we do that I could say that since I can hack a wifi encryption in 30minutes to your home should you stop your home wifi? I can also pop your bluetooth open with an app. Edge cases for security breaches and the knowledge to do so is out there on multiple tiers. We can also hack your macbox, your windows box, etc. Where do you draw the line? Inform, crowdsource solutions, have a healthy debate, post a bounty for a fixes, but common.. “No Free Wifi due to Twitter/FB hax0ring..” seriously?

It should be noted that if you understand the risks as well as methods to secure WiFi traffic, you can (more) safely use free Wifi. You can stick with services that use https (gmail, google docs all redirect to that now – and not just for login), or use a VPN/tunnel to secure your traffic to non-SSL sites.

Yes, that ventures into a fairly technical realm; however, it still is possible to use open WiFi in a relatively safe way.

This is ri-goddamn-diculous!!

Andy: I agree with you. But here’s a challenge for you:

Call your mom, and tell her “Hey, mom, before you use Facebook the next time, I’d like you to install an add-on to your browser, then, I’d like you to make sure that all your connections are secure.”

How well do you think that’s gonna work? And this isn’t a diss to your family, replace “mom” with 99.9% of the people who use Facebook.

Again – There is currently NO incentive for Facebook to make this change, nor is there any incentive for them to tell their users how to do it. In FB’s mind, it’s “Why scare them away?”

Have you noticed any response from FB regarding Firesheep?

The problem isn’t Firesheep as my other smart commenters have pointed out. The problem is that until all the sites adopt encryption as a standard, we are NOT safe using open Wi-Fi networks. And that adoption isn’t coming anytime soon.

It’s like trying to breed a Tiger that won’t kill you. It takes lots and lots of time. Until then? Put up a fence.

What? Something that is being offered as a free service is not as secure as something that is monitored by paid, trained professionals? I’m agast…..Do you seriously believe that, just like with your mommy and daddy, you should be given everything for free, be instructed how to use it, and have all the bugs worked out it first? Grow up….and whom, other than a 6 year old who has never used the internet would be stupid enough to post something personal or confidential on the web.

Peter: I have the EVO as well (love it). Are you saying that as long as i use my Phone’s hotspot, and tether it to my computer then i should be safe from this security issue?
I’d also like to know what kind of security do we really have on our personal devices (phones/iPads) that can keep us safe? It seems like a new frontier of hacking and security issues? What can the avg consumer do?

What’s funny is you think my mom even knows how to sign on to an open wifi network anywhere but her home that was pre-setup by a tech or myself. Maybe it’s a mountain vs a molehill. If you are competent enough to scan and jump on Amtrak’s wifi or are keen enough to own a laptop and jump from coffee shop to coffee shop surfing and sipping, aren’t you already nearly qualified to with a little nudge protect yourself?

With every backlash it takes time for the professions to get to work finding a solution. First responders see all the carnage but it takes Toyota 6 months to issue a recall. Nothing moves fast in this world except those on the edge and we expect the behemoths to catch up overnight. It’s a beautiful thought but it’s not realistic.

I think it’s good to have this awareness but I think it’s too early to be canning mediums because of it. Let’s digest the issue and find some solutions that might not be evident because we have time to think over it.

So, there is a big error that’s still being missed here. I am a techie and I do speak it fluently so bear with me.

The issue is the visibility of your data. That data is visible across any domain in which it is not encrypted. A VPN doesn’t really work unless you happen to have a VPN endpoint in the domain of the website you are using. Otherwise that data has to get unencrypted before going to the website in any case. SSL is the site’s way of giving you a “VPN.” Your hotspots and other connection methods are just ways to transfer the domain responsibility. Gallagher and Butler (the guys who wrote and released firesheep) spoke about it during their talk.

If you don’t have end to end encryption you are still going to be vulnerable. Two ways to get that: SSL/TLS and a VPN into the website’s domain (and that assumes that someone in facebook.com doesn’t want your data).

All of the non-public wifi options mentioned make it a little harder but that’s all. And, btw, you’ll continue to be at the mercy of your coworkers all day long … and your boss that wants to see what you wrote about him on facebook, etc. etc (because you’re in the same domain).

Aren’t we missing another important component in this issue, the responsibility every user should assume for their own information and behavior? Why is this laid entirely on the shoulders of the Wi-fi provider and/or the website in question?

If you are in a free wi-fi zone you should take some personal responsibility for your own security and make wiser choices. Don’t login to ANY site from such a location. If you must, you should be responsible for taking what ever precautions are necessary to protect yourself.

If you assume others will look out for your best interest you are looking at the world with rose colored glasses…

Scare-mongering and disinformation in one post – well done. The easy solution is not to use unecrypted connections when you’re logging in via an unfamiliar wireless network. SSL prevents any kind of snooping whatsoever, period. Sites starting in Https are your friend…

“If you are competent enough to scan and jump on Amtrak’s wifi or are keen enough to own a laptop and jump from coffee shop to coffee shop surfing and sipping, aren’t you already nearly qualified to with a little nudge protect yourself?”

I haven’t used Windows in years, so maybe it’s different, but on the Mac, I open the lid, choose a network from the drop down in the menu bar, and launch my browser. That’s it. All the configuration happens behind the scenes, and most open wi-fi require almost nothing in the way of logins – at the coffee shop near my house, you simply click the “I agree” button at the bottom of the page (after you’ve “read” the TOS).

And I’m tech savvy – I was building my own machines ten years ago and I did a stint as a network admin at Mission Control, NASA. I’m not saying that to brag (the job sounds a lot cooler than it was) but to point out that sometimes people aren’t savvy enough to protect themselves, and even those of us that are might not think of it each time we connect.

The sites need to get with the program. I know, they have no incentive. But still.

Sooooo… are you defining “free wifi” as any unprotected un-passworded wifi connections? What about shops offering “free wifi” by putting a password on their inhouse routers and giving passwords to folks to logon? I’d think this sort of work around would be affordable and fairly easy to maintain, right?

Pete: I approved your insult to take you to task:

We have 500 million + people on Facebook.

I’ll give you a shiny penny for each one you teach to correctly look for an SSL login, an SSL encrypted Wi-Fi device, and a “safe” way of surfing.

Ready? Quit your job, and GO!

It’s not going to happen. You can’t change the masses immediately, and you won’t. The best defense until WEBSITES DO THIS AUTOMATICALLY, (which is a Looooong time coming, because there’s no money in it for them to SSL Grandma’s Facebook connection) is to teach people how to avoid the most COMMON problems.

The COMMON problem is logging on to a free Wi-Fi line and assuming you’re OK.

You’re NOT.

How’s that teaching coming? Explain to a hundred people yet what to do?

I have no connection to any wireless company. I’ve consulted for Sprint in the past, but they don’t pay me to say anything for or against. My blog has always been my own.

The problem as I see it, is that if I’m hacking for fun, (or even to cause trouble,) I’ll start at the LCD. (Lowest Common Denominator.) For most, that’s the free coffee shop wireless network they’re on. If you can avoid that, chances are, you’re a ton safer, because you’re letting the other idiots get hit first.

There’s nothing to make anything 100% safe. Get the strongest safe in the world. With enough time and resources, I can get to what’s inside when I’m not supposed to. But wouldn’t you prefer to have that safe, as opposed to a cardboard box with no door?

This comment was checked and found to be INSULT FREE. :)

Rick: I’m defining free wifi as “Coffee shop” wifi. Airports, planes, trains, lounges, etc. I’m NOT saying corporate networks are as bad.

Peter: no no, I am, too. Have friends who are running a coffeeshop, so this is actually THEIR free wifi setup at present. But in that shop, would Firesheep be stopped by simply adding the password to the router? Or would it work since everyone’s still on the same network? That’s the gist of my question before I suggest they look further to protect their customers.

I’m more dumfounded by the fact that one can call Facebook

Rick-

Last night, a friend shared with me that her son had demonstrated the hack for her, between two laptops, on their secured, shared wi-fi at home. So I suspect that if two people are on that shared wi-fi connection with the password from the cafe, one can use Firesheep on the other.

Uhm, aren’t what you are really saying is that if you use the Internet in general, there is always a potential that someone can access it?

Hasn’t this always been the case from time to time?

I don’t really see this as a free wifi issue, if free wifi existed and you never used the Internet there would be no problem. Conversely, if you had secure wireless you could be hacked or have your passwords stolen. I’m thinking you should consider changing this post or writing another post, unless I missed something?

How is this possible on a switched network? Other than ARP and other broadcasts, all traffic outbound from the switch is destined only to the host, and vice-versa.

I’m going to give this tool a try myself in a laboratory environment. I’m skeptical that a web browser plugin can somehow alter the rules of TCP/IP and grab traffic not bound for it’s host right out of the air.

Regardless, your point about insecure WiFi is well taken and good advice. I would also include mobile devices as potential tagets as well.

@charity.. good question. From quick tests, the answer seems to be no.

hrmm.. looks like i spoke too soon. The apps cannot save you(us?) unless the RESTful/WS api support secure connections.

Thank you Amar, for checking into it. Looks like I’ll be getting a hotspot for myself. I’m looking at the Cradlepoint PHS300 for an AT&T usb connection… it seems like the best option of the choices available.

Kevin: Good point. I didn’t mean to say that using a Tunnel/VPN would make accessing non SSL sites ‘secure’, just that it would secure the data over the WiFi network.

It is important to note that while this particular Firefox Plugin shows how HTTP traffic can be intercepted over a WiFi link, when you access HTTP sites (facebook, twitter, etc) over your own ‘secure’ home connection, or your ‘secure’ work connection – all that traffic is open to your employer, your coworkers, your ISP, the site’s ISP, etc.

Again, good point Kevin.

As someone whos Gmail & twitter was just hacked into, this has taken my security paranoia to a new level. Crap.

My Mom sent me another article on this yesterday, but Peter yours really shares it in a crystal clear, non-geeky fashion.

As an entrepreneur and author on the go, I do regularly use free wifi at Starbucks, airports, The Library, etc., but other than surfing, I will no longer log into anything, and I’m going to get my own encrypted hotspot ASAP.

I’ve always said that if these talented people would just use their powers for good instead of mischief and evil, think what advances we could make in society! But no, instead they have to use it to mess with everyone–what a waste.

@Gary H Steadman

Free? Are you calling FaceBook Free? It may not cost money, but you pay with your willingness to give them a treasure trove of your (and your friends’) demographic data and your willingness to look at the ads they have in the app. I use Facebook, btw, but understand there is no such thing as total privacy online. Thank god facebook didn’t exist when I was in college is all I can say.

Interestingly, in some countries (like Canada, where I live) there are privacy regulations which require companies to protect the private data of their users/customers. The privacy regulators take this stuff pretty seriously and it will be interesting to see if this causes any backlash/followup (by anyones standards, a company that allows such easy access is not protecting their users’ data).

Here’s my initial response, after my “holy $&!1″ moment.

We provide ‘free wifi’ service to around 10 million different users a year through our hotel and public networks. There definitely needs to be some clarification on the term ‘free wifi’. Professionally designed free-wifi networks like ours enable end-user isolation and will prevent programs running behind our network like Firesheep from doing any damage. Users have a direct path out to the Internet, and cannot network with, cannot access files of, or even ping other users on the network. It appears to their computer that they are the only device on that network.

We’ve been trying to drill the importance of end-user-isolation-enabled networks into venue owners, major hotel brands, and hotel owners for nearly a decade, but before now, ‘hackers’ have been limited to a relatively smaller group of people; so while that threat was admittedly present, it was previously thought not to be substantial enough to justify the costs associated with building a professional network. Hopefully this is a bit of a wake-up call to the naysayers.

That said, I completely agree that it’s just not feasible to think that every network everywhere is going to be secure. It is also not feasible for ‘free’ sites like facebook and google to assume the bandwidth costs associated with SSL traffic, which definitely tacks some size on to that data packet. Lastly, it’s not feasible to pronounce that free wifi is evil and we should all go buy 3g/4g cards. (I do love mine, however) I think the answer, if there is one, lies in a combination of all three.

I really like the idea behind Firesheep because it creates awareness and forces network admins and webmasters all over the world to take this issue seriously. However, I would caution anyone thinking of using it that there could be some serious legal ramifications if you do in fact use it inappropriately.

oops – meant to say @Senior IT Professional (not @Gary) regarding the following…

Free? Are you calling FaceBook Free? It may not cost money, but you pay with your willingness to give them a treasure trove of your (and your friends’) demographic data and your willingness to look at the ads they have in the app. I use Facebook, btw, but understand there is no such thing as total privacy online. Thank god facebook didn’t exist when I was in college is all I can say.

Interestingly, in some countries (like Canada, where I live) there are privacy regulations which require companies to protect the private data of their users/customers. The privacy regulators take this stuff pretty seriously and it will be interesting to see if this causes any backlash/followup (by anyones standards, a company that allows such easy access is not protecting their users’ data).

This is seriously intense stuff… I’m glad I typically tether off of my iPhone… Thanks for this post!

The folks over at Fox25 in Boston had me on about this very issue this morning. I demo’ed it on the air – it’s 100% real.

http://www.blueskyfactory.com/firesheep/

Great post, thanks for sharing it!

Lots of security types have been saying this for years, but I’m glad that someone with a little more mass appeal has jumped on to raise awareness. Free wi-fi is tremendously dangerous and without precautions, it should really only be used for simple web surfing. Anything that requires a login really should not be accessed via free wi-fi unless you are 100% sure that whole transmission is protected via SSL.

There is no such thing as a completely safe way to access the web. But, cybercriminals/hacker types (being lazy) will consistently focus on the easiest, most potentially profitable targets. Sending critical credentials via free (or poorly protected) wi-fi is the lowest of the low hanging fruit.

I think it really stinks that you are taking friction for this post. You did a service and what you said is spot on accurate. Take care and thanks!

Pete – thanks for the warning, and memories of Amtrak trips up/down the East coast. I think the “scare” factor is in direct proportion to how sensitive the data you’re accessing really is, but that said there are some less expensive and easily accessible options available. For those who can’t afford the data card (hence why they drove to the coffee shop for free WiFi to begin with) there are free and for-cost encrypted proxy options. “A what?” you ask? Here is a great lifehacker article on what it is and how to “hack” it and do it yourself for free:
http://lifehacker.com/237227/g.....ocks-proxy

There are also proxy sites you start from that provide secure browsing as a service. They range from free (read: slow browsing experience) to typically $8 – $10/month (read: faster browsing, cheaper than data card). Some examples are below (note: I am not recommending any in particular), but you can search for more and try them out on your laptop at your favorite WiFi spot for speed, features and usability.

http://www.the-cloak.com
http://www.megaproxy.com
etc.

Surf more, fear less and save the questionable activities for live interactions. ;)

Thanks for the info! Very eye opening…I plan to share with my network and friends.

Thanks for the warning, you’re doing a great service Peter! Not that any of us are that surprised but it’s definitely a wakeup call. Now, must get my Verizon hotspot immediately.

I had just one more statement to make. All of this is well and good but how many of you use TLS to log into your email (google users aren’t allowed to answer this)? Do you encrypt with a certificate or even sign the email?

Did you know that your email contents and the username/passwords are all just as vulnerable (if not moreso) than your facebook info. And you don’t need firesheep to get at it. $tcpdump -nnqi any | grep passwd will get every one on the network.

So now what are you going to do about your email?

The reaction to this is really not very proportional. These attacks are not new. In fact, Defcon has run what they call the Wall of Sheep for some time now. The wall is a running visual of the users that use insecure methods of logging in to services on untrusted networks i.e. the Defcon network. Firesheep just points out one more insecure service (or set of services). Even the specific attack isn’t new. The risk hasn’t changed. You all are now just aware of it.

Also, for those that have been naysaying the writers of the plugin, they didn’t invent the vulnerability they just made you aware of it. Lots of folks have known how to do this for years. Now you know that others know how to do this and you can adjust your actions accordingly.

Remember, wifi isn’t the issue. It’s a technology. The visibility of your data is the issue. Last I looked at Cox cable they put whole residential groups in the same domain. One could sniff all of their neighbors. That’s just as insecure as the wifi at your local coffee shop, moreso. At least at the local coffee shop I could sniff the network and see if someone else logged in as me and then confront them personally because that person is likely in the same room as you.

Push your services to use persistent SSL or stop using them. Facebook is not a necessity. Would you use online banking if they were at risk?

Those web sites are now fixing that security breach.
It’s NOT the end of free wi-fi.
It’s the end of unsecured web site login cookies.

Electronic Frontier Foundation (http://eff.org) has done their homework on this and it’s not so much a problem with Firesheep as it is with sites not using secure http (those websites that start with https:// instead of http://)

You really wouldn’t need a $50 a month card and could keep on using free wifi if sites understood & implemented proper security.

Just tried it in a lab environment. Sure as sh*t, it does what it advertises. From what I can tell it’s using winPCAP to simply follow a TCP stream. My initial impression was that there was no way a stand-alone web browser plugin could do this, but once I saw it uses winPCAP, it made sense to me it was possible.

While I understand the developer’s intention, the danger of this app is that it takes the need for the understanding of TCP/IP (or really any other technical know-how) out of the equation. How many of you use these social networking sites, and how many of you use the same password on these sites as you do your bank account, email, 401K account, etc?

Thanks for sharing the information with us.

Two things about which I wasn’t clear:

1. Are hackers still able to acces your information even after you’ve logged off the site and/or network? Or can they only mess around with things as long as you’re logged in?

2. Would I have to be using Firefox for someone to use Firesheep to hack my accounts? Or is it not restricted to the particular browser I’m using?

Thank you!

VPN. Takes care of the issue.

I have passed this on to everyone I know, and I posted it on Facebook, too. (And my friends are now sharing it as well) This scares the heck outta me. I’m going to order Virgin Mobile Broadband2go – no monthly fee, just pay for the time you need and add more as needed.
Thanks SO much for this!

@Beata:
1. The actual ability of “hackers” to access your site is closely related to you log on / log off sequence but not exactly tied to it. This is because your laptop/ipad, etc hold on to the connection for a little while longer (typically order of minutes) before they let it die. So their access will die a few minutes after you log out.

2. This has nothing to do with what browser you are using. It is based on two things:
a. how are you connecting to the website/service (wifi, proxy server, vpn, etc)
b. are you using a secure connection or not (https or not)

1. This is not a new vulnerability. Firesheep has just made exploiting the vulnerability trivial. Malicious hackers have been exploiting this vulnerability for over a decade.
2. While public Wi-Fi is the easiest place for malicious hackers to exploit the vulnerability, it’s dangerous to think it’s the only place. Your personal hotspot is not much more secure.
3. This is not a Firefox vulnerability. All web browsers are inherently effected.
4. Firesheep is not the bad guy here. In fact, t’s the good guy: it’s helping to make everyone aware of the issue. In the short term, some people can use Firesheep to exploit the vulnerability; but the long-term benefit of fixing the vulnerability is worth it.

The issue is an HTTP connection versus an HTTPS ( the “S” stands for “secure”) connection to a web site. Most people probably don’t notice whether a web site address begins with “http” or “https”, but the difference is immense.

An HTTP connection to a web site from a desktop computer is like a phone call from a phone booth. You know that someone could be hearing every word you’re saying if they were wire-tapping, but chances are they’re not. An HTTP connection on a public wireless network is like a phone call from a train station. You know that many people can hear every word you’re saying if they bother to listen and if they can parse your words from all the others. Listening to someone else’s network/Internet traffic is called “packet sniffing”.

You wouldn’t tell someone your online bank account username and password in a busy train station, because a malicious person might hear you and exploit the information. Likewise, you shouldn’t send such private credentials across a public wireless network via HTTP.

The problem is a little worse for HTTP, though. When you log into a web site, you only supply your username and password once, right? But then how does the web site know who you are when you click on a link 5 minutes later? The answer is cookies. When you first log into a web site, it sends your web browser a “cookie” containing a session ID. A session ID is basically a really long number that statistically no one would ever guess in the amount of time it’s actually valid. (Every time you log into a web site, you get a different session ID.) The cookie with your session ID is sent to the web site automatically every time you make a request; that’s how the web server knows who you are. Session IDs typically expire after about 20 minutes.

So did you catch the security hole yet? Did you figure out how Firesheep works? On a public network, a malicious hacker can easily see the session ID that your browser is sending every time you make a request to the web site. If they start communicating with the web site using the same session ID, then as far as the web server is concerned they’re you. Hackers have been doing this for years, but Firesheep makes it one-click simple.

The solution to this problem is HTTPS. When the address of the web site you’re visiting begins with “https”, that means that every piece of information that travels to or from the site is encrypted, and can’t be understood by others even if they see it. Think of the encryption as a special language that you and the person you’re talking to made up especially for that conversation; by the time anyone figures it out, the conversation is long over.

Unfortunately, many web sites do not support HTTPS because truthfully providing the next Farmville will attract and keep far more users. It’s just not a priority.

Some other things to think about:

- Since session IDs stay valid for as long as they’re in use. So long after you close your netbook or put your iPhone away (ha!), someone can still be snooping around on your account without having to change. They won’t be forced out until you manually log out (which typically invalidates the session ID).

- Depending on the network configuration at your office, packet sniffing may be just as easy. That creepy guy three floors up from you could be watching everything you do.

- The major browsers now make it more obvious when you’re visiting a web site securely by decorating the address bar. Some show a shield, others turn the bar green, etc. It’s worth paying attention to.

Jimminy Stinking Crickets … a bit over the top with the hyperbole here I’d say.

As others have stated, VPN is your friend. Learn it, love it, don’t leave home without it.

Oh, and perhaps let’s be a little less naive on some of the plug-ins we play with and install.

The problems stems from some websites not having secured connections. In the past I did a Cisco networking course and we regularly learnt how to crack networks to find pieces of data. When I use free wifi I make sure that my connection to certain sites (like banks) is secured. If so data sent will be scrambled.

Does anyone have a list of all of the unsecured websites? I don’t utilize Facebook, but I do use WordPress. Granted, it’s from home, but still, I want to be sure not to log into any site that is unsecured when I’m not at home by accident.
It sounds like Gmail & other Google products might be safe, am I right to assume that?

@Sarah, there are billions of web sites, and most of them do not support HTTPS. So a list would be impractical. However, you can tell whether your connection to a web site is secure or not by looking at the beginning of its address: if it begins with “https://”, then you are secure; if it begins with “http://”, then you are not.

Also keep in mind that it’s not necessarily valuable for EVERY web site to be secured in this way; only the ones where privacy is an issue. For example, there’s no reason to have an HTTPS connection when you’re reading the New York Times online.

all the more reason for the AV software you use (*mcafee,norton, kaspirsky, avira are you listening? How about IBM, Core, Rapid7– you guys aware of this?)
This situation could not only take down personal computers but destroy business data that is critical to the life of any business: small, medium or large. Given what I have seen since the Fake AV Scareware initiative, nothing surprises me anymore.

Peter– anyone else out there– got any ideas on what to use to lock down your computer safely particularly in light that we all tend to do work + personal stuff on the go.

@Stevie Wilson, anti-virus software will never protect you from this issue. It’s not a vulnerability of your wireless device. Rather, the web sites you’re visiting have neglected to provide you a secure way of talking to them.

If you’re doing work on the go, your company should strongly consider setting up a VPN.

Yikes! Thanks for the excellent information, Peter! Who knew????

I’ll be sure to pass this on. As you say, I’m sure most people never question whether or not free wi-fi is safe because they’ve never been told it’s not.

Scary!

@Douglas Paul

Sorry to be like this, but this statement is not entirely correct:

“The solution to this problem is HTTPS. When the address of the web site you’re visiting begins with “https”, that means that every piece of information that travels to or from the site is encrypted, and can’t be understood by others even if they see it. Think of the encryption as a special language that you and the person you’re talking to made up especially for that conversation; by the time anyone figures it out, the conversation is long over.”

HTTPS is not a solution, it just makes things a little more difficult. HTTPS can still be beat by Man in the Browser or (more commonly) Man in the Middle attacks. Man in the Browser works because information is not encrypted while it is being entered – it is only encrypted once it reaches the operating system’s encryption provider (this almost always happens on submit). Man in the middle attacks work because they involve a criminal impersonating the authorized web site and sitting right in the middle.

The third sentence, especially this part “by the time anyone figures it out, the conversation is long over” is especially troublesome. The moment an encryption algorithm is cracked (this happens frequently), every single communication encrypted with that algorithm becomes vulnerable. So, a criminal could sit and run Wireshark on a network (or several networks), save all encrypted traffic for several years, then decrypt it once the various algorithms used have been beat. This is one of the many reasons why password reuse (especially password reuse over several years) is incredibly dangerous!

Point being, there is no such such thing as true security (at least not with the current implementation of TCP/IP). But there are ways that people can reduce the amount of risk they are under when they send/receive information over the web. Some of these ways include:

- having a different, strong password for every single web site you use
- doing homework and making sure that every site you use uses secure login methods (exactly as you said)
- being very, very careful of what organizations get what information
- being diligent about monitoring your credit reports/bank statements
- pressuring the sites you use to keep track of (and show you) your login history
- changing your credit card numbers/bank account numbers/online banking credentials (including your user name) frequently
- using prepaid credit cards when you shop online
- using Linux Live CDs if you have to enter a social security number on a web interface

I would like to link to Douglas Paul’s comment a few above mine, but I don’t know how to do so as there is no permalink for it. That’s a real shame.

I never logged in to sites on free wifi networks anyway, but now I am completely paranoid about any online activity beyond the most basic browsing. I’m not sufficiently techie to know whether using Outlook to check my emails or a Yahoo desktop IM client would allow a hacker using Firesheep or similar to easily gain access to email or IM content. If no-one can give me an answer, I’d rather err on the safe side.
Thanks; I guess it’s back to reading books and sleeping on long train journeys again!

Late to the game, with a question: If one’s cell phone gets poor reception in a particular location, is it safe to assume a personal wireless connection on the same provider will also get poor reception in that place? It’s a function of the building structure–lots o’steel between me and the airwaves.

thx

This is really scary. And to think a lot of people have been using free wifi without knowing these things. Thanks for sharing this info! I hope many would read this so they will be aware.

You couldn’t be more wrong about free WiFi. Though Firesheep is a real thing, there are about 4 Firefox add-ons you can get that will force websites like facebook, etc to use SSL and https throughout the session and not just on the login page. on of them is called ForceTLS. This essentially makes you invulnerable to Firesheep, which as I’m sure many other people have pointed out – is only automating a task that has been possible for years. However, its given session hijacking a much higher profile, and i’m guessing that the big social networking sites are in a rush to fix this, since they don’t want to have people thinking twice before they log onto their sites in a coffeeshop, or alienate all the urbanites out there who don’t bother paying for broadband service because they have access to an open network. this problem is pretty easily fixed on both ends, and in less than a year, no one will have any use for Firesheep, I have no doubt.

@ Peter Shankman

I also think the likelihood of people going out and buying wifi hotspots is even less than them learning to use something like Force TLS, which is free and easy to use. People just need to realize that Open wifi networks aren’t safe and never were, and that everywhere you go there are vulnerabilities.
I would like to point out that the people who do this kind of stuff on open wifi networks are the same type of people who buy stuff off of amazon and ebay using an app on their cellphone, which is about 10,000 x less secure. So when everybody that is stupid just wakes up one day smart, all this will be way less of a problem, until then though, they are low hanging fruit for people who know how to get their information.

Totally shocking, are all sites covered all just selected social networking sites like facebook, twitter, etc…

There is now a BlackSheep add-on that detects anyone using FireSheep on the same network. What do you guys think?

“There is now a BlackSheep add-on that detects anyone using FireSheep on the same network. What do you guys think?”

Okay, but what do you *do* with it? Just knowing that someone is using FireSheep doesn’t protect you from it.

Amazing how easy it is. Imagine what could happen at conferences. Therefore, my access point Lil Sprint is my best friend in the mobile world.

I had no idea – this IS truly scary!

I would imagine this also makes the government’s job pretty easy to watch you with no warrant.

Why aren’t people shutting down FireSheep?

Better question: Why would anyone want to do something so unethical – build a business/a program that exposes everyone so vulnerably? This could destroy lives, businesses.

Are there no ethic rules for the internet – for forming a business that can’t potentially cause harm or destruction to someone or their life/business? There should be. This it just purely wrong in my eyes.

A very big THANK YOU for letting us know this stuff Peter!

It’s not the company or business’s responsibility to secure your connection, it’s yours…and there are plenty of ways to secure your connection through a free wifi hot-spot. All you have to do is arm yourself with a little knowledge about what you’re doing. That knowledge is free and not that hard to come by, too. In the end, free wifi won’t disappear, sites like evernote, facebook and others will just have to “up” their game and start encrypting their connections with users, not because it’s their responsibility, but because the vast majority of their users are just too lazy to care and do it for themselves!

You bring up a great point. Although I have not read through the dozens of comments above, I think someone one should point out that Facebook has recently made changes that encrypt their users account.
Also, for users who are interested in being protected they can simply download Fire Sheep themselves and keep it open when they use a public connection. As a fire sheep user ( hopefully they don’t use it to hack, but only to monitor ) they be notified if their own accounts pop up in the program.
Ultimately, thank you for sharing this important safety concern. I am glad people are staying educated on the topic.