This is NOT a matter of insecure networks.

It’s a matter of cavalier handling of information by WEBSITES.

There’s an extension that can, in large part, prevent Firesheep from getting your info:

https://www.eff.org/https-everywhere

But the wireless networks are not to blame.

This, from the author of Firesheep:

“It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win. ”

So don’t blame the wi-fi. Blame the site. :)

all I can say is holy smokes.

We believe its possible to build secure open wifi networks:

http://blogs.iss.net/archive/WirelessSolution.html

Peter,

Your points about the extra costs to FB and others is at the heart of the issue.
For those that can’t pony up the money for a mobile BB device, there are couple of free forced HTTPS add-ons that I’ve tested and work without what you experienced with the EFF tool:

For Firefox users – Force-TLS http://bit.ly/9CzNPE

For Chrome users – KB SSL Enforcer http://bit.ly/d5thKD

I’m actually in Dallas shooting a news segment for this very subject!

Wow. That’s – if you’ll pardon the pun – some scary sheep. I don’t leave home without a VPN connection, and if the locale I’m at blocks said VPN connections then the locale I’m at loses my business. I recognize it’s not foolproof, but for $80/year I’ll take it.

I also agree with the previous commenters – the issue isn’t solely public wi-fi (although that is part of the issue), but the websites themselves. And I would also agree that there’s little incentive for Facebook, Yahoo! and others to secure the networks as fully as they’d need to…unless we (users) walk away from them if they don’t. And I don’t see that happening, unfortunately.

Hey… just a quick update: since I installed that EFF extension – the Google search page automatically resorts to full SSL!!!!

Unfortunately, Images and maps aren’t part of Google SSL – yet.

You just convinced me to buy a hotspot. THANK YOU.

A VPN service is the answer. It not only secures your connection across insecure links, but also obfuscates your location. Therefore, unless you explicitly tell a site where you are, they don’t know… as opposed to using the location information for behavioral models without your knowledge. (Note: I don’t believe behavioral models are evil… just their creation, sharing, and use without user consent.)

But Peter… hmmm… how many people now have the login password for your blog? I hope you posted via your Sprint card!

So I am guessing that you are not a big fan of Wi-Fi on airplanes either?

I disagree and it’s hard to justify this type of expense for the working poor. I’d rather see developers make sure that these type of holes are kept to a minimal. It should be a part of their manifesto to not allow security breaches and these aren’t even edge cases this is just sheer lack of thought.

As always I believe that there are solutions out there that just have to be thought of. SSL might not be the answer, maybe it’s a better encryption handshake bound to something else. MicroVPN’s bound to mac addresses. The idea is there is a problem to solve, don’t damn the transportation. Especially if it gives greater access to many individuals. If we do that I could say that since I can hack a wifi encryption in 30minutes to your home should you stop your home wifi? I can also pop your bluetooth open with an app. Edge cases for security breaches and the knowledge to do so is out there on multiple tiers. We can also hack your macbox, your windows box, etc. Where do you draw the line? Inform, crowdsource solutions, have a healthy debate, post a bounty for a fixes, but common.. “No Free Wifi due to Twitter/FB hax0ring..” seriously?

This is ri-goddamn-diculous!!

What? Something that is being offered as a free service is not as secure as something that is monitored by paid, trained professionals? I’m agast…..Do you seriously believe that, just like with your mommy and daddy, you should be given everything for free, be instructed how to use it, and have all the bugs worked out it first? Grow up….and whom, other than a 6 year old who has never used the internet would be stupid enough to post something personal or confidential on the web.

What’s funny is you think my mom even knows how to sign on to an open wifi network anywhere but her home that was pre-setup by a tech or myself. Maybe it’s a mountain vs a molehill. If you are competent enough to scan and jump on Amtrak’s wifi or are keen enough to own a laptop and jump from coffee shop to coffee shop surfing and sipping, aren’t you already nearly qualified to with a little nudge protect yourself?

With every backlash it takes time for the professions to get to work finding a solution. First responders see all the carnage but it takes Toyota 6 months to issue a recall. Nothing moves fast in this world except those on the edge and we expect the behemoths to catch up overnight. It’s a beautiful thought but it’s not realistic.

I think it’s good to have this awareness but I think it’s too early to be canning mediums because of it. Let’s digest the issue and find some solutions that might not be evident because we have time to think over it.

Aren’t we missing another important component in this issue, the responsibility every user should assume for their own information and behavior? Why is this laid entirely on the shoulders of the Wi-fi provider and/or the website in question?

If you are in a free wi-fi zone you should take some personal responsibility for your own security and make wiser choices. Don’t login to ANY site from such a location. If you must, you should be responsible for taking what ever precautions are necessary to protect yourself.

If you assume others will look out for your best interest you are looking at the world with rose colored glasses…

“If you are competent enough to scan and jump on Amtrak’s wifi or are keen enough to own a laptop and jump from coffee shop to coffee shop surfing and sipping, aren’t you already nearly qualified to with a little nudge protect yourself?”

I haven’t used Windows in years, so maybe it’s different, but on the Mac, I open the lid, choose a network from the drop down in the menu bar, and launch my browser. That’s it. All the configuration happens behind the scenes, and most open wi-fi require almost nothing in the way of logins – at the coffee shop near my house, you simply click the “I agree” button at the bottom of the page (after you’ve “read” the TOS).

And I’m tech savvy – I was building my own machines ten years ago and I did a stint as a network admin at Mission Control, NASA. I’m not saying that to brag (the job sounds a lot cooler than it was) but to point out that sometimes people aren’t savvy enough to protect themselves, and even those of us that are might not think of it each time we connect.

The sites need to get with the program. I know, they have no incentive. But still.

Peter: no no, I am, too. Have friends who are running a coffeeshop, so this is actually THEIR free wifi setup at present. But in that shop, would Firesheep be stopped by simply adding the password to the router? Or would it work since everyone’s still on the same network? That’s the gist of my question before I suggest they look further to protect their customers.

Rick-

Last night, a friend shared with me that her son had demonstrated the hack for her, between two laptops, on their secured, shared wi-fi at home. So I suspect that if two people are on that shared wi-fi connection with the password from the cafe, one can use Firesheep on the other.

How is this possible on a switched network? Other than ARP and other broadcasts, all traffic outbound from the switch is destined only to the host, and vice-versa.

I’m going to give this tool a try myself in a laboratory environment. I’m skeptical that a web browser plugin can somehow alter the rules of TCP/IP and grab traffic not bound for it’s host right out of the air.

Regardless, your point about insecure WiFi is well taken and good advice. I would also include mobile devices as potential tagets as well.

hrmm.. looks like i spoke too soon. The apps cannot save you(us?) unless the RESTful/WS api support secure connections.

Kevin: Good point. I didn’t mean to say that using a Tunnel/VPN would make accessing non SSL sites ‘secure’, just that it would secure the data over the WiFi network.

It is important to note that while this particular Firefox Plugin shows how HTTP traffic can be intercepted over a WiFi link, when you access HTTP sites (facebook, twitter, etc) over your own ‘secure’ home connection, or your ‘secure’ work connection – all that traffic is open to your employer, your coworkers, your ISP, the site’s ISP, etc.

Again, good point Kevin.

My Mom sent me another article on this yesterday, but Peter yours really shares it in a crystal clear, non-geeky fashion.

As an entrepreneur and author on the go, I do regularly use free wifi at Starbucks, airports, The Library, etc., but other than surfing, I will no longer log into anything, and I’m going to get my own encrypted hotspot ASAP.

I’ve always said that if these talented people would just use their powers for good instead of mischief and evil, think what advances we could make in society! But no, instead they have to use it to mess with everyone–what a waste.

Here’s my initial response, after my “holy $&!1″ moment.

We provide ‘free wifi’ service to around 10 million different users a year through our hotel and public networks. There definitely needs to be some clarification on the term ‘free wifi’. Professionally designed free-wifi networks like ours enable end-user isolation and will prevent programs running behind our network like Firesheep from doing any damage. Users have a direct path out to the Internet, and cannot network with, cannot access files of, or even ping other users on the network. It appears to their computer that they are the only device on that network.

We’ve been trying to drill the importance of end-user-isolation-enabled networks into venue owners, major hotel brands, and hotel owners for nearly a decade, but before now, ‘hackers’ have been limited to a relatively smaller group of people; so while that threat was admittedly present, it was previously thought not to be substantial enough to justify the costs associated with building a professional network. Hopefully this is a bit of a wake-up call to the naysayers.

That said, I completely agree that it’s just not feasible to think that every network everywhere is going to be secure. It is also not feasible for ‘free’ sites like facebook and google to assume the bandwidth costs associated with SSL traffic, which definitely tacks some size on to that data packet. Lastly, it’s not feasible to pronounce that free wifi is evil and we should all go buy 3g/4g cards. (I do love mine, however) I think the answer, if there is one, lies in a combination of all three.

I really like the idea behind Firesheep because it creates awareness and forces network admins and webmasters all over the world to take this issue seriously. However, I would caution anyone thinking of using it that there could be some serious legal ramifications if you do in fact use it inappropriately.

This is seriously intense stuff… I’m glad I typically tether off of my iPhone… Thanks for this post!

Great post, thanks for sharing it!

Lots of security types have been saying this for years, but I’m glad that someone with a little more mass appeal has jumped on to raise awareness. Free wi-fi is tremendously dangerous and without precautions, it should really only be used for simple web surfing. Anything that requires a login really should not be accessed via free wi-fi unless you are 100% sure that whole transmission is protected via SSL.

There is no such thing as a completely safe way to access the web. But, cybercriminals/hacker types (being lazy) will consistently focus on the easiest, most potentially profitable targets. Sending critical credentials via free (or poorly protected) wi-fi is the lowest of the low hanging fruit.

I think it really stinks that you are taking friction for this post. You did a service and what you said is spot on accurate. Take care and thanks!

Thanks for the info! Very eye opening…I plan to share with my network and friends.

I had just one more statement to make. All of this is well and good but how many of you use TLS to log into your email (google users aren’t allowed to answer this)? Do you encrypt with a certificate or even sign the email?

Did you know that your email contents and the username/passwords are all just as vulnerable (if not moreso) than your facebook info. And you don’t need firesheep to get at it. $tcpdump -nnqi any | grep passwd will get every one on the network.

So now what are you going to do about your email?

The reaction to this is really not very proportional. These attacks are not new. In fact, Defcon has run what they call the Wall of Sheep for some time now. The wall is a running visual of the users that use insecure methods of logging in to services on untrusted networks i.e. the Defcon network. Firesheep just points out one more insecure service (or set of services). Even the specific attack isn’t new. The risk hasn’t changed. You all are now just aware of it.

Also, for those that have been naysaying the writers of the plugin, they didn’t invent the vulnerability they just made you aware of it. Lots of folks have known how to do this for years. Now you know that others know how to do this and you can adjust your actions accordingly.

Remember, wifi isn’t the issue. It’s a technology. The visibility of your data is the issue. Last I looked at Cox cable they put whole residential groups in the same domain. One could sniff all of their neighbors. That’s just as insecure as the wifi at your local coffee shop, moreso. At least at the local coffee shop I could sniff the network and see if someone else logged in as me and then confront them personally because that person is likely in the same room as you.

Push your services to use persistent SSL or stop using them. Facebook is not a necessity. Would you use online banking if they were at risk?

Electronic Frontier Foundation (http://eff.org) has done their homework on this and it’s not so much a problem with Firesheep as it is with sites not using secure http (those websites that start with https:// instead of http://)

You really wouldn’t need a $50 a month card and could keep on using free wifi if sites understood & implemented proper security.

Thanks for sharing the information with us.

Two things about which I wasn’t clear:

1. Are hackers still able to acces your information even after you’ve logged off the site and/or network? Or can they only mess around with things as long as you’re logged in?

2. Would I have to be using Firefox for someone to use Firesheep to hack my accounts? Or is it not restricted to the particular browser I’m using?

Thank you!

I have passed this on to everyone I know, and I posted it on Facebook, too. (And my friends are now sharing it as well) This scares the heck outta me. I’m going to order Virgin Mobile Broadband2go – no monthly fee, just pay for the time you need and add more as needed.
Thanks SO much for this!

1. This is not a new vulnerability. Firesheep has just made exploiting the vulnerability trivial. Malicious hackers have been exploiting this vulnerability for over a decade.
2. While public Wi-Fi is the easiest place for malicious hackers to exploit the vulnerability, it’s dangerous to think it’s the only place. Your personal hotspot is not much more secure.
3. This is not a Firefox vulnerability. All web browsers are inherently effected.
4. Firesheep is not the bad guy here. In fact, t’s the good guy: it’s helping to make everyone aware of the issue. In the short term, some people can use Firesheep to exploit the vulnerability; but the long-term benefit of fixing the vulnerability is worth it.

The issue is an HTTP connection versus an HTTPS ( the “S” stands for “secure”) connection to a web site. Most people probably don’t notice whether a web site address begins with “http” or “https”, but the difference is immense.

An HTTP connection to a web site from a desktop computer is like a phone call from a phone booth. You know that someone could be hearing every word you’re saying if they were wire-tapping, but chances are they’re not. An HTTP connection on a public wireless network is like a phone call from a train station. You know that many people can hear every word you’re saying if they bother to listen and if they can parse your words from all the others. Listening to someone else’s network/Internet traffic is called “packet sniffing”.

You wouldn’t tell someone your online bank account username and password in a busy train station, because a malicious person might hear you and exploit the information. Likewise, you shouldn’t send such private credentials across a public wireless network via HTTP.

The problem is a little worse for HTTP, though. When you log into a web site, you only supply your username and password once, right? But then how does the web site know who you are when you click on a link 5 minutes later? The answer is cookies. When you first log into a web site, it sends your web browser a “cookie” containing a session ID. A session ID is basically a really long number that statistically no one would ever guess in the amount of time it’s actually valid. (Every time you log into a web site, you get a different session ID.) The cookie with your session ID is sent to the web site automatically every time you make a request; that’s how the web server knows who you are. Session IDs typically expire after about 20 minutes.

So did you catch the security hole yet? Did you figure out how Firesheep works? On a public network, a malicious hacker can easily see the session ID that your browser is sending every time you make a request to the web site. If they start communicating with the web site using the same session ID, then as far as the web server is concerned they’re you. Hackers have been doing this for years, but Firesheep makes it one-click simple.

The solution to this problem is HTTPS. When the address of the web site you’re visiting begins with “https”, that means that every piece of information that travels to or from the site is encrypted, and can’t be understood by others even if they see it. Think of the encryption as a special language that you and the person you’re talking to made up especially for that conversation; by the time anyone figures it out, the conversation is long over.

Unfortunately, many web sites do not support HTTPS because truthfully providing the next Farmville will attract and keep far more users. It’s just not a priority.

Some other things to think about:

- Since session IDs stay valid for as long as they’re in use. So long after you close your netbook or put your iPhone away (ha!), someone can still be snooping around on your account without having to change. They won’t be forced out until you manually log out (which typically invalidates the session ID).

- Depending on the network configuration at your office, packet sniffing may be just as easy. That creepy guy three floors up from you could be watching everything you do.

- The major browsers now make it more obvious when you’re visiting a web site securely by decorating the address bar. Some show a shield, others turn the bar green, etc. It’s worth paying attention to.

The problems stems from some websites not having secured connections. In the past I did a Cisco networking course and we regularly learnt how to crack networks to find pieces of data. When I use free wifi I make sure that my connection to certain sites (like banks) is secured. If so data sent will be scrambled.

@Sarah, there are billions of web sites, and most of them do not support HTTPS. So a list would be impractical. However, you can tell whether your connection to a web site is secure or not by looking at the beginning of its address: if it begins with “https://”, then you are secure; if it begins with “http://”, then you are not.

Also keep in mind that it’s not necessarily valuable for EVERY web site to be secured in this way; only the ones where privacy is an issue. For example, there’s no reason to have an HTTPS connection when you’re reading the New York Times online.

@Stevie Wilson, anti-virus software will never protect you from this issue. It’s not a vulnerability of your wireless device. Rather, the web sites you’re visiting have neglected to provide you a secure way of talking to them.

If you’re doing work on the go, your company should strongly consider setting up a VPN.

@Douglas Paul

Sorry to be like this, but this statement is not entirely correct:

“The solution to this problem is HTTPS. When the address of the web site you’re visiting begins with “https”, that means that every piece of information that travels to or from the site is encrypted, and can’t be understood by others even if they see it. Think of the encryption as a special language that you and the person you’re talking to made up especially for that conversation; by the time anyone figures it out, the conversation is long over.”

HTTPS is not a solution, it just makes things a little more difficult. HTTPS can still be beat by Man in the Browser or (more commonly) Man in the Middle attacks. Man in the Browser works because information is not encrypted while it is being entered – it is only encrypted once it reaches the operating system’s encryption provider (this almost always happens on submit). Man in the middle attacks work because they involve a criminal impersonating the authorized web site and sitting right in the middle.

The third sentence, especially this part “by the time anyone figures it out, the conversation is long over” is especially troublesome. The moment an encryption algorithm is cracked (this happens frequently), every single communication encrypted with that algorithm becomes vulnerable. So, a criminal could sit and run Wireshark on a network (or several networks), save all encrypted traffic for several years, then decrypt it once the various algorithms used have been beat. This is one of the many reasons why password reuse (especially password reuse over several years) is incredibly dangerous!

Point being, there is no such such thing as true security (at least not with the current implementation of TCP/IP). But there are ways that people can reduce the amount of risk they are under when they send/receive information over the web. Some of these ways include:

- having a different, strong password for every single web site you use
- doing homework and making sure that every site you use uses secure login methods (exactly as you said)
- being very, very careful of what organizations get what information
- being diligent about monitoring your credit reports/bank statements
- pressuring the sites you use to keep track of (and show you) your login history
- changing your credit card numbers/bank account numbers/online banking credentials (including your user name) frequently
- using prepaid credit cards when you shop online
- using Linux Live CDs if you have to enter a social security number on a web interface

I never logged in to sites on free wifi networks anyway, but now I am completely paranoid about any online activity beyond the most basic browsing. I’m not sufficiently techie to know whether using Outlook to check my emails or a Yahoo desktop IM client would allow a hacker using Firesheep or similar to easily gain access to email or IM content. If no-one can give me an answer, I’d rather err on the safe side.
Thanks; I guess it’s back to reading books and sleeping on long train journeys again!

This is really scary. And to think a lot of people have been using free wifi without knowing these things. Thanks for sharing this info! I hope many would read this so they will be aware.

@ Peter Shankman

I also think the likelihood of people going out and buying wifi hotspots is even less than them learning to use something like Force TLS, which is free and easy to use. People just need to realize that Open wifi networks aren’t safe and never were, and that everywhere you go there are vulnerabilities.
I would like to point out that the people who do this kind of stuff on open wifi networks are the same type of people who buy stuff off of amazon and ebay using an app on their cellphone, which is about 10,000 x less secure. So when everybody that is stupid just wakes up one day smart, all this will be way less of a problem, until then though, they are low hanging fruit for people who know how to get their information.

There is now a BlackSheep add-on that detects anyone using FireSheep on the same network. What do you guys think?

Amazing how easy it is. Imagine what could happen at conferences. Therefore, my access point Lil Sprint is my best friend in the mobile world.

It’s not the company or business’s responsibility to secure your connection, it’s yours…and there are plenty of ways to secure your connection through a free wifi hot-spot. All you have to do is arm yourself with a little knowledge about what you’re doing. That knowledge is free and not that hard to come by, too. In the end, free wifi won’t disappear, sites like evernote, facebook and others will just have to “up” their game and start encrypting their connections with users, not because it’s their responsibility, but because the vast majority of their users are just too lazy to care and do it for themselves!