Posted on 11/08/2010 8:19:41 PM PST by Gomez
Firefox extension created to shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse.
Most people know that public Wi-Fi hotspots aren't the safest connections in the world and probably aren't the best place to be doing things like online banking. But you probably didn't realize just how easy it is to steal logins for email and services like Facebook from other people on a hotspot.
Well, thanks to a new Firefox extension called Firesheep, anyone can easily view other people on their network and, with a click of a button, assume another person's identity and login credentials from any non-secure site that the unwitting person is logged into.
Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.
To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.
And don't think that because a webmail site or ecommerce site uses SSL for the login page that you're safe. If SSL isn't enabled for the entire session, someone using Firesheep can still take over your account after you've logged in.
Also, this problem isn't limited to Wi-Fi hotspots. Someone using Firesheep can see and steal the login information from anyone on a shared network segment, whether that's a hotspot, a home network, or a company network.
So what can you do to avoid the dangers of Firesheep (and the older sniffing tools familiar to real hackers)?
For those traveling or using public networks and hotspots, a VPN is probably your best option, as it will encrypt your entire Internet connection. But not everyone has access to a VPN, especially when it comes to non-business users.
The second best option is to make sure that the site you are using has https enabled throughout the entire session. Some sites, like Google Gmail, now do this by default, but that isn't the case for every site.
Browser extensions such as HTTPS Everywhere and Force-TLS will make sure that your browser uses a secure connection when it is available.
However, not every site has the capability to run under HTTPS for an entire session. Some sites use it only for login (which doesn't protect you against Firesheep) and some don't use it at all.
In these cases, if you don't have a VPN handy, then I would advise not using these sites or services at all when you are on a network that you don't trust 100%.
Of course the best solution would be for all sites that need to protect user information, whether they are webmail, social networks, or ecommerce sites, to use HTTPS all the time.
And with the threat of Firesheep out there, they all might finally do that.
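The login-only SSL gap described in the article comes down to the session cookie: if it is issued without the Secure attribute, the browser sends it on every later plain-HTTP request, where anyone on the same network segment can read it. The check below is an added example, not part of the original article or thread; the host names, the cookie name session_id and the header values are constructed, and it audits response headers a site operator has already collected.

```python
# Added example: audit a site's response headers for the "SSL on login only" gap.
# All sample data below is constructed; nothing here comes from a real site.

SAMPLE_RESPONSES = {
    # HTTPS login page, but the session cookie is not restricted to HTTPS.
    "login-only-ssl.example": [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
    # HTTPS for the whole session: Secure cookie plus an HSTS policy.
    "full-session-ssl.example": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session_id=def456; Path=/; Secure; HttpOnly"),
    ],
}


def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names) for one header."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(headers, session_names=("session_id",)):
    """List reasons a logged-in session could still travel in cleartext."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: "
                        "browser may still issue plain-HTTP requests")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Only cookies that identify the logged-in user matter here.
        if name in session_names and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: "
                            "sent in cleartext on any http:// request")
    return findings


if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        problems = audit_response(headers)
        print(host, "->", problems or "session stays on HTTPS")
```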
I’m on an ethernet wire from a WiFi router. Does that protect me from this problem, when the router itself is open?
So-called "Security By Obscurity" does not work as well as fixing the security problem itself. Releasing this tool publicly makes tons of people aware of it that otherwise would not be. Not releasing it would mean that only the bad guys would have the tool.
Same as with firearms. If you don't allow the law-abiding public to have firearms, then only the criminals will have them. Banning guns does not keep them away from criminals. Banning tools like this does not keep them away from nasty interwebbers.
I read the article someone posted, but don’t think I quite understood. I guess I will have to ask my son. Drat. I don’t want to have to be a geek just to surf.
I agree. People should not have to speak Geek just to use a computer. So be careful if you go to someplace like Starbucks and use their wireless public connection to the Internet. If you want to go for the coffee, that's OK, but don't use their network.
If you have a wireless home network, and it uses the best security available, and you trust everyone on your home network, you are OK.
ping
I do trust my husband, and he’s the only one on our network. ;) And we have a password for our wireless. Does that make it secure from this? I NEVER use wifi out of the house. But husband does when he travels. He thought an ethernet card made it safe? I admit, the technology has passed me by. I was so hip and cool back in the days of DOS....
What I meant to say, and may not have made clear is, our home router has a password on it, as awhile back we suspected a neighbor was getting on our internet.
Looks like someone already has.
LOL. Me too!
I do trust my husband, and he’s the only one on our network. ;) And we have a password for our wireless. Does that make it secure from this?
This is the point where, unfortunately, we have to talk Geek. Your wireless network needs to use the best encryption available these days. That is something called WPA2. If you have a password for your wireless home network using WPA2, and only you and your husband are using it, you are safe.
I NEVER use wifi out of the house.
That is wise.
But husband does when he travels. He thought an ethernet card made it safe?
No, simply an ethernet card does not make him safe. It depends upon the type of encryption the websites he connects to are using. That also goes for email. As far as I know, only gmail would be secure by default.
That's good. You definitely need a password on your home network. But it also needs to be using WPA2. The older encryption for wireless networks is WEP. That is not completely secure. So make sure you are using WPA2.
I don’t know what WPA2 is. Maybe my personal geek (son) does. I will ask him, he set it up for us. The bad thing is, the bad guys are out there every day figuring out how to get around everything.
We don’t do any banking etc online, but I don’t want them on my FB or email etc either.
Thank you, I will pass that on.
Yes, WEP key is what we have. So, I will talk to my son and see about a WPA2. I’m sure he knows. Drat. See? No matter what we do, they are a step ahead. Darn bad guys. They take the fun out of all our fun. I envision a day we can find them and cane them.
Make sure that your WIFI router is not open. Secure it. Password protect it. Don't use a password that can be found in any dictionary. Limit the number of IP addresses that can connect to the number of computers you have. Make your computers and other wireless devices that you choose to connect static IP addresses on your own LAN and then only allow those addresses on your WIFI router. Use strong encryption. If you want to share Internet connection with guests, sandbox them from your LAN. These are all steps you can take to assure your wireless network is as secure as YOU can make it.
It depends on how old your router is. It may give you a choice between WEP and WPA2. If so, all you have to do is change the configuration to WPA2.
Darn bad guys. They take the fun out of all our fun. I envision a day we can find them and cane them.
LOL
OK, thanks for the help. :)
Basically, to evade this problem on a public WiFi connection, you’d need to pay for a service or set up your home router as a VPN router.
With that last option, you would connect to your home router securely and then route all of your traffic from your cafe WiFi out through your home router again, with all the resulting web pages being fed back to your portable at the cafe, still encrypted.
Another option is to bypass public WiFi using your cell phone, either with a cable, via Bluetooth, or via WiFi (but make sure you have your phone’s WiFi set to a good level of encryption so people can’t break in—use WPA with AES or WPA2).
Ask me for more details if needed.
Some information in post #38.
My understanding is that WEP is totally insecure now, and WPA with TKIP is broken within an hour, but that WPA with AES is still fine.
WPA2 is better yet, but my prior router didn’t handle it.