Posted on 11/08/2010 8:19:41 PM PST by Gomez
Firefox extension created to shine a light on the problem of unencrypted websites fails, because rather than offering a solution, it only makes it worse.
Most people know that public Wi-Fi hotspots aren't the safest connections in the world and probably aren't the best place to be doing things like online banking. But you probably didn't realize just how easy it is to steal logins for email and services like Facebook from other people on a hotspot.
Well, thanks to a new Firefox extension called Firesheep, anyone can easily view other people on their network and, with a click of a button, assume another person's identity and login credentials from any non-secure site that the unwitting person is logged into.
Firesheep was created by two developers who are hoping to shine a light on the problem of websites that don't use SSL encryption throughout an entire user session. It has always been easy for the bad guys to view and steal login information from users accessing non HTTPS-secured websites and Firesheep is just making that a whole lot easier.
To a certain degree this is a worthwhile cause. Too many sites put users at risk of giving away their login information by their failure to use secure connections. However, I wish the Firesheep developers could have made their point without putting this tool in the hands of bad guys, cranky teens, and disgruntled employees everywhere.
And don't think that because a webmail site or ecommerce site uses SSL for the login page that you're safe. If SSL isn't enabled for the entire session, someone using Firesheep can still take over your account after you've logged in.
Also, this problem isn't limited to Wi-Fi hotspots. Someone using Firesheep can see and steal the login information from anyone on a shared network segment, whether that's a hotspot, a home network, or a company network.
So what can you do to avoid the dangers of Firesheep (and the older sniffing tools familiar to real hackers)?
For those traveling or using public networks and hotspots, a VPN is probably your best option, as it will encrypt your entire Internet connection. But not everyone has access to a VPN, especially when it comes to non-business users.
The second best option is to make sure that the site you are using has https enabled throughout the entire session. Some sites, like Google Gmail, now do this by default, but that isn't the case for every site.
Browser extensions such as HTTPS Everywhere and Force-TLS will make sure that your browser uses a secure connection when it is available.
However, not every site has the capability to run under HTTPS for an entire session. Some sites use it only for login (which doesn't protect you against Firesheep) and some don't use it at all.
In these cases, if you don't have a VPN handy, then I would advise not using these sites or services at all when you are on a network that you don't trust 100%.
Of course the best solution would be for all sites that need to protect user information, whether they are webmail, social networks, or ecommerce sites, to use HTTPS all the time.
And with the threat of Firesheep out there, they all might finally do that.
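What the article's "SSL only for the login page" case looks like in a site's response headers, as an added example that is not part of the original post or article: a small Python audit that flags a session cookie without the Secure attribute, a post-login redirect back to http://, and a missing Strict-Transport-Security header. The host example.test, the cookie name and both sample responses are constructed; the Secure attribute and the HSTS header are standard browser mechanisms that the article itself does not name.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Return (cookie_name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(url, headers):
    """Flag ways this response lets a logged-in session travel over plain HTTP.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = []
    https = urlsplit(url).scheme == "https"
    names = {n.lower() for n, _ in headers}
    for n, v in headers:
        n = n.lower()
        if n == "set-cookie":
            cookie, attrs = parse_set_cookie(v)
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie}' lacks Secure: also sent on http:// requests")
        elif n == "location" and https and urlsplit(v).scheme == "http":
            findings.append(f"redirect leaves HTTPS: {v}")
    if https and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample responses to a login POST (example.test is a placeholder host).
LOGIN_ONLY_SSL = ("https://example.test/login", [
    ("Set-Cookie", "session=constructed-value; Path=/; HttpOnly"),
    ("Location", "http://example.test/home"),
])
FULL_SESSION_SSL = ("https://example.test/login", [
    ("Set-Cookie", "session=constructed-value; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://example.test/home"),
])

if __name__ == "__main__":
    for label, (url, headers) in [("login-only SSL", LOGIN_ONLY_SSL),
                                  ("full-session SSL", FULL_SESSION_SSL)]:
        print(label, audit_response(url, headers) or "no findings")
```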
I think my brain just exploded! Man, what a mess, my keyboard is all yucky! Let me get back to you!
The newer routers will give you a choice. You are right; WPA2 is definitely the way to go.
But there is also the question of the speed of your wireless network. You definitely want a dual-band router. That way your fast devices will work at a faster network speed appropriate for them, and your slower devices will work at a slower speed appropriate for them. But if you have a single-band router, the slowest device on your network will determine the speed for all devices on your network. Not good.
I love these threads. Thanks to advice seen here, I upgraded my router from WPA with TKIP to WPA2 with AES and a strong mnemonic password with upper, lower, numbers n symbols last week. Remember, you don’t have to outrun the bear, just outrun the other guys.
It doesn’t work that way, and none of that even matters if you are using your router as a VPN router, as your external connection from a cafe is slower round-trip than any local devices to each other.
Dual-band wireless routers are only useful for speeding up the data throughput of locally connected devices, and then only up to the maximum throughput of the two devices connected to each other, with the limiting factor being the slower device.
That said, if you have a “slow” device at 54 Mbps, and three devices at 100+Mbps, the slow device only slows down communications when another directly talks with it, not when the other devices talk to the others.
Often, the dual-band wireless feature isn’t fully utilized, as the fallback in congested neighborhoods is to instead migrate communication to the least used bands, even if it means you aren’t using a bonded, dual-band setup under Wireless N.
:-) You are getting it.
There are different ways to have a VPN setup like this at home with (hopefully) your current router.
1. Have a VPN connection with your home router via PPTP.
2. Have a VPN connection with your home router via OpenVPN or other software.
3. Have a VPN connection with a server in your home using a VPN pass-through on your router.
4. Have a VPN pass-through connection but remote control your home computer to connect IT to your choice of internet pages, etc.
Number “1” above is the easiest router-based fix, and directions for using DD-WRT (a free firmware upgrade for many routers) to do this are available here:
http://www.dd-wrt.com/wiki/index.php/VPN
DD-WRT is a free, Linux-based, open source firmware that works on many brands of routers. It is considerably more powerful and flexible than normal router software.
Number “2” above can be walked through here (but is rather more complex):
http://www.dd-wrt.com/wiki/index.php/OpenVPN
Number “3” above can be done with about any router with a computer acting as a VPN server (using OpenVPN or other software).
Number “4” above might be the easiest all-round fix, but it may mean the home computer won’t be useful for a home user during that time.
You may be right, but that is not the understanding I got from this article: How To Buy a Wireless Router: The Short Version - Speed, Choose Type, Products
I would still spend a little more and go with the dual-band, dual radio model.
Your router is a switch. Those are point-to-point and don’t go through a bottleneck of the “slowest” device.
Yes, I understand the difference between a switch and a hub. But this is a wireless network, not ethernet cables to a switch. Here is what the article says to do:
Another way to separate the client types is to use a dual-band, dual-radio N router. You would connect your G devices to the 2.4 GHz radio and your dual-band N devices to the 5 GHz radio. But this has the downside of shorter range for the 5 GHz band devices.
It is my understanding that some wireless routers do this automatically, for example Apple's AirPort Extreme.
Here is another article: How-to: set up dual-band WiFi (and juice your downloads)
The article also gives instructions to set up two wireless routers: one router at 5GHz for your faster devices using 802.11n and another router at 2.4GHz for your slower devices using 802.11g.
ping for future info