Over the last week you may have heard references to some techie topic that used the term “Firesheep” and wondered briefly what that was. You might also have heard that it deals with hacking, a security loophole in WiFi, or any number of other things. I’ve been looking at this for a few days and wanted to pass along what I’d learned.
Firesheep is an add-on application to the widely-used browser application FireFox. Firesheep permits a user who logs on to an open WiFi network (such as a local Starbucks or any other location offering free WiFi) to see the connections of other users on that same network when they connect to such popular social networking sites as Facebook and Twitter. Then, in a process known in the industry as “sidejacking,” that Firesheep user can virtually become the target user and gain full access to that user’s accounts. If that scares you, that was the intent.
Actually, the intent of the author, Eric Butler, was to scare the management at Facebook and Twitter (and anyone else who might be running a web service in a manner Butler considers to be insecure) into implementing the necessary changes to secure every users’ access to their site. The fact that his tool puts your information and account access in jeopardy is just collateral damage, he assures everyone. In order to understand that notion you need to have a basic idea of what he’s talking about, so bear with me while we get a bit technical.
The idea that there are certain conversations to be had on the Internet that need to be kept private is both old and basic. When you log into your online bank, for instance, or enter a credit card to pay for something, you don’t want that information traveling in plain view of everyone else out there. To protect that kind of transmission, you use encryption to make the transmission unreadable by anyone but those in possession of the necessary keys. The technology in use in literally every browser application worthy of the name is called SSL (Secure Socket Layer). An SSL conversation is started when your browser requests it from the web server you’re trying to visit. The actual process is something I’ll leave to your research but the final result is that your system and the web service generate encryption keys for your session and use those keys to encrypt and decrypt all the traffic they send to each other. Any person listening in on the conversation won’t be able to understand what’s being said because they lack the encryption keys. (Yes, encryption can be broken but it’s not trivial to do so and most malicious folks out there lack the resources to do it.) Thus, you have a secure connection for the duration of your visit. Most browsers actually have an indicator for when they are engaged in a secure conversation like this. It usually takes the form of a padlock icon in the lower left or right of the browser window.
Of course, you can have connections that are not secured in this fashion. In fact, most of the web browsing you do at news sites, blogs, YouTube, etc., are held “in the clear,” meaning that anyone on your same network could see those conversations if they had the right tools and the know-how to use them. As you might have guessed by now, both Facebook and Twitter have their communications with you “in the clear.” Not when you log on to those sites, as you can verify by looking for that icon I mentioned. But once you’ve actually logged in, they actually transition you off of a secure conversation and out into the clear. This is what security-minded people like Butler have a problem with. They believe that all such conversations should be secure and stay secure for as long as you’re logged into the service.
So how does this involve the local coffee shop’s WiFi? When you’re connected to a shared network – whether it’s via a wire connected to a hub or via a wireless network – all of the traffic you send and all of the traffic any other user of that same network sends is visible to all of the users all of the time. The network protocols in use dictate what traffic your system actually pays attention to and what it ignores but all of the traffic is, in fact, visible. If you have an application running that monitors all of the traffic – an application called a “packet sniffer” – then you can see that traffic in progress. Downloading and running a packet sniffer is simple. Knowing what you’re looking at isn’t, at least not with the expertise most people have in this subject. And then actually using that traffic to impersonate someone else is even more complicated still. So while these tools have existed for some time and these security holes have been there for a while, it remained beyond the abilities of the vast majority of people to actually use them to any ill effect.
Until now, of course. Now it’s a matter of downloading an add-on to a very popular web browser and settling down at the local brew-shop. There are technical issues raised by this and there are ethical issues. I’m going to deal with the ethical issues in another post. For now, let’s look at the technical issues.
There is no question that what Firesheep has resulted in is a dramatically more hostile environment for users of public WiFi. Since there is no method available to detect when a person is using Firesheep (or any of the more virulent variations most certainly coming soon) no user will have any warning that someone’s about to sidejack them. This has all but completely interdicted any public or open WiFi for common use. Thanks to Mr. Butler’s addition to Firefox, literally any cackling punk who can download a software application can now execute attacks on your accounts and information that only seasoned hackers (more accurately, crackers) could perform before. This multiplies the threat hundreds if not thousands of times. This has made using open WiFi a rather hazardous proposition.
There are ways to mitigate this threat. If you, like me, are a professional “road warrior” who uses these public WiFi locations to conduct your business, then you need to make use of your company’s VPN (virtual private network) facilities each and every time you access a public WiFi. This usually involves getting attached to the WiFi and then running a VPN client to establish an encrypted tunnel back to your company’s systems. Any traffic you send will be encrypted on the way out of the laptop and sent out that way. Firesheep won’t be able to see what traffic you’re sending at all and neither will anyone else. If your company doesn’t have this kind of function, you should be asking your IT department why not. If you’re the boss of a small company then you should look into implementing a VPN for yourself and/or any employees. There are small VPN appliances available that can provide this functionality. There are also services you can buy that provide VPN for as little as $7-$15 a month. Have a look at these pages on how to protect yourself against Firesheep for more detail.
Another way – and the method Butler is trying to force – is to only access such web services as Facebook and Twitter via a secure connection with SSL. Did you know you can actually do that? The typical link to Facebook looks like “http://www.facebook.com” and you’ll notice it starts with “http”. That’s an unsecured connection, one made “in the clear.” However, try using “https://www.facebook.com” and note the change from “http” to “https”. This one is a secure connection. I just tried it as I was writing this and it does come up. My browser is reporting that not everything on the page
I see is coming encrypted so it’s not perfect by any means. I would imagine it’s better than nothing. Personally, I don’t see any downside to using this one over the “regular” one.
One last item is a protection that exists in the network side of things rather than in the application. Now, I know Butler is aiming at Facebook and Twitter to make them use SSL for the connections and that he likely couldn’t care less about the network security. But there’s a method to shut down Firesheep completely on the WiFi part of the network: don’t leave the WiFi open. There are a couple of protocols in common use today that protect the wireless transmissions from the access point to the end device (the laptop or whatever), WEP and WPA. WEP is a ridiculously bad encryption protocol and I no longer recommend it at all. These days any decent device will support both and there’s no reason to use the one that’s been cracked so many times it might as well not even exist. I recommend WPA (or WPA2 more strongly, in fact) and putting it in use is very easy. WPA uses a similar technique to SSL. It establishes session-level encryption keys to secure the communications for each and every user connected to the WiFi. It doesn’t matter if they’re all using the same password, the session keys are unique to the individual laptop. If the Starbucks or whomever in question would simply turn this security on and post, publicly, the password, then every user attached would have their transmissions secured from each other. Firesheep gets nothing.
Of course, what applies to Starbucks applies to you, too, if you’re not running your home wireless router with security turned on. If you left it off or turned it off to avoid having to configure your laptops and other devices you’re as vulnerable to Firesheep as any public WiFi. And worse, the people who are trolling neighborhoods for open WiFi connections are usually the people with the expertise to do a lot more than sidejack your Facebook connection. Get it turned on, and I recommend you do it today.