(Signal Boost) Firesheep: Open Season for Nosy Parkers
I am soooo not amused.
Thanks to ms_danson (as she noted in this post), I have found out that a new add-in for Firefox called “Firesheep” allows the user to sniff packets from a WiFi link and grab a copy of the “Session ID” that is used to keep you logged in after you enter your userID and password. And swiping the “Session ID” is all that is required for them to masquerade as you over that link. At that point, it’s Game Over - and you won’t even know about it till Much Too Late.
For good reasons, packet-sniffing programs such as “Firesheep” are banned by most ISPs, workplaces, colleges and so forth. If you get caught running this program without a good reason [i.e. as Head of Security], you almost certainly will be fired, expelled or otherwise rejected. Considering the scope the add-in offers to Nosy Parkers, they have enough reason!
Note that open, unencrypted WiFi links are the most vulnerable to this kind of stunt. However, most kinds of wireless encryption are almost as vulnerable, as the encryption itself has been “hacked” and cracked rather thoroughly. Only the latest type of WiFi encryption, known as “WPA2”, may be free of that secondary threat. Since upgrading to this new level of encryption usually requires a major upgrade to the wireless transceiver’s firmware if not the actual hardware, a lot of older laptops and other systems will simply not be able to keep up. The same holds true if the WiFi provider is short of funds; I doubt that many local libraries, for example, will be able to perform such an upgrade at the WiFi server end. Be aware that it is essential that both ends of the wireless connection have the upgrade for the updated WiFi encryption to work.
The best solution to this issue, as has been noted by others, is to force servers to send all their web-pages to you via SSL and HTTPS, especially when a WiFi link is involved. Since SSL apparently has been decidedly tougher than most kinds of wireless encryption (e.g. WEP or WPA) to break or “hack”, you will want to ensure that all connections (especially those over WiFi) are through HTTPS and not HTTP - check the beginning of any URL (in the address bar) to tell which one you are using. Many websites, but not all [LiveJournal apparently does not, except for the initial login], will support you using or switching to HTTPS throughout your session, from the initial login to the logout. Also, be sure to explicitly logout when you are finished with a connection to any website, especially over a wireless connection.
The good news is that this is primarily an issue with WiFi or wireless connections; if you use an Ethernet cable or wire and a recent model router, you are much better off. Newer routers will “switch” packets to each recipient, so a packet sniffer program like “Firesheep” cannot get at them. But this problem still holds for most kinds of wireless connection, even if it is the unencrypted WiFi link (and when dealing with websites that don’t support SSL) that is most vulnerable.
For more details, consult this post by 'alasdair' and another post by 'siderea', who are both friends of ms_danson. UPDATE: for a more professional viewpoint on this mess, consult this article. It emphasizes the same point I made earlier: most WiFi encryption is pretty much useless. Since then (on Thursday), another post has been made by 'siderea' on why encryption is often not available.
I should add the following quote from alasdair:
(Just in closing, I should probably note that the chap who wrote and released Firesheep wasn’t doing it just to cause trouble - or rather he was, but with noble motives. He wasn’t doing it to make hacking easy, he was doing it to force companies [and websites] to ... improve their security all round.)
What do others think? As always, this well-perched philosopher would like to know.