Take precautions against Firesheep

    Over the last 24 hours the world has been abuzz with talk about a small Firefox extension. Usually Firefox extensions don't make headlines, but in this case one did. Why? This extension is called Firesheep, and it's scary.

    The Firesheep extension can hijack your Facebook, Twitter and Flickr sessions while you are connected to unsecured wifi. What do we mean by hijack? After you log in, those sites send your session cookie back and forth over plain HTTP. Anyone on the same open network can capture that cookie, load it into their own browser, and the site will treat them as you. You won't even know it happened.

    Yeah, wow.

    There is a lot of discussion about the ramifications of releasing something that is simple enough to let anyone become a hacker, and TUAW has some good suggestions for how to guard against Firesheep, but I want to give you my take on it and what practical steps you can take.

    First off I want to tell you about my day yesterday (it relates, trust me). Sitting at home working on articles for this joint, I get a call from one of my friends at the CBC. "Have you heard about Firesheep?" I said I saw some headlines, but I hadn't really looked at it. "Could you look at it and talk about it on camera?" Umm...sure...when? "How about an hour?" Eek. Sure...why not.

    I dash to one of my favourite coffee places close by (which I also knew had open wifi) after getting Firesheep all loaded up (it took less than a minute). I order a latte, settle in and ...

    Holy crap.

    Just like everyone said, running Firesheep I could see who was logged into Facebook and a bunch of other sites and with a double-click be that person.

    Holy crap.

    I'm not usually a terribly paranoid person online, but this gave me the willies. Anyone could have this running and you'd never know it. Oh sure, packet sniffers have been around for a while (that's how it works: it listens to the wifi traffic and picks the cookies out of it), but packet sniffing isn't easy for most people. Firesheep is easy enough for a kid to use. So how do you combat this? Well, let's get to that now...

    First thing, if you have a wireless network at home and you haven't turned on encryption with a password (WPA2, or WPA if your gear is older), do it now. WEP is better than an open network against a casual Firesheep user, but it has been broken for years and can be cracked in minutes, so don't count it as locked down.

    Next, for all the businesses that have open wifi, now is the time to bite the bullet and put a password on the network. No, I'm not talking about a "gatekeeper" (captive portal) password that lets you in for a period of time and then leaves your traffic in the clear, but WPA2 with a passphrase. Encryption. Yes, I know it's a hassle for people to ask, but just make it obvious. This isn't about access control, it's about safety. I showed the manager of the place where the CBC segment was shot what the risk was and he was pretty shocked.

    If you frequent a place that has open wifi, ask them to put a password on it. If you're slightly techie and know how to do this, offer to help. For free. One caveat: a password shuts out Firesheep as shipped, because it only reads unencrypted wifi, but on a shared-password network anyone who knows the password and captured your connection handshake can still decrypt your traffic with a general-purpose sniffer. It raises the bar a lot; it does not make plain-HTTP logins safe.

    In the meantime, you can try Firefox extensions like Force-TLS or HTTPS Everywhere, or a Chrome extension like KB SSL Enforcer, all of which make the browser load the HTTPS (encrypted) version of the site you're on. The problem I ran into with KB SSL today was that a lot of sites don't have their HTTP and HTTPS versions working together very well. I had to shut it off to read some things...so what does that do? These solutions are only a stop gap as far as I'm concerned.

    For those of you lucky enough to have a mobile data stick, or who can tether your phone for access: both of those keep you off the shared network, and the cellular link is encrypted, so Firesheep doesn't apply there. What about your WiFi-only mobile devices? Those I don't have good solutions for. Myself, I have both my iPhone and iPad set not to just autoconnect to available networks, and I'm going to have them both "forget" several of the local places I go to that don't have secured wifi. Yes, mobile devices are also vulnerable, because this isn't a vulnerability in a browser or a device: it's in how the sites themselves send your session cookie over unencrypted HTTP, and a phone on the same open wifi is sniffed just as easily as a laptop.

    This is what bugs me the most about the whole Firesheep problem. Websites like Facebook and Twitter could force everyone onto HTTPS, the way Gmail does, and mark the session cookie Secure so the browser never sends it over plain HTTP, but they choose not to. Until now, the risk hasn't been that huge, but now...now I don't think they can say that.

    From now on, if it's unsecured WiFi, I'm not using it. Period. If I absolutely have to, then I'll run a proxy. Yeah, it's harsh, but even the Firefox and Chrome extensions are only a partial solution. They aren't 100% and they don't work with all sites equally well. All you need to do is forget to turn them on, or have a desktop notifier application polling Twitter or Facebook in the background (it talks to the site directly, so the browser extension never sees that traffic), and ...

    Done like dinner.
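    As an added example (not code from the original post, and not Firesheep's own), here is what a sniffer on open wifi pulls out of one plaintext request, and the check a site owner would run on their own Set-Cookie headers to see whether a session cookie can ever travel over plain HTTP. The request and response embedded in the script are constructed sample data; the host name, cookie names and values are made up.

```shell
#!/bin/sh
# Added example, not from the original post or from Firesheep itself.
# Sample data: a constructed plaintext HTTP request and response; the host,
# cookie names and values are made up for illustration.

# What crosses open wifi when you are logged in to a plain-HTTP site.
# Every other client on the network can read the Cookie header.
SNIFFED_REQUEST='GET /home.php HTTP/1.1
Host: www.social-site.test
User-Agent: Mozilla/5.0
Cookie: session_id=9f3a1c7d2e; lang=en
Connection: keep-alive
'

# A constructed server response to audit: two cookies are set without the
# Secure flag, one with it.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=9f3a1c7d2e; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
Set-Cookie: csrf=abc123; Path=/; Secure; HttpOnly
'

# Pull the Cookie header out of a captured request. This is the whole
# "hijack": replaying the same header makes the server treat the sender
# as that user until the session expires or is logged out server-side.
extract_cookie() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Cookie:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Site-side check: list the cookies a response sets WITHOUT the Secure
# flag. A Secure cookie is never sent over plain HTTP, so an http:// link
# or a background poller cannot leak it to a sniffer. (HttpOnly is a
# different protection: it stops scripts reading the cookie, not the network.)
cookies_missing_secure() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:' \
    | grep -ivE ';[[:space:]]*secure[[:space:]]*(;|$)' \
    | sed 's/^[^:]*:[[:space:]]*\([^=]*\)=.*/\1/'
}

# Demo on the constructed data. To audit a live site, pass it the response
# headers of your own login request (from curl -i or the browser's network
# panel) instead of SAMPLE_RESPONSE.
printf 'Session cookie visible to a sniffer: %s\n' "$(extract_cookie "$SNIFFED_REQUEST")"
printf 'Cookies set without Secure:\n'
cookies_missing_secure "$SAMPLE_RESPONSE"
```

    Every cookie the check reports is one a Firesheep user on the same network can capture the next time the browser, or a background notifier, makes a plain http:// request to that site. The Secure flag is the site-side half of the fix the post asks Facebook and Twitter for; serving the whole site over HTTPS is the other half.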

    My last tip, for the rather geeky among you who have a web host that gives you an SSH (shell or terminal) connection (both Dreamhost and Bluehost do), is to use this awesome trick for setting up a secure, encrypted proxy: tunnel your browsing through SSH to the web host. I use this one all the time; it takes just a moment to set up, but is very, very secure.
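    The post's link to the proxy trick did not survive, so here is the standard way of doing it, as an added example and not the author's own script: an SSH dynamic port forward turned into a local SOCKS5 proxy, with the Firefox settings that push all browser traffic (DNS included) through it. me@myhost.example and port 1080 are placeholders for your own web host login and a free local port.

```shell
#!/bin/sh
# Added example, not the trick linked from the original post (that link did
# not survive on this page). It sets up an SSH dynamic port forward (-D) as
# an encrypted SOCKS5 proxy so traffic leaves the open-wifi laptop only
# inside the SSH tunnel and exits at the web host.
# me@myhost.example and port 1080 below are placeholders.

# Open the tunnel. -D binds a local SOCKS proxy whose connections ride the
# SSH session and exit at the web host; -N runs no remote shell; -f
# backgrounds ssh after authentication. Binding to 127.0.0.1 keeps other
# clients on the coffee-shop wifi from using your tunnel.
start_proxy() {
  user_host="$1"; port="${2:-1080}"
  ssh -f -N -D "127.0.0.1:$port" "$user_host"
}

# Firefox prefs (user.js syntax) that send all browser traffic through the
# proxy. socks_remote_dns is the one people forget: without it, DNS lookups
# still go out over the wifi in the clear and reveal which sites you visit
# even though the page traffic itself is tunnelled.
firefox_proxy_prefs() {
  port="${1:-1080}"
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Is anything listening on the proxy port? Check before browsing: if ssh
# failed to authenticate there is no tunnel. Uses nc if present, else ss.
proxy_listening() {
  port="${1:-1080}"
  if command -v nc >/dev/null 2>&1; then
    nc -z 127.0.0.1 "$port" >/dev/null 2>&1
  else
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$port "
  fi
}

# Usage:  sh proxy.sh up me@myhost.example 1080
if [ "${1:-}" = "up" ]; then
  start_proxy "$2" "${3:-1080}"
  sleep 1
  proxy_listening "${3:-1080}" || { echo "no tunnel on 127.0.0.1:${3:-1080}; do not browse" >&2; exit 1; }
  echo "Firefox: append the following to your profile's user.js and restart:"
  firefox_proxy_prefs "${3:-1080}"
  echo "Chrome:  google-chrome --proxy-server=socks5://127.0.0.1:${3:-1080}"
  echo "Verify:  curl --socks5-hostname 127.0.0.1:${3:-1080} <any what-is-my-IP site>"
  echo "         It should report the web host's address, not the cafe's."
fi
```

    Two caveats. The tunnel protects the hop across the coffee shop, not the far side: from the web host onward, a plain-HTTP site is still plain HTTP, so the HTTPS extensions still earn their keep. And a desktop app that polls Twitter or Facebook on its own does not use the browser's proxy settings; it goes out over the wifi in the clear unless you proxy it separately.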
    Comments (9)

    1. EyeCandy:
       Who still uses that bloatware, Firefox? I thought everyone used Chrome now... Hell, even the IE9 beta is better than Firefox.

    2. anon:
       Originally posted by EyeCandy:
         Who still uses that bloatware, Firefox?
       I think that's not the point of the article.

       What's the source for this post, Aby?

    3. Shinzen:
       Why is such an old article being posted now?

    4. whatcdfan:
       @EyeCandy:
       What ya talkin' about, man? FF is the best browser out there and Opera is the second best; both IE and Chrome suck. But having said that, browsing habits differ from one person to another, so it's just my opinion.

    5. Expeto:
       @EyeCandy
       Firefox and Opera are real browsers that satisfy the needs of power users. Chrome is a toy.

    6. Funkin':
       Originally posted by EyeCandy:
         Who still uses that bloatware, Firefox?
       Tons of people who still think FF is the best. But as anon mentioned, that's not the point of this article.

       Anyways, good thing I don't use any of the mentioned sites.

    7. iLOVENZB:
       Originally posted by whatcdfan:
         @EyeCandy:
         What ya talkin' about, man? FF is the best browser out there and Opera is the second best; both IE and Chrome suck. But having said that, browsing habits differ from one person to another, so it's just my opinion.
       Well, your opinion sucks. Chrome.

    8. unclemilty74:
       Originally posted by iLOVENZB:
         Originally posted by whatcdfan:
           @EyeCandy:
           What ya talkin' about, man? FF is the best browser out there and Opera is the second best; both IE and Chrome suck. But having said that, browsing habits differ from one person to another, so it's just my opinion.
         Well, your opinion sucks. Chrome.
       Seriously, Chrome? What is with you Google fags? Yeah, I tried it and it couldn't load half the sites I went to. Sucks dick. I bet you have Google Voice too, and can't wait to get the Google OS. Yeah, good luck with that.

    9. Cabalo:
       I was a die-hard Firefox fan, and I switched to Chrome. It's way faster at rendering pages, amongst other things.
       It is not yet as top-notch or as add-on-rich as FF, but it's a damn good browser.