Over the past several months or so, the Internet has been abuzz about sheep, yes sheep. Let me explain. On October 22 2010 at ToorCon 12 http://sandiego.toorcon.org/ a Firefox plugin was released called Firesheep. Firesheep is a tool that makes it very easy for HTTP session hijacking (also called sidjacking) to occur. The tool allows the attacker to capture the session cookie and then log in using that cookie to have full control of the account to do things such as change your Facebook photos, update your Twitter status, etc.
The primary attack vector is on open WiFi hotspots, like those in coffee shops, airports, and other public places. This is not an exploit in Firefox or your operating system, but rather the problem of open WiFi and the website your connecting to. Firesheep does nothing new and can not be patched. This can be done with any packet sniffing tool for your platform. What it does do is make it very easy for just about anyone to launch a Firesheep attack on an open WiFi hotspot.
The ultimate solution to end all Firesheep attacks is the use of SSL on more than just login pages. On most websites this is something that the the website must first make the internal changes and then the end user must implement with a setting change. This is not ideal (as it should be on by default but its better than nothing). Facebook says they are evaluating implementing this. The first major website that has made changes (Source) to protect its users from Firesheep is Microsoft with Hotmail and many of the other Live services. However this setting is not on by default; users must enable it in their settings. I hope that with time all websites with private, or user data will make this change a default, like Google has done with Gmail.
Many web companies cite the increased cost in implementing full time SSL connections for their users. While it is true that an SSL connection does increase the server load the difference is very small. Google was really the first major Internet service to move a very large service to be encrypted with SSL by default for the entire session with Gmail. A Google engineer has talked about the cost of switching over to full SSL for all Gmail users in this blog post here http://techie-buzz.com/tech-news/google-switch-ssl-cost.html
“all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”
They concluded that there was not a significant increase in cost or server utilization by implementing this. That being said Google has a ton of servers and a lot of resources to work with so this may not be true for every website. However the myths of the past that this would be an incredibly expensive process and not worth it are simply not true anymore. Implementing SSL for the entire session (versus just at log-on now) is the only true solution to this problem. Many websites say they are working on this now and plan to implement it. This is a good thing.
Here are some solutions that you can do to prevent being a victim of a Firesheep attack.
Be aware of the network you are on.
Know that if you’re on a open hotspot that you’re vulnerable to attack. It’s probably not the best idea to be logging into sensitive websites, checking email, Facebook, paying bills, etc. If you do need to do these things consider some of the options below.
Use a minimum of WPA encryption.
While everyone in their homes should be running a minimum of WPA (preferibly WPA2) many businesses and other public places offer free WiFi that is unencrypted. Users need to put pressure on business owners and administrators to implement the WPA protocol to protect users. WPA offers an individualy encrypted session between the user and the router by default. This does not protect you 100% but protects you from local Firesheep attacks which are the main threat. Many businesses have in the past not wanted to do this because of not wanting to be asked thousands of times per day what the password is or dealing with any complications; however it must be done today because of this and other security risks. Listening to Security Now podcast #273 they came up with a great solution: put the password in the SSID. For example the SSID might be (Joe’s Coffee Free WiFi-Password = Joe) or something similar. This would allow a user who is browsing for the free WiFi to see the password and be secure. It was suggested that the best way to do this would be to demonstrate the attack to a shop owner; heck, maybe you would get a free drink out of it too.
Some websites that have the option to force SSL (Secured Socket Layer) through the entire session but do not have it turned on by default (Microsoft Hotmail for example) so enable it. This can be enabled on the security tab of the settings page. Regardless of if you’re on an open or encrypted hotspot, SSL protects you and is the ultimate solution.
Signing out is something everyone should be doing anyways. Since this tool exploits a session cookie, if you end your session, the cookie that the attacker may have caught becomes worthless. It is also just the proper way to close a session and is a must on any public computer.
HTTPS Everywhere is a plugin for Firefox that is produced by the Electronic Frontier Foundation (EFF) that forces encryption with many major websites. The EFF is a foundation thats goal is to defend your digital rights. This includes Net Neutrality, privacy and security. Many websites support full HTTPS traffic but make it difficult to use. HTTPS Everywhere makes this process nearly seamless for the websites it supports. This is a project that is still in development but is stable and works well. I have been using it for a few weeks now and noticed no ill effects. It works on the following websites: Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com Blogs, New York Times, Washington Post, Paypal, EFF, Tor, LXQuick, and others. You must install this plugin directly from the EFF’s website https://www.eff.org/https-everywhere as it is still in beta. Once the plugin goes to a 1. release I expect to see it on Mozila’s plugin page as well. I hope they will be coming out with a Chrome version soon as well.
Is a Firefox addon that monitors for Firesheep activity on the network . It does this by broadcasting fake credentials to sites that are know to be targeted by Firesheep and then when someone does try logging into these fake sites it alerts you with a drop down box in the browser. It is little more than a notification and offers no real protection to your personal information. You can download it here if you are interested http://www.zscaler.com/blacksheep.html
VPN’s offer secure tunnels back to a connection that you trust such as your home or office. All traffic will flow through this connection so you avoid someone who might be spying on the open hotspot at the airport your on. They require some setup but are what enterprises use to securely connect users back to the office. They work just as well for the average user as well. There are many free and paid ways to do this so here are a free ways to do it. OpenVPN Other options compiled by Lifehacker http://lifehacker.com/5487500/five-best-vpn-tools
In conclusion this is a big deal. Everyone should be aware of it as you travel this holiday season. Often times travelers hunt out free WiFi connection anywhere they can. Open WiFi is dangerous, it always has been but with Firesheep it becomes much easier for someone to exploit for nefarious reasons. To protect yourself, consider setting up a VPN connection to your home, if you must use open WiFi connections to check sensitive email or social media websites.
Other Sources not specifically listed in the article but used