NEWS FROM THE LAB - Monday, October 25, 2010

Firesheep: Making the Complicated Trivial Posted by Mikko @ 14:12 GMT

Surfing the web with an unencrypted HTTP connection is not safe, especially if you're doing it over an unencrypted Wi-Fi connection: anybody else at the same hotspot can use special tools to monitor your traffic.

Surfing the web with an encrypted HTTPS connection is much better. Using Wi-Fi with strong encryption is also safe. However, these options are usually not up to the end user to decide. Most open hotspots have no encryption at all, and many popular sites only use HTTPS for the login procedure, if at all.

And even if the login session is encrypted, many popular sites (such as Facebook, Twitter, Amazon) will simply give your browser a cookie which is used for all subsequent requests. If somebody can steal the cookie, they can steal your session in the service.

People have been living under the impression that capturing a session by stealing a cookie can only be done by skilled hackers with special tools.
This has now changed.

A paper called Hey Web 2.0: Start protecting user privacy instead of pretending to was presented in Toorcon last weekend by Ian Gallagher and Eric Butler. Their slides are available here.

They also released a tool called Firesheep.

Firesheep is a Firefox browser extension designed to demonstrate this problem.

Firesheep will scan local Wi-Fi networks. It will locate users who are logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, Wordpress, Flickr, bit.ly and other services. It will show you their icon, and it will allow you to become them. You can continue their open session, post things, delete stuff. You can do anything they could do themselves.

This is pretty serious stuff. Suddenly something that has been hard to do is trivial to do.

Do note that using Firesheep under Windows still requires some skill — namely, to install WinPcap packet capture software.

Will Firesheep be misused? Absolutely.

Will it cause some of the above sites to go fully SSL? We hope so. Gmail did it earlier this year.

What can users do right now? Force SSL on if you can. Don't use Wi-Fis without encryption. Or, use a VPN.

Most corporate laptops come with a corporate VPN installed on it. But many of the users only turn it on when they need it. This is a bad idea. If you have a VPN, always turn it on when you are on a hotspot, even if you're not "working" but just surfing Facebook. All good VPN products will encrypt all of the traffic, even to Facebook.

Obviously home users don't have a corporate VPN on their laptops. Which VPN Service should they use then? We actually are not sure as we haven't really investigated this market. We're interested to hear your opinions. Leave us feedback via comments.

Updated to add: TechCrunch's take on Firefox extension Force-TLS; How To Protect Your Login Information From Firesheep.