Dealing with Firesheep
I’m surprised that Firesheep hasn’t been a bigger deal. For those of you who aren’t familiar with it, Firesheep is a Firefox add-on that was released this past October that makes it easy to harvest other users’ cookies from a network you share. These “cookies” are little bits of data that are stored in your browser that, among other things, allow a website you visit to recognize you when you return. Harvesting them allows whoever is doing the collecting to impersonate the user whose cookies were collected, a practice referred to as “sidejacking”.
The biggest threat posed by sidejacking is on open wireless networks, like those you may use in your favorite coffee shop. Even if the network directs you to a special page to log in or accept its terms, your traffic is sent unencrypted, which allows anyone in range to intercept it. (Networks that use access controls like WPA and WEP do encrypt their traffic individually for each user, and do not have this problem.) Sidejacking isn’t a new problem, but the Firesheep tool makes it much easier to accomplish, and therefore of more concern.
I can think of three ways to defend against this attack:
- Use an encrypted wireless network
- Use https: (TLS/SSL) for all web connections
- Use a VPN
Public access points typically don’t use encryption because one has to know the password (secret) for the network to make the initial connection. Without a password, there’s no way to connect to the network. I hear that the wireless networking vendors are working on new protocols for public-access networks to use encryption, but in the meantime we’ll be using unencrypted networks in public places for a long time.
TLS (Transport Layer Security) or SSL (Secure Sockets Layer), which is used when you see https: and the lock logo on your browser, is great when you can get it. There are tools such as browser extensions for forcing the use of TLS on Web connections, but many websites don’t support TLS at all. Even so, not everything happens through your browser: many people use separate applications for email and instant messaging.
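Even on a site that supports https:, a cookie stays off the open network only if the site marks it Secure; otherwise the browser also attaches it to any plain http: request to the same host. The following is an added example, not code from the original post, that checks Set-Cookie headers for cookies that would still travel unencrypted; the function names and the sample headers are constructed for illustration.

```python
# Added example: function names and sample data are constructed, not from the post.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_cookies(scheme, set_cookie_headers):
    """Return {cookie_name: reason} for cookies readable on an unencrypted network."""
    exposed = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if scheme != "https":
            exposed[name] = "set over plain http"
        elif "secure" not in attrs:
            # HttpOnly only hides the cookie from page scripts, not from the network.
            exposed[name] = "no Secure attribute; sent on any later http request"
    return exposed


# Constructed sample responses: (scheme of the request, Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("http", ["sid=abc123; Path=/"]),
    ("https", ["session=f00; Path=/; HttpOnly", "csrf=9a1; Path=/; Secure; HttpOnly"]),
    ("https", ["auth=77e; Path=/; Secure; HttpOnly; SameSite=Lax"]),
]


def audit_all(responses):
    """Audit every response and merge the findings into one dictionary."""
    findings = {}
    for scheme, headers in responses:
        findings.update(audit_cookies(scheme, headers))
    return findings


if __name__ == "__main__":
    for name, reason in audit_all(SAMPLE_RESPONSES).items():
        print(f"{name}: {reason}")
```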
On mobile devices, there is a strong trend toward using special-purpose applications in place of using the web browser for everything. Most of these applications give no indication whether they’re using TLS or not, even though many use Web protocols (and cookies).
Many corporate users are given VPN capabilities to access their corporate networks from outside, and I recommend using those capabilities whenever using a public network, even if it’s just to access Facebook (assuming, of course, that the corporate network gives access to Facebook). But what to do on one’s personal device?
Noticing that my iPhone, iPad, and Mac all have VPN capabilities built in, I decided to figure out what can be done with that. After a little investigation, I found out that there are commercial services like WiTopia (and probably a lot of others) that provide termination for tunnels from users.
I opted instead to set up my own VPN endpoint, using the virtual private server I have been using for a few things. The story of how that’s done is a lot more detailed, and I’ll save that for another blog post in the near future. Stay tuned.
My advice is to be very careful when using open, public wireless networks because you never know who’s listening. If you’re using them much at all, strongly consider setting up a VPN. This is also yet one more reason that your home wireless network should be secured.