If you haven’t heard by now, then chances are fairly high that you’ve already been a victim without realizing it. That is, if you’ve used a public, unsecured WiFi network.
Victim of what you ask? Oh, only having your Facebook, Twitter, Amazon, and several other accounts be sidejacked by someone sitting next to you… or maybe in the parking lot… or heck, maybe even at home.
Last Sunday at the ToorCon Security Conference in San Diego, freelance software developer Eric Butler released Firesheep to the world: a Firefox extension that lets just about anyone “hack” your online accounts with relative ease.
Here’s a video that does a good job of explaining what Firesheep is and what it does courtesy of our friends at Household Hacker:
Pretty scary shit, huh? The truth is cookie hijacking is nothing new; however, the threat of this exploit has exploded with the release of Firesheep because nearly anyone can use this Firefox extension. As of the release of this article, Firesheep has already been downloaded over 500,000 times. If that’s not a wakeup call for Web sites to get serious about protecting their users’ privacy and security with the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) cryptographic protocols, then I don’t know what is.
So what can you do about this very public, very easy exploit?
Well, first of all, there’s no need to go to Traveler from Household Hacker’s personal channel because all he tells you to do is add an “s” to the end of the “http” portion of the Web address in the Web address bar of your Web browser. So if it’s Facebook, for example, you would type https://www.facebook.com in the Web address bar instead of plain old http://www.facebook.com.
Simple enough right?
The only problem with that is it won’t work on every Web site from this list here because not all Web sites have an SSL certificate. If you try that approach on a site without an SSL certificate, you’ll get an error message informing you that the page cannot be displayed.
So what do you do then?
The easiest thing is STAY OFF UNSECURED PUBLIC WiFi NETWORKS!!!
But since that may not always be possible for whatever reason, here are some solutions for you.
The easiest way to protect yourself from Firesheep is to use a free Firefox add-on that forces the Firefox browser to use an encrypted connection when accessing certain sites. There are a few out there, but we at Postmodern Moron recommend Force-TLS. It’s free and it lets you specify which sites you want to force encryption on whereas the other add-ons available only have a set list of sites.
But what about the other browsers? What about Google Chrome or IE, for example? Well, those users will have to do a little bit more work if they insist on connecting to the Internet via unsecured public WiFi.
One option for you non-Firefox users is to connect to public unsecured WiFi networks using a virtual private network (VPN). A VPN creates an encrypted tunnel for your data between your computer and the VPN provider’s server, so it stays encrypted as it crosses the WiFi network and its router. There are several VPN providers and they all charge for the service; however, this won’t solve the problem completely because once the traffic leaves the VPN’s server, your data could still be accessed by Firesheep or another tool like it. While it is highly unlikely that anyone would be sniffing that traffic, it is possible. Feel cheated??? Then use Firefox with Force-TLS if you have to use an unsecured public WiFi network.
“But won’t Mozilla put an end to Firesheep since it’s an add-on to their Firefox browser?” The short answer is no.
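To make the mechanics concrete, here is an added example (not code from the original post or from Firesheep) that models why the “add an s” tip, Force-TLS and the Secure cookie flag matter: a browser attaches any cookie lacking the Secure attribute to plain http:// requests, which is what a sniffer on open WiFi copies. The Set-Cookie headers are constructed for illustration, and the helper names are my own.

```python
"""Models session-cookie exposure over plain HTTP and the server-side fix.
Constructed sample headers; helper names are assumptions for this example."""

FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr: value or True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookies_sent_in_clear(set_cookie_headers, scheme="http"):
    """Names of cookies a browser would attach to a request over `scheme`.
    Over http:// only cookies without the Secure attribute are sent, and those
    are exactly the ones a passive sniffer on the same network can read."""
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


def harden_set_cookie(header: str) -> str:
    """Server-side fix: rebuild the header with Secure and HttpOnly present."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        out.append(FLAG_NAMES.get(key, key) if val is True else f"{key}={val}")
    return "; ".join(out)


# Header a site sends with every response so the browser stops using http:// at all.
HSTS = "Strict-Transport-Security: max-age=31536000; includeSubDomains"

# Constructed: a session cookie as a site might have set it pre-Firesheep.
WEAK = ["session_id=abc123; Path=/", "lang=en; Path=/"]

if __name__ == "__main__":
    print("sniffable over http:", cookies_sent_in_clear(WEAK))
    fixed = [harden_set_cookie(h) for h in WEAK]
    print("sniffable after fix:", cookies_sent_in_clear(fixed))
    print("also send:", HSTS)
```

Forcing https:// on the client side (the “s” trick, Force-TLS) works because the request never goes out over plain HTTP; the Secure flag and HSTS make the site enforce the same thing for every visitor.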
Have follow-up questions? Don’t hesitate to comment below.
This program looks scary. And I am leaving a comment from my iPad, even more scary :)