Short summary for the impatient: Firesheep makes it tragically easy to steal your logins to many web pages, in certain types of network environments. Follow some basic security precautions and you will be much better protected than most people.
The recently released Firesheep Firefox plugin demonstrates how simple it is to sniff logins and sessions on open, shared networks. I spent a little bit of time playing with it; it is dirt-easy to install (OSX requires a workaround when running it in combination with FileVault — the fix is to move the extension directory somewhere outside of FileVault, such as the Firefox application directory in /Applications and to create a soft link back to the extensions directory.) Although French ISPs are generally very good about providing their customers with home routers/firewalls with wireless encryption enabled by default, and it is thus pretty difficult in Paris to find open networks in comparison with other countries (except for the open access Free/O-Zone/SFR/etc. commercial ones), there are always a few. Jumping on one of these, I had someone else’s Facebook account within 3 seconds (no, I didn’t use it, not that interested in other people’s private lives.)
In short, the plugin allows even a non-technical user to open a sidebar in a browser, click on “start sniffing”, and within fractions of a second, obtain both session cookies and username/password combinations for a wide range of popular web sites (Facebook, Twitter, and Gmail, among others, are configured by default, while the plugin allows easy adding of more pages.) Sniffed accounts show up as icons on the sidebar — by clicking on one, you’re immediately logged into that user’s web account.
Taking this a step further, the (not as user-friendly, for now) Idiocy Python script (thanks to Thomas for pointing it out) automatically posts a link to this page “explaining what has happened” to a compromised Twitter account.
This is not entirely a problem of unencrypted wireless networks. Any sufficiently determined user can attack a wireless network secured with WEP or certain types of WPA. Even WPA2 may be vulnerable to brute force password cracking (standard password/passphrase best practice applies), and because WEP uses a single key shared by every user, a compromised WEP environment allows a sniffer to access traffic from all users.
Furthermore, malicious administrators with access to any sort of network choke point have access to this traffic anyway. Most users are protected from such abuse by circumstance or pure statistics:
- many (especially European) countries have extremely strict limitations on what an employer can legally do in terms of intercepting traffic
- a network administrator likely has much better things to do than sniff traffic
- any choke point handling enough data to be significant as a threat faces the above constraints, only more so
Security through obscurity is not a problem, but as has been pointed out elsewhere, if you’re in a group of people running from the bear, you don’t have to be fastest, just don’t be slowest. Generally, any sort of network encryption (yes, even WEP) is a good start, and users of mobile data services and fixed-line networks are generally not at realistic risk. WEP keys can be compromised in a few minutes under optimal conditions; using reinjection and deauthentication, enough packets can be captured reasonably quickly for this to work. I maintain, though, that an attacker faced with an unencrypted network and even a weakly encrypted one will first go for the former — but a WEP network is only as secure as the most malicious person using it (whether they got on legitimately or not.) Mr. Lakofski has a very valid point about shared WEP networks (e.g. hotels) insofar as their user base is a lot wider than a private one (which you should set to WPA2 anyway.)
Lastly, there are other, more amusing ways of collecting user data, beyond trojans, keyloggers, and this sort of thing. A really amusing bit of evil villainery would have been for Eric Butler to have actually included a password stealing trojan in Firesheep itself — thus obtaining massive numbers of unsuspecting would-be crackers’ credentials as they connect to Facebook to boast about their “exploits”. Yes, that would be illegal and bad, but still pretty funny.
Most popular websites allow SSL; Facebook, Google search, Gmail and Twitter all allow https:// connections (although in Facebook’s case, clicking on a Facebook link within the site redirects to a non-SSL page.) Other services (e.g. LinkedIn, Amazon, Plaxo, and most social news sites) redirect https:// URLs to plain text, at least for pages that do not involve entry of payment details or password changes. Still others mix SSL and non-SSL elements in their pages, which is about as good as having no SSL at all. Most modern browsers, and some older ones, display a warning when this is the case.
Widespread SSL use is a good thing. While it is computationally more expensive than cleartext, even SSL using self-signed certificates is an improvement — this is why I object strenuously to the way some browsers handle self-signed certificates; obnoxious warning messages discourage casual users from using crypto for the sake of crypto (rather than authenticating a web site.) SSL is not necessarily a fix, since a cookie not marked as ‘secure’ is still transmitted in clear text over any non-SSL request to the site. Once a user is authenticated, that cookie may be intercepted by a passive man in the middle. There is not much you can do about this, except to bug website owners / web app coders to fix the problem.
SSLStrip can also force a transmission to drop into cleartext. One fix for this is Strict Transport Security, currently supported in several browsers. FFixer also lets you force SSL (Facebook chat may not work.) Another workaround is HTTPS-Everywhere (currently Firefox 3 only).
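The two server-side fixes the previous paragraphs ask site owners for (marking session cookies Secure so they never travel over plain http, and sending Strict-Transport-Security so a browser refuses to be downgraded) are easy to check from a captured response. The script below is an added example written for this post, not code from Firesheep, SSLStrip or any of the sites named above; the header values are constructed, and the helper names and the session-cookie name heuristic are this example's own.

```python
"""Audit one HTTP response for the weaknesses discussed above:
session cookies without the Secure (and HttpOnly) flag, and a missing
or ineffective Strict-Transport-Security header.

Added example; headers below are constructed, not captured from a real site."""

import re

# Substrings that usually mark a session-carrying cookie (heuristic,
# this example's own list; extend it for the application under test).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def looks_like_session(cookie_name):
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(headers, over_https):
    """Return a list of findings for one response.

    headers: list of (name, value) pairs exactly as the server sent them.
    over_https: True when the response was fetched over TLS."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if not looks_like_session(cname):
                continue
            if "secure" not in attrs:
                findings.append(f"cookie {cname!r} lacks Secure: sent in cleartext on any http:// request")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname!r} lacks HttpOnly: readable by page scripts")
        elif lname == "strict-transport-security":
            hsts_seen = True
            # RFC 6797: a browser ignores HSTS received over plain http.
            if not over_https:
                findings.append("Strict-Transport-Security sent over plain http: browsers ignore it")
            elif not re.search(r"max-age=\d+", value, re.IGNORECASE):
                findings.append("Strict-Transport-Security has no max-age: not applied")
    if over_https and not hsts_seen:
        findings.append("no Strict-Transport-Security header: a later http:// visit can be held in cleartext (SSLStrip)")
    return findings


# Constructed sample responses: the first is how many sites shipped in 2010,
# the second is the same site with the fixes applied.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response, over_https=True) or ["ok"])
```

Feed it the headers of a real response (for example from `curl -sI https://example.invalid/`, a placeholder host) and the weak site reports the cleartext session cookie and the missing HSTS header, while the hardened one reports nothing. Note that the check deliberately complains when HSTS is only ever sent over plain http: the header has no effect there, so a site that sets it only on its http:// pages has gained nothing against SSLStrip.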
Gunnar Atli Sigurdsson of the University of Iceland has recently released FireShepherd, which floods nearby open wireless networks with packets designed to disable any Firesheep instances in range at ca. 0.5 second intervals.
Computerworld has an article about protecting against Firesheep that’s worth a look.
Update: the Blacksheep Firefox plugin seeds bogus session information to see if Firesheep is being used, then warns if it detects an attempt to hijack that session. It’s not a defense, but could be a fun toy.
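Blacksheep works from the client side, seeding a bogus session and watching for it to be replayed. A web application can apply the same idea from the server side: remember which client a session id was issued to and raise an alert when that id shows up from a different address or browser. The following is an added example for this post, not code from Blacksheep or from any site mentioned above; the class and method names are this example's own.

```python
"""Server-side session-hijack detection: bind each session id to the client it
was issued to and flag reuse from a different address or browser.

Added example; not Blacksheep's code. Sample clients below are constructed."""

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_ip: str
    ua_hash: str          # hash of the User-Agent the session was issued to
    suspicious: bool = False


class SessionMonitor:
    def __init__(self):
        self._sessions = {}   # session id -> Session
        self.alerts = []      # (session id, reason) for the ops log

    @staticmethod
    def _fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]

    def issue(self, user, client_ip, user_agent):
        """Mint an unguessable session id and record who it was given to."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, self._fingerprint(user_agent))
        return sid

    def check(self, sid, client_ip, user_agent):
        """Validate a presented session id; returns (allowed, reason).

        A session that has once been seen from a different client stays
        blocked, so the legitimate user is forced to log in again."""
        session = self._sessions.get(sid)
        if session is None:
            return False, "unknown session"
        if session.suspicious:
            return False, "session previously flagged"
        reasons = []
        if client_ip != session.client_ip:
            reasons.append(f"ip changed {session.client_ip} -> {client_ip}")
        if self._fingerprint(user_agent) != session.ua_hash:
            reasons.append("user-agent changed")
        if reasons:
            session.suspicious = True
            self.alerts.append((sid, "; ".join(reasons)))
            return False, "; ".join(reasons)
        return True, "ok"


if __name__ == "__main__":
    monitor = SessionMonitor()
    victim_ua = "Mozilla/5.0 (X11; Linux) Firefox/3.6"        # constructed
    sid = monitor.issue("alice", "10.0.0.5", victim_ua)
    print(monitor.check(sid, "10.0.0.5", victim_ua))
    # Same session id replayed from another browser on the same hotspot:
    print(monitor.check(sid, "10.0.0.5", "Mozilla/5.0 (Macintosh) Firefox/3.6"))
    print(monitor.alerts)
```

This is a detection heuristic, not a fix: on a shared hotspot everyone sits behind the same NAT address, so the IP check alone catches nothing, and the User-Agent check only fires when the replaying browser differs from the victim's. It buys an alert and a forced re-login; the Secure cookie flag and Strict-Transport-Security are what stop the cookie from being sniffed in the first place.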