Suspected PayPal Hackers Seek Deal To Stay Out Of Prison
2 Men Arrested After Teen Was Run Over For His iPad
Defend against Firesheep by surfing securely with HTTPS
The last couple of days have seen the launch and explosive proliferation of a Firefox add-on called Firesheep. It's an incredibly simple program that snoops unsecured Wi-Fi packets to grant you one-click masquerading of other users: if you log into Facebook at the local coffee shop, someone can use Firesheep to become you. Seriously, you can go along to any location with an unsecured Wi-Fi network and steal other users' accounts.Firesheep does this by 'scooping' cookies out of the air. Whenever you log into a website your name and password is only sent once -- afterwards, a stored authorization token is used. This means that if someone has your cookie they can pretend to be you -- and with unsecured wireless networks, anyone can grab your cookie.
This is a huge issue, and you have every right to be concerned -- but there is a solution!
Hopefully you've all heard about SSL and HTTPS, the encryption techniques used to secure Internet communications. The 'secure padlock' icon in your browser is most commonly found when buying things online, but most major sites also use it to secure login and registration. If you see this padlock, you are safe. If you could browse the entire Internet with that secure padlock in place then I wouldn't be writing this post.
Unfortunately, many sites redirect you to an unsecured page after you log in. Yes, your password remains secret -- but what good is that if your exposed cookie can be stolen by anyone on the same unsecured Wi-Fi network?
Fortunately, there are a few solutions for Firefox, and at least one good solution for every other browser.
The key to staying safe is by forcing every connection to use HTTPS, or to go via another connection that encrypts your communication. Almost every website has HTTPS capabilities, but because of the increased overhead that encrypted communication requires, it's often only used for logins and registering. Years ago this might not even have become an issue, but with everyone storing more and more personal information on services like Facebook and Google, and with Wi-Fi blanketing our streets and coffee shops, encryption really is required.
If you use Firefox, these add-ons should do the trick:
- HTTPS Everywhere -- this gem from the Electronic Frontier Foundation is about as good as it gets. By default it forces most popular websites to use HTTPS, and you can add your own rules for other sites. This is one of the few add-ons that I use everywhere
- Torbutton -- this solution is slightly more involved (it's for power-users), but if you want to be really secure and anonymous, the Tor network is a fantastic solution
- Force-TLS -- this is like HTTPS Everywhere, but doesn't come with a built-in dictionary of secure sites. Adding them is very easy, though
Chrome users, due to a limitation of the browser, aren't quite so lucky. There is no way to force HTTPS with an extension. You may have read elsewhere that KB SSL will help you, but it won't. Instead you need to use a secure SOCKS proxy. This isn't particularly hard, it does involve a bit of work.
- A guide for Windows users, using SpoonProxy
- A guide for Mac users, using Meerkat -- our sister site TUAW has a guide that might help, too
Ultimately, though, if you use unsecured Wi-Fi networks you will leave yourself exposed. The best solution might not be to install add-ons, but to ask your local coffee shop owner to secure his network with WPA2. The entire problem would go away if big-name websites used HTTPS across the board, too.
Comments
23
Subscribe to commentspat_boy2008Oct 27th 2010 11:26AM
This is some good info. I haven't tried it yet, but I hear that you can use this userscript (http://userscripts.org/scripts/show/29090) in Chrome and it works.
Sebastian AnthonyOct 27th 2010 11:41AM
The problem with this, as far as I can tell, is that it doesn't DIRECTLY hit the HTTPS sites. It hits the normal site, then redirects to the HTTPS version. Your cookie is still exposed.
That's the problem with KB SSL, too.
Ashutosh MishraOct 27th 2010 11:26AM
Settings up that SOCKS proxy thing isn't exactly easy, but you can get nearly same security with a VPN service. The popular ones, like VyprVPN or Astrill, are not free (still cheap at $4-6 a month), but there are some good free ones like ProXPN and Security KISS.
Sebastian AnthonyOct 27th 2010 11:38AM
Very good point! I meant to mention VPNs. They're certainly easier to use :)
Yonatan AmirOct 27th 2010 11:49AM
TOR doesn't make you at all secure, quite the contrary.
Sebastian AnthonyOct 27th 2010 1:22PM
I thought Tor was, by default, encrypted?
Yonatan AmirOct 27th 2010 2:01PM
Only inside the TOR network.
http://www.wired.com/threatlevel/2010/06/wikileaks-documents/
Sebastian AnthonyOct 27th 2010 2:53PM
Hrm... I'm fairly sure that Firefox add-on forces requests through the Tor network. Did I get it wrong? :)
Yonatan AmirOct 27th 2010 4:07PM
It does, but facebook and other sites aren't inside the TOR network, and for data to travel back and forth between the user's browser and these sites, it must pass through an exit and entry nodes, where it is encrypted and decrypted. Anyone can run these nodes, and as you can see in the Wired article, they can do with the information as they please. TOR only masks your IP address and encrypts the communication so the user's ISP can't read it, but that is of little use for the average western user.
arnobOct 27th 2010 11:59AM
yes, TOR is good for anonymity but not for security. Do not use Tor when you surf websites that need to log in (bank, mail, facebook, twitter...)
ChronRiddickOct 27th 2010 12:26PM
The real solution is for these sites to turn on full-session SSL, since there's no way the other 98% of the population is going to do this.
Matt SalerOct 27th 2010 1:09PM
"You may have read elsewhere that KB SSL will help you, but it won't."
Can you expand on that? Why won't it help?
Sebastian AnthonyOct 27th 2010 1:15PM
My first comment, up above, explains why :)
Basically, it redirects AFTER you hit the normal HTTP site. Your cookie is still exposed.
Click a link > HTTP site > KB SSL redirects > HTTPS site
It should be:
Click a link > HTTPS Everywhere add-on > HTTPS Site
Matt SalerOct 27th 2010 1:20PM
Ah, I thought that might be what you were getting at. I'd read that the others behave the same way, but that's not true?
Sebastian AnthonyOct 27th 2010 1:23PM
As far as I'm aware, that HTTPS Everywhere add-on for Firefox means that you only ever hit HTTPS sites where possible :)
b0z0dcl0wnOct 27th 2010 1:42PM
"The entire problem would go away if big-name websites used HTTPS across the board, too." - I'm sorry what about things like arpspoofing and sslstrip? User education will fix the problem.
OvenmittOct 27th 2010 7:24PM
"If you see this padlock, you are safe"
Not by a longshot. So don't be lulled into a false sense of security. If they want to make you a target, an SSL plugin is not going to help. Like others have said, use common sense when connected to public networks.
hak5.org
p0psOct 28th 2010 11:11AM
Is there a solution for iOS Safari? This is the only browser I can use when out in public WiFi areas.
Sebastian AnthonyOct 28th 2010 11:11AM
That's a good question -- I was thinking about it last night, actually.
If you can change 'proxy settings', then yes. You'd have to go through the SOCKS proxy route.
Or only use WPA2-encrypted networks :)
p0psOct 28th 2010 11:23AM
We can set up a VPN - but, I, and my friends, wouldn't know how to do it. Is there a tutorial?