Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Electronic Frontier Foundation Encryption Privacy Security The Internet Wireless Networking Your Rights Online

How To Protect Against Firesheep Attacks 208

Posted by CmdrTaco
from the oh-that-helps-sure dept.
Monday we mentioned Firesheep, a plug-in that trivializes ID spoofing on social networks. Since then various security researches have come out to suggest How to Protect Yourself against Firesheep Attacks (submitted by Batblue). Of course the advice is pretty obvious: Don't use free Wi-Fi, use SSL, or a VPN. It seems to me that the big sites should start by redirecting all non-SSL traffic to https automatically. If you want to be insecure, you'd have to explicitly state that you can't encrypt for some reason.
This discussion has been archived. No new comments can be posted.

How To Protect Against Firesheep Attacks

Comments Filter:
  • by The_mad_linguist (1019680) on Wednesday October 27, 2010 @12:17PM (#34039540)

    All you really need to do is stay out of the tall grass on Route 32. If you do have a firesheep attack, I recommend sending out a water type like wartortle.

  • slashdot's method (Score:5, Insightful)

    by Lord Ender (156273) on Wednesday October 27, 2010 @12:20PM (#34039584) Homepage

    Slashdot does the opposite. It redirects SSL connections to HTTP. They must want their users' accounts to be hijacked... and their privacy to be invaded.

    • What's "private" about anything on Slashdot?

      • Re: (Score:3, Funny)

        by astrashe (7452)

        My precious, precious karma. :)

      • by bunratty (545641)
        You don't mind the GNAA making posts using your account on Slashdot I suppose. And I'm sure future employeers will not mind when they see that stuff posted using your name when they search the Internet prior to hiring you.
      • I would prefer that my ISP, employer, etc. does not know what I post to slashdot.

      • by mcgrew (92797) *

        Your real na... oh. Well, you and I and a few others are the exceptions here.

    • by astrashe (7452)

      I was just about to make the same post.

    • There's nothing on Slashdot that really merits privacy. Something like Facebook, where people basically post intimate details of their lives, is a very different thing. What does one really gain by hijacking a Slashdot account?
      • The question should be, What damage can one really do by hijacking a Slashdot account? How easy is it for someone to post things with your name and ID that contradict what you've written and make you look bad?
        • Re: (Score:3, Funny)

          Oh the horror! You might look like an idiot on Slashdot of all places!

          In all seriousness, people should not be using Facebook in a way that could cause any damage to them if their accounts are hijacked. Facebook is a toy, and treating it like anything other than a toy is asking for trouble.
          • by cbhacking (979169)

            Did you actually think about what you said before you posted? How the hell does how somebody use Facebook in a way that there's no risk of serious damage? If I hijack your account, I can change all your privacy settings, upload all the pictures I want (they might not be your pictures, but that doesn't mena you want them on your profile), post comments, join groups, send nasty break-up letters to your girlfriend, and declare your undying love of the church of scientology in exchange for all the horrible prob

            • How the hell does how somebody use Facebook in a way that there's no risk of serious damage?

              By not choosing it as your primary communications tool? If your girlfriend thinks you are breaking up with her because of a message you sent on Facebook, then something is wrong. Seriously, I could just as easily register a Facebook account in your name, then send friend requests to all the people I want to have see your undying love for Scientology.

              The real problem is that people are taking Facebook seriously. If you receive an important-looking or surprising message on Facebook, you should request

              • using Facebook as anything other than a toy is a really stupid thing to do.

                One could say that for the whole Internet. Sadly, other people searching for your name to see what you've posted and what groups you've joined and what the timestamps are on your messages (were you posting during working hours?) may or may not comprehend that the presence of your name is not your fingerprint. Somebody was using a quote of mine from the RISKS newsletter, with my name as attribution, as their sig for a while; my name was in a LOT of places where I didn't put it. And that wasn't intended as

        • Granted, there's that. But the damage, I think, at least, is limited to /.. If your Facebook account is compromised, that puts a lot more information at the intruder's disposal.
      • by mcgrew (92797) *

        There's nothing on Slashdot that really merits privacy. Something like Facebook, where people basically post intimate details of their lives, is a very different thing.

        From NSFW: [slashdot.org]

        Tami was groaning in extasy, her huge legs wrapped around my back. I lay between her giant breasts, pumping hard, sweat drupping off our naked bodies. God but it had been so long! I was both in terrible pleasure and horribly ashamed, as Tami is married. But it had been so long I'd forgotten how good sex could be, even with a woman a

    • and their privacy to be invaded.

      So someone can read my profile and find out that I'am a 12yo girl, who really, really likes Ponies??

    • by ameline (771895)

      Yeah -- I just tried https://slashdot.org/ [slashdot.org] and got redirected to http://.../ [...]

      Not cool.

       

  • So uhm, windows and mac only?
    I thought we were supposed to be the sniffing ones!

  • by kamelkev (114875) on Wednesday October 27, 2010 @12:50PM (#34040022)

    The idea that "It seems to me that the big sites should start by redirecting all non-ssl traffic to https automatically" is very shortsighted when you consider how social networking sites actually work.

    Social networks by their very nature include cross posting of content found from around the internet. If a site is running in "SSL only" mode then you'd very quickly see intermixed SSL and non-SSL content living side by side, and this creates a disaster for the admins of any web service.

    For those who aren't familiar, modern web browsers throw up warnings whenever you intermix SSL and non-SSL content - it's been this way for years, it's a problem for anyone who accepts user generated content cross-site content.

    If someone like Facebook were to implement this policy they'd immediately get a flood of complaints about these warnings.

    SSL isn't very good protection nowdays anyway - we need something better.

    • by bunratty (545641)
      Do they throw up a warning even when all traffic to one site is SSL and all traffic to another site is non-SSL?
      • by XanC (644172)

        Whenever an HTTP element (of any kind) on an HTTPS page is loaded, a big hairy warning message pops up.

        • by bunratty (545641)
          Yes, I understand. But I was under the impression the HTTP element had to be on the same site as the HTTPS page. Is that not the case?
          • by XanC (644172)

            Had to be for what? In order to display at all? In order to get the error message?

            I believe the rule is just what I said.

          • by goofy183 (451746)

            It doesn't matter what domain the HTTP content is coming from. ANY HTTP content from ANY domain on an HTTPS page results in a warning.

            • by bunratty (545641)
              You're right. I just tested in Firefox, and it gives a warning for an image loaded using an HTTP URL from a different server than the HTTPS page. Is there a good reason? Is it to help prevent some type of XSS attack?
    • Facebook already has this as far as I can tell. There's a firefox addon that forces https whenever the site has it. It works for facebook. It just ends up disabling the chat function.

  • It's been best practice for years to use SSL for anything that requires any form of authentication, and plain HTTP for anything which is completely open and anonymous.

    • by ultranova (717540)

      It's been best practice for years to use SSL for anything that requires any form of authentication, and plain HTTP for anything which is completely open and anonymous.

      It's best practice to always use SSL whenever possible, period. After all, if the connection isn't encrypted, the user's ISP might listen in, and with all countries nowadays trying to implement their own version of Eye of Sauron, any small bit of obfuscation helps.

      And https is simply HTTP sent over SSL-encrypted connection.

      • It's best practice to always use SSL whenever possible, period.

        Which doubles the cost of hosting a personal web site. How do you plan to make the business case to hobbyists that an SSL certificate from a commercial CA and a dedicated IPv4 address* are worth the extra $50/yr on top of the $50/yr that they're already paying for a domain and budget shared web hosting?

        * Windows XP, BlackBerry, and iOS before 4 don't support the extension that allows name-based virtual hosting over SSL [wikipedia.org].

        • by bunratty (545641)
          You can get certificates from StartSSL for free. If you want to pay, they're only $10-15 per year, not $50 per year.
        • StartCom offers free x.509 certificates, and their root is trusted by Windows/IE, Mozilla, and Mac OS / Safari.

          • by tepples (727027)

            StartCom offers free x.509 certificates

            But you still need an IPv4 address to use a certificate until SNI-incapable clients disappear in three and a half more years [microsoft.com]. Once ARIN runs out of blocks to hand out to regional registries, which in turn run out of blocks to hand out to hosting providers' ISPs, watch hosting providers charge plenty extra for a hosting tier that supports SSL.

  • by fuzzyfuzzyfungus (1223518) on Wednesday October 27, 2010 @12:58PM (#34040174) Journal
    Now, firesheep is ooh scary because it makes it visible and obvious that complete strangers can jack-yo'-myspace in the coffee shop.

    This works because an open WLAN is the equivalent of an old unswitched ethernet network, with every wi-fi reciever in radio range plugged in. It can be mitigated, however, if you are VPN connected to a secure network, because your traffic will be nothing but inscrutable VPN noise, even if the site in question is sloppy.

    However, here is the part where the paranoia starts to tickle... Y'know who always has access to any traffic that isn't encrypted between you and your remote host? Your ISP. Y'know who(unless you are buying a pretty serious business class line) you've signed a ridiculously one-side contract with, one that allows them to do basically anything at any time, for any reason? Your ISP. Y'know who hates being reduced to a dumb pipe, and looks covetously at the ad money flowing through the various web companies? Your ISP(See Phorm, Nebuad, et al.). Y'know who could be, totally silently, Firesheeping every non-SSL login you make, and observing all the fun consumer data that advertisers will pay for? Your ISP...

    Forget the neckbearded script-kiddie in the coffee shop. He is trivial to work around.
    • Re: (Score:3, Insightful)

      by John Hasler (414242)

      Y'know who could be, totally silently, Firesheeping every non-SSL login you make, and observing all the fun consumer data that advertisers will pay for? Your ISP...

      So what?

    • It can be mitigated, however, if you are VPN connected to a secure network, because your traffic will be nothing but inscrutable VPN noise, even if the site in question is sloppy.

      Even with a split tunnel? And who would not be using a split tunnel these days?

  • Who dreams of fire sheep?
  • by KevMar (471257) on Wednesday October 27, 2010 @02:51PM (#34041572) Homepage Journal

    Use a switched network ....

    This is a packet sniffer. If you are on a switched network, the degree of difficulty to pull this off is much greater. it is not a solution because of other tricks like arp poisoning.

    This is nothing new, but it is good publicity to remind people how important SSL is. This addon did not change anything except now more script kiddies have access to another tool.

    • by prockcore (543967)

      arp poisoning doesn't work on wifi APs since they know the difference between LAN and WAN... and many of them don't allow LAN-to-LAN communication at all.

  • Personally I love the idea of firesheep (although it's not new...just user-friendly). That said, I can't wait for e-mail sheep, instant message sheep, sms sheep etc.pp.. I'd like to see Terrabytes of peoples conversations using any of those ways posted publicly. Ditto for voice (phone) conversations. Post it, post it and post it again. Until even the last grandma understands the realities of electronic communication and *wants* to encrypt.

    People lock their doors because they perceive of getting a benefit fr

  • ipad, touch, new air only has an Apple USB ethernet adapter as an extra. The world in some tech areas is going wifi and news like this is not good with todays low low encryption 'options'.
    Someone is going to have a lot of fun collecting all this data.
  • IMO, SSL should go away.
    Instead of SSL, new encryption for the web would appear using DNSSEC.

    Certificates would be stored in DNS. The same certification and signature that certifies that "www.blah.com" matches to "1.2.3.4" would certify that is the correct public key for www.blah.com.

    Storing certificates in DNS prevents a rogue CA issuing a certificate for a site.
    And it prevents say NSA etc getting fake certificates made up (no evidence exists to suggest this has happened but lots of suggestion that it cou

It was kinda like stuffing the wrong card in a computer, when you're stickin' those artificial stimulants in your arm. -- Dion, noted computer scientist

Working...