HTTPS Everywhere Gets Firesheep Protection
coondoggie writes "The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against 'Firesheep' and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors' log-in credentials."
And the ISP will sniff you. (Score:2, Informative)
There's no substitute for end-to-end encryption.
Re:Duh? (Score:5, Informative)
Many of the sites that Firesheep attacks use HTTPS for their login, so you don't send your credentials in the clear, but fall back to HTTP for delivery of content. The point Firesheep attempts to make is that this is not sufficient -- your unencrypted HTTP requests contain the session cookie that your encrypted login obtained. The session cookie is just as useful, as long as you make use of it "soon".
Re:Duh? (Score:2, Informative)
I've tried similar extensions, and Facebook gladly connects over HTTPS when manually instructed to, but reverts to normal HTTP on pretty much any click; this just keeps the connection on HTTPS regardless of the link target. The only downside, specifically on FB but certainly with similar problems on other sites: no chat. So there are compromises, but probably worth it.
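The "keeps the connection on HTTPS regardless of the link target" behaviour comes from rewrite rules applied before a request leaves the browser. The following is an added example, not code from the thread or from HTTPS Everywhere itself: a small JavaScript model of such a ruleset, with target hosts, a regex rewrite rule and an exclusion, run over a constructed list of links. The hostnames, the rule and the excluded chat path are assumptions chosen for illustration; the exclusion stands in for the kind of endpoint (like the chat mentioned above) that a site only serves over plain HTTP, and the output makes visible which requests would still go out unencrypted.

```javascript
// Added example (not HTTPS Everywhere's own code): a minimal model of a ruleset
// that rewrites http:// links to https:// before the request is sent, with an
// exclusion for a path that the https version of the site cannot serve.

// Hypothetical ruleset in the spirit of an HTTPS Everywhere rule file: a list of
// target hosts, regex rewrite rules, and exclusion patterns left untouched.
const RULESET = {
  targets: ['example.com', 'www.example.com'],
  rules: [
    { from: /^http:\/\/(www\.)?example\.com\//, to: 'https://www.example.com/' },
  ],
  // Constructed exclusion: pretend the chat endpoint only works over plain http,
  // which is the "no chat" trade-off mentioned in the comment above.
  exclusions: [/^http:\/\/www\.example\.com\/chat\//],
};

// Return the rewritten URL, or the original URL when the host is not a target,
// when an exclusion matches, or when no rule applies.
function rewrite(url, ruleset) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return url; // not a parseable absolute URL; leave it alone
  }
  if (!ruleset.targets.includes(host)) return url;
  if (ruleset.exclusions.some((re) => re.test(url))) return url;
  for (const rule of ruleset.rules) {
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return url;
}

// Apply the ruleset to every link a page would follow. Returns pairs so the
// caller can see which requests still leave the browser over plain http and
// would therefore carry any non-Secure cookies in the clear.
function rewriteAll(urls, ruleset) {
  return urls.map((u) => ({ original: u, final: rewrite(u, ruleset) }));
}

// Constructed list of links a page might contain after an https login.
const LINKS = [
  'http://example.com/home',
  'http://www.example.com/profile?id=42',
  'http://www.example.com/chat/',
  'http://other.example.net/',
];

// Report which links still go out over plain http after rewriting.
function stillPlainHttp(urls, ruleset) {
  return rewriteAll(urls, ruleset)
    .filter((r) => r.final.startsWith('http://'))
    .map((r) => r.final);
}

console.log(rewriteAll(LINKS, RULESET));
console.log('still plain http:', stillPlainHttp(LINKS, RULESET));
```

Two of the four constructed links are rewritten to https; the excluded chat path and the non-target host are left as they were, which is exactly where a cookie without the Secure flag would still be exposed on an open network.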
Re:Probably breaks lots of web sites (Score:5, Informative)
Actions you must take for firesheep protection (Score:3, Informative)
The 0.9.0 release of HTTPS Everywhere is a new beta version designed to offer improved protection against Firesheep. Most notably, it can provide much better protection for Facebook, Twitter and Hotmail accounts, as well as completely new protection for bit.ly, Dropbox, Amazon AWS, Evernote, Cisco and Github. Unfortunately, in order to obtain maximum Firesheep protection, especially on Facebook, you must take two extra steps:
Re:Do Not Use Unsecured Wireless (Score:2, Informative)
It's actually pretty common, and possibly even the norm.
You can't just use a pre-shared key, so you have to use WPA enterprise. (a PSK is only slightly better than open, for privacy, if everyone knows it, and not terribly useful for regulating access to the network if you only want school affiliates to use the wireless resources).
Oftentimes you can't use the more common EAP types because the authentication data isn't stored in a way that's friendly to your radius servers.
So now you have to write all sorts of documentation like "download this application that will take over your laptop's wireless card and you'll lose all your old network configs" or "Look for how your wireless card's supplicant configures EAP, and choose EAP-TLS, and then if it asks, select Verisign from the list of trusted certificate authorities." Now get this information to all the users without standing around or hiring a town crier, and hope that users actually read *and understand* the information when they don't even know if they've got a 32 or 64 bit system...
So, while it is simple for you to configure your linksys wireless network at home, it isn't nearly as easy in the real world.
Re:Do Not Use Unsecured Wireless (Score:5, Informative)
Re:Secure cookies (Score:3, Informative)
It can be done, but it's not being done - that's why this happens.
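The point in both the "Re:Duh?" comment (the session cookie obtained over an HTTPS login is resent on every plain-HTTP request) and this one ("it can be done, but it's not being done") is the Secure cookie attribute. The following is an added example, not code from the thread or from any of the sites named: a JavaScript audit that parses Set-Cookie headers, flags session-like cookies that lack the Secure flag, and models the browser rule that a Secure cookie is only attached to https requests. The header values and the cookie-name heuristic are constructed for the example.

```javascript
// Added example (not from the Slashdot thread or any site it names): audit
// Set-Cookie headers for session cookies that lack the Secure flag, and model
// which cookies a browser would attach to a plain-http request.

// Parse one Set-Cookie header value into a cookie object.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    path: '/',
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, rawVal] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && rawVal) cookie.path = rawVal.trim();
  }
  return cookie;
}

// Would the browser send this cookie on a request to `url`? Simplified scope
// rule: the path prefix must match, and a Secure cookie only travels over https.
function isSentWith(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return u.pathname.startsWith(cookie.path);
}

// Constructed heuristic: cookie names that look like session identifiers.
const SESSION_NAME = /(sess|sid|auth|token|login)/i;

// One finding per session-like cookie that would ride over plain http.
function auditSetCookie(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => SESSION_NAME.test(c.name) && !c.secure)
    .map((c) => `${c.name}: missing Secure flag; sent on http:// requests`);
}

// Constructed samples: a login response that sets the session cookie without
// Secure (the situation Firesheep relies on), and the hardened version.
const WEAK = ['sessionid=abc123; Path=/; HttpOnly', 'lang=en; Path=/'];
const HARDENED = ['sessionid=abc123; Path=/; Secure; HttpOnly', 'lang=en; Path=/'];

console.log(auditSetCookie(WEAK));     // one finding for sessionid
console.log(auditSetCookie(HARDENED)); // []
```

Note that HttpOnly on its own does nothing here: it keeps scripts from reading the cookie but still lets the browser send it over http. Only the Secure attribute (together with the site actually serving its pages over https) keeps the session identifier off an open network.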
Re:Do Not Use Unsecured Wireless (Score:2, Informative)
Enterprise or Pre-shared key WPA? Pre-shared keys are only marginally better than open, if everyone knows the key. If I know the PSK, I can force you to rekey your session; then your traffic is unencrypted to me and I can use firesheep on you.
And the fact that they use "mac-filter" leads me to think it is just PSK.
That isn't to say these mechanisms are completely worthless, but they're not super-valuable.
And I stand by my initial statement -- enterprise WPA in a university setting where you don't manage the end stations is hard.