FireSheep: How to Protect Yourself when using Public WiFi
If you’ve been keeping up to date with tech news sites, or even your local TV news, you’ve probably heard of FireSheep. There are a lot of news outlets reporting about how public WiFi is no longer safe to use, and how you should avoid using it at all costs.
So what is FireSheep? Why should you be worried? And why shouldn’t you browse your email while enjoying a coffee at a local shop anymore?
Today we’ll take a look at what FireSheep is, why it’s both good and bad, and how you can protect yourself, while still enjoying Internet on the go.
Essentially, FireSheep is an add-on to the web browser FireFox that demonstrates a serious security flaw in many (if not most) websites online.
It works by stealing what is called a “cookie” through the open wireless network, and using it to log in to an account.
While many websites offer encryption when you first type in your password to log in, most websites do not encrypt the rest of your session, leaving the cookie out in the open.
In fact, even if you are careful to not visit sites like Facebook, any website displaying a Facebook “Like” button will connect to Facebook, revealing your account to the malicious user. Once FireSheep captures your session, or cookie, it is able to trick the website into thinking it is legitimately logged in, giving the malicious user full access to your account.
According to Eric Butler, one of the creators of FireSheep, the add-on was not created as a “hacker tool” to help malicious people steal others’ account information. He claims that he created the add-on simply to demonstrate that there is something seriously wrong with the way websites handle security, and hopes that the add-on will bring more attention to the matter.
FireSheep is so simple to install and use, that it can allow anyone with a bit of motivation to hijack your online accounts.
I have heard a lot of people making the point of, “It’s just a social network, it’s not like they will have my bank account or anything.” This isn’t entirely true. Currently, FireSheep is able to capture sessions from over 25 websites, including Google (gmail) and Yahoo Mail. That means if someone tries to reset your bank account password, or any other account linked to your email address, they might be able to complete the reset and gain access to your accounts with ease.
How To Protect Yourself on Open Networks
There are many ways to protect yourself from this sort of session hijack. First of all, the add-on only works on “open” networks. This means that as long as you had to put in a password to connect to the network (using WEP, WPA, etc.) you should be safe.
Use a VPN or SOCKs Proxy
If you are not on a secure network and you absolutely must use an open network, there is still hope. While business users especially should look into using a VPN (Virtual Private Network) when logging in to an unencrypted network, there are free and paid VPNs available that anyone can sign up to use.
Without going into too much detail, a VPN pulls data through an encrypted tunnel, bypassing the local security issues.
Much like a VPN, you can use OpenSSH to create an SSH Tunnel and SOCKs Proxy to log in securely. By setting up a proxy through your home computer system, you are actually logging in from your secure home computer, and pulling the information through an encrypted tunnel.
This is quite easy to set up, and as long as you are sure your home computer is safe and secure, it is an easy way to encrypt your connection from anywhere.
Force Sites to use Secure SSL
You can also force websites to use secure connections throughout the site, (as they should be,) making FireSheep useless. Some sites support this feature with a quick settings update (such as gmail,) while other websites may support using a secure connection, but not offer it as an option.
Firefox users can use certain add-ons to force the use of a secure connection. The Electronic Frontier Foundation offers up an add-on called HTTPS Everywhere which will force HTTPS on all sites that support it, and Sid Stamm has created one called Force TLS that will allow you to manually specify sites to encrypt.
Use a Private WiFi HotSpot
Finally, why not try ditching the public hotspot altogether and making your own? Many cell phone service providers offer some sort of personal WiFi service that you can use to connect to the Internet securely.
AT&T offers LaptopConnect, Verizon offers Mobile Hotspots, and T-Mobile offers Laptop Sticks. On some phones, such as many Android-based phones (and jailbroken iPhones), you can even use an app to create a personal WiFi connection; just be sure to check with your provider to be sure it’s allowed. If you do decide to go this route, remember to create an encrypted WiFi connection or you’ll run the same risk as before, if you create an open connection.
If you absolutely can’t use something more secure, like a VPN, Proxy, or secure HotSpot, your best bet would have to be using Private Browsing along with the HTTPS Anywhere add-on. You want to be sure that any time you are using an open network, that your sessions are completely encrypted.
Remember: even if you are on an encrypted website, just one unencrypted page visit is all FireSheep needs to hijack your session.
Can FireSheep Be Detected?
Yes! By using an add-on called BlackSheep, you can effectively test to see if anyone is currently using FireSheep on an open network. The add-on works by injecting fake session information at an interval, and monitoring the traffic to see if it has been hijacked, displaying a message to you if it has.
While this will work to detect FireSheep, it is important to note that BlackSheep is not a protection method, as it does nothing to stop the person from accessing your data.
If you plan to install BlackSheep, note that it uses a heavy portion of FireSheep’s code-base, so they cannot be installed on the same FireFox profile. If you need to have both installed, you will need to create a separate profile for each add-on.
The Future of Public Wifi
I believe FireSheep may bring in a new age of security awareness. With Facebook in the spotlight after various security breaches and concerns, and identity theft on the rise, it is up to businesses and website owners to stepup and offer completely secure connections throughout their websites.
While the use of secure protocols can tax server hardware, it is a necessity that has been long overlooked (or ignored.) If it comes down to it, perhaps a new method of security will need to be created to meet the demands of consumers, and server administrators.
What do you think about the future of security, or the borderline black-hat tool FireSheep? Let me know in the comments section below.