It just got a whole lot friendlier and easier for little Johnny to sniff an unencrypted wireless network and use the data he finds. In other words, he can pretend to be you.

For those of you who didn't realize that this was possible, shame on you, this is nothing new.

http://codebutler.com/firesheep


I am actually amazed it took this long for something like this to happen, should be fun reading the news for a few days.

10/25/2010 1:29:06 AM

This helps mitigate its effects: https://www.eff.org/https-everywhere

10/25/2010 1:59:14 AM

Yeah, we should start using VPNs because someone wrote a new Firefox extension to exploit an old security issue.

How about we just turn on wireless encryption, smartass?

10/25/2010 8:24:47 AM

Quote :

"How about we just turn on wireless encryption, smartass?"

are you able to enable wireless encryption on public wireless networks, smartass?

10/25/2010 8:36:04 AM

Provided they haven't changed the router's default username and password, yes. But more to the point, I don't be authenticating on strange networks to begin with.

10/25/2010 8:41:06 AM

^^ NCSU is the first one that comes to mind.

Hell the CSC dept does it legally. They have papers signed with the university to sniff all traffic in EB2. I know others that have done it elsewhere on campus.

10/25/2010 9:52:29 AM

Quote :

"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

Anyone who uses an open AP should be aware of the risks.


The purpose of this plugin is not to expose that risk, it's to urge sites to start using SSL and https like they should have been doing from the start

10/25/2010 10:22:16 AM

so i guess it would be consider amoral of me to start using this in public places for shits and giggles?

10/25/2010 10:56:03 AM

It would be immoral.

Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out.

[Edited on October 25, 2010 at 11:23 AM. Reason : BEBEBEBEBEBEBEBEBE]

10/25/2010 11:23:17 AM

http://techcrunch.com/2010/10/25/firesheep/

10/25/2010 11:25:09 AM

haahahhaa - this is awesome. I'm definitely trying this at church to see what the youth are up to sunday morning

[Edited on October 25, 2010 at 12:18 PM. Reason : and did someone check the source code? It'd be REALLY funny if this was a virus. lol]

10/25/2010 12:16:40 PM

would this work over a LAN? (if ran on the dns server)

10/25/2010 12:55:35 PM

Quote :

"Although, if your intent is simply to be amusing or put messages on their computers along the lines of "seriously, I could have destroyed your life, be thankful I'm not an asshole and get better security for your laptop" it'd probably balance out."

that's more of what i was thinking...something like this as a facebook status:

"D'oh! My account has been hijacked! Changing my password won't help. Read more at http://codebutler.com/firesheep. You could be next!"

10/25/2010 1:14:30 PM

any good easy how-to's to set up and use a VPN?

10/25/2010 2:36:44 PM

is it illegal to track ANY cookies on your own network, regardless of who is connected, even if you suspect someone else is using it without permission?

10/25/2010 3:13:49 PM

hamachi & squid if you want to use your home internet

or you can use something like Tor

10/25/2010 3:14:23 PM

^^While I dont diss them, If you can get a home server box with win 2k3 or 2k8 its really easy to use them as well.

10/25/2010 4:19:36 PM

how the fuck does ssl or https help on an un-encrypted wireless network? the same guy sniffing your traffic to facebook is sniffing the key exchange in the first place, making ssl just as trivial. disabling broadcast and end to end encryption are the only things that are gonna help on public wifi

10/25/2010 7:15:39 PM

The handshake includes a random number that's generated using the site's certificate (their public key) that can only be decrypted using the site's private key to establish the encryption formula for the rest of the conversation.

Unless they have the site's private key, I'm not sure how they're going to break the SSL session. To my knowledge, there is no "key exchange". The client and the server generate their keys independently based off of this random number which can only be decrypted by the site's private key.

[Edited on October 26, 2010 at 9:01 AM. Reason : .]

10/26/2010 8:57:52 AM

if your site's cert isn't a root cert that you already have stored locally, how can you verify that the cert you're receiving is legit? you could be receiving a forged cert from a MITM party.

basis:
http://forums.devshed.com/security-and-cryptography-17/ssl-man-in-the-middle-attack-86557.html
theory on how it could be used (chinese gov't did some of this):
http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
tool to do it with:
http://crypto.stanford.edu/ssl-mitm/

10/26/2010 9:41:25 AM

Getting MITM'd has nothing to do with the encryption strength of TSL and the difficulty of putting a 3rd party proxy on a public connection shouldn't be called 'trivial'. I suppose you could make a van, park it next to a starbucks, name the connection something very similar to their SSID, hope they don't use some other sort of authentication (I don't know if starbucks uses access cards or something) that would tip you off as a fake and trick people into using your connection instead of starbucks.

This is like saying SSL is trivial because you could get a virus that modifies your HOSTS file and routes you to a fake Bank of America page.

I do welcome the discussion however, and learning about new ways assholes work to break our stuff.

Or I suppose you could capture some traffic, spoof the site's ip...but then the client would become confused by receiving 2 sessions back and probably break the session anyway, so I'm not sure it would work like it does in movies. I think you'd have to compromise either the client's machine (in which case it's over no matter what encryption you use) or trick them into using your network.

[Edited on October 26, 2010 at 11:04 AM. Reason : .]

10/26/2010 11:01:50 AM

The easiest, is to install DD-WRT on your wireless router and use the built-in basic VPN or more advanced OpenVPN server.

http://www.dd-wrt.com/wiki/index.php/VPN

http://www.dd-wrt.com/wiki/index.php/OpenVPN

Then configure your computer to use your new VPN. Done.

Also, if Tomato is your flavor, it looks like there might be a usable VPN build as well. I never used it so YMMV:

http://tomatovpn.keithmoyer.com/


[Edited on October 26, 2010 at 12:26 PM. Reason : .]

10/26/2010 12:22:58 PM

http://modernerd.com/post/1407610448/solved-protect-yourself-on-public-wi-fi-networks

$55 a year? i don't know if it's worth that much to me...

10/26/2010 1:31:41 PM

So why hasn't anyone posted about the fun had with this add-on?

10/26/2010 1:42:54 PM

Correct me if I'm wrong, but it's not the VPN that makes you safe is it? Doesn't it depend on the protocol?

10/26/2010 2:47:16 PM

Sure, it's a two-part solution.

Even with a VPN direct to your home's internet connection, your data is still vulnerable to sniffing. But it's much harder for someone to sniff the internet traffic leaving your house, than say, the unsecured Wi-Fi at Starbucks, or on a college campus like NCSU where the wireless packets are broadcast in the clear and available for anyone to capture and analyze.

So, using a VPN when using a public Wi-Fi is what you do to prevent public sniffing ... while enabling (or forcing) SSL/HTTPS connections is the security responsibility of the web server in order to actually fix the problem being exploited by Firesheep.


Edit: To further answer your question about protocol, using a VPN will allow you to tunnel ALL your traffic through a secure pipe to your home, effectively removing any possibility that your public Wi-Fi communications can be sniffed.

[Edited on October 26, 2010 at 2:54 PM. Reason : .]

10/26/2010 2:53:40 PM

When you VPN, all traffic is encrypted between you and your computer and then whatever between your computer and the site.

It's still "unsafe" but it's much less likely to be someone grabbing your packets between your home and the site. For one, it's not a wireless connection at that point.

Facebook's problem is they're not actually using SSL for all traffic and are including authentication cookies in plaintext. They suck.

[Edited on October 26, 2010 at 2:56 PM. Reason : it's]

10/26/2010 2:53:42 PM

We were stealing and editing cookies like 3 years ago on campusblender.com.

Someone finally made a script kiddie app for it.





Today, we are all hax0rs.

10/26/2010 3:24:20 PM

^^^not entirely true.

If you use GRE or L2TP for tunneling (without PPTP or IPSec) those are plaintext tunnels to VPN and not secure. My point is in theory it's all about the protocol, not the VPN itself that makes it secure.

i assume though all Windows machines default to PPTP?

[Edited on October 26, 2010 at 3:29 PM. Reason : .]

10/26/2010 3:25:47 PM

Like I said ...

http://codebutler.com/firesheep-a-day-later

Quote :

"Since being released just over a day ago, Firesheep has been downloaded over 129,000 times. Firesheep has consistently been one (if not more) of the “Top Tweets” on Twitter, on top of Hacker News, was at one point the #10 trending search on Google in the US, and is the second suggestion on Bing when you start typing “fire”."

His new blog post also details lots of useful information about what you should and shouldn't do to protect yourself. Tor is definitely on the "do not use" list. VPN is on the list, but only because it doesn't solve the HTTPS issue, it just solves the unencrypted Wi-Fi issue. Definitely check out the extensions he points out, they are a good start, but the responsibility is ultimately in the hands of the web server administrators.

Good read.


Edit: ^Of course, but who would use an unencrypted VPN? Seems kind of pointless.

[Edited on October 26, 2010 at 3:27 PM. Reason : .]

10/26/2010 3:25:59 PM

i wasn't saying they would, i'm just saying it's not the VPN itself, that's all i was trying to clarify. i know what a VPN is and does, and maybe it was a silly question if VPN software automatically encrypts the traffic

[Edited on October 26, 2010 at 3:49 PM. Reason : .]

10/26/2010 3:30:37 PM

With the VPN bit, this is a prime thing here at NCSU. NCSU's VPN is open to all vpn.ncsu.edu, that said it only secures ncsu applications and traffic. It uses split tunnel, so all net traffic is sent unencrypted.

10/26/2010 7:24:46 PM

firesheep in the title would have helped

i just found out about this though
https://vpn.ncsu.edu/

your school business will be protected, but all web traffic goes straight out

10/26/2010 7:28:07 PM

^ me and you were just in the same meeting

10/26/2010 7:58:52 PM

ya know i finally got around to checking out openvpn b/c of this and this is pretty funny

http://www.openvpn.net/index.php/open-source/downloads.html

OpenVPN 2.1.3 -- released on 2010.08.27
OpenVPN 2.0.9 -- released on 2006.10.01

10/28/2010 1:19:10 PM

i went to a starbucks yesterday and started trying this but the whole setup just took longer than i had. anyone else tried it?

also, this. http://blogs.forbes.com/andygreenberg/2010/10/28/how-to-screw-with-firesheep-snoops-try-fireshepherd/

i'm going back today and trying both. if i see anyone throw his arms up in frustration after i start fireShepherd, i swear i will go put visine in his drink or something...

10/29/2010 6:06:01 AM

hah.

10/29/2010 7:17:08 AM

http://www.fastcompany.com/1698627/firesheep-idiocy-privacy-facebook-twitter-google-foursquare-eric-butler-wifi

Idiocy = twitter cookie jacker to send a tweet under that account showing the victim is an idiot

wow, this isn't going to blow over anytime soon, is it?

10/29/2010 9:42:46 AM

^Nope, I'll go make some fresh popcorn.

10/29/2010 10:16:53 AM

ok so i tried setting up openvpn yesterday. it was hard i thought it was gonna be easy, installation wizard that set up most stuff for me

anybody got any pointers or know of a good tutorial?

10/29/2010 10:23:41 AM

I'm assuming you are not using OpenVPN provided by DD-WRT or Tomato? In that case, here are a couple sites that seem to have correct information for setting up your own server and clients:

http://openmaniak.com/openvpn_tutorial.php

http://www.wi-fiplanet.com/tutorials/article.php/3831021/How-to-Run-OpenVPN-on-Windows-Mac-and-LinuxUnix.htm

10/29/2010 2:06:24 PM

yeah i've got a standard WRT310N, no tomato (though that's another thing i've been meaning to try)

thx for the links, i think i found that 2nd one on google yesterday. i'll try it again later, was just surprised at how many manual steps were required

[Edited on October 29, 2010 at 2:08 PM. Reason : .]

10/29/2010 2:07:49 PM

I have DD-WRT

OpenVPN is in my interests

10/29/2010 8:26:25 PM

For anyone that uses Giganews, they're offering VyperVPN from Golden Frog for an additional 5.00 if you upgrade to their Diamond package by December 31st.

They have US servers for those out of the country that want to watch hulu/cnn/abc/etc or if you want to bypass your ISP's QoS implementation. And they also have an EU server for Spotify and BBC streams. I can max out 16Mb/1.5Mb while connected.

11/8/2010 7:53:38 AM

http://lifehacker.com/5684348/blacksheep-alerts-you-when-networking-sniffing-tool-firesheep-is-active

http://www.zscaler.com/blacksheep.html

11/8/2010 3:45:24 PM

Ars Technica did a good follow up on this.

http://arstechnica.com/security/news/2010/11/researcher-free-wifi-should-use-free-password-to-protect-users.ars?comments=1#comments-bar

Still doesnt fix the base issue and just makes "secure" networks as usefuluseless as open networks. I have a friend that already proved this as he tested firesheep on a wpa network and still got it to work (more sucessfully than on an open network actually which we found funny).

11/10/2010 5:30:16 PM