Thursday, 28 October 2010

Defend against Firesheep by surfing securely with HTTPS


Firesheep Sucks, DeviantArt user MyBlackSheep

The last couple of days have seen the launch and explosive proliferation of a Firefox add-on called Firesheep. It's an incredibly simple program that snoops unsecured Wi-Fi packets to grant you one-click masquerading of other users: if you log into Facebook at the local coffee shop, someone can use Firesheep to become you. Seriously, you can go along to any location with an unsecured Wi-Fi network and steal other users' accounts.




Firesheep does this by 'scooping' cookies out of the air. Whenever you log into a website your name and password are only sent once -- afterwards, a stored authorization token is used. This means that if someone has your cookie they can pretend to be you -- and with unsecured wireless networks, anyone can grab your cookie.



This is a huge issue, and you have every right to be concerned -- but there is a solution!



Hopefully you've all heard about SSL and HTTPS, the encryption techniques used to secure Internet communications. The 'secure padlock' icon in your browser is most commonly found when buying things online, but most major sites also use it to secure login and registration. If you see this padlock, you are safe. If you could browse the entire Internet with that secure padlock in place then I wouldn't be writing this post.




Unfortunately, many sites redirect you to an unsecured page after you log in. Yes, your password remains secret -- but what good is that if your exposed cookie can be stolen by anyone on the same unsecured Wi-Fi network?
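
To make that concrete, here is an added example (not part of the original post) that replays a constructed login flow and reports which cookies would cross the network unencrypted. The host social.example, the cookie names and the single-host simplification (no Domain/Path matching) are assumptions; it relies on the standard cookie Secure attribute, which tells the browser to send a cookie only over HTTPS.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample flows: (request URL, Set-Cookie header values in the response).
# SAMPLE_FLOW logs in over HTTPS, then lands on a plain-HTTP page.
SAMPLE_FLOW = [
    ("https://social.example/login",
     ["session=abc123; Path=/; HttpOnly", "csrf=xyz; Path=/; Secure"]),
    ("http://social.example/home", ["lang=en; Path=/"]),
]
# HARDENED_FLOW stays on HTTPS and marks every cookie Secure.
HARDENED_FLOW = [
    ("https://social.example/login",
     ["session=abc123; Path=/; HttpOnly; Secure", "csrf=xyz; Path=/; Secure"]),
    ("https://social.example/home", ["lang=en; Path=/; Secure"]),
]


def cookies_exposed(flow):
    """Return sorted names of cookies that would be visible on an open network.

    Assumption: every URL in the flow belongs to one host, so all stored
    cookies match every request (Domain and Path rules are not modelled).
    """
    jar = {}         # cookie name -> True if it carries the Secure attribute
    exposed = set()
    for url, set_cookie_headers in flow:
        plain_http = urlsplit(url).scheme == "http"
        if plain_http:
            # The browser attaches every non-Secure cookie to this request.
            exposed.update(name for name, secure in jar.items() if not secure)
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
                if plain_http:
                    # A cookie set by an HTTP response is itself sent in the clear.
                    exposed.add(name)
    return sorted(exposed)


if __name__ == "__main__":
    print("login then HTTP page:", cookies_exposed(SAMPLE_FLOW))
    print("HTTPS throughout:    ", cookies_exposed(HARDENED_FLOW))
```

The first flow reports the session cookie as exposed even though the password itself only ever travelled over HTTPS.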



Fortunately, there are a few solutions for Firefox, and at least one good solution for every other browser.


The key to staying safe is forcing every connection to use HTTPS, or to go via another connection that encrypts your communication. Almost every website has HTTPS capabilities, but because of the increased overhead that encrypted communication requires, it's often only used for logins and registering. Years ago this might not even have become an issue, but with everyone storing more and more personal information on services like Facebook and Google, and with Wi-Fi blanketing our streets and coffee shops, encryption really is required.







If you use Firefox, these add-ons should do the trick:

  • HTTPS Everywhere -- this gem from the Electronic Frontier Foundation is about as good as it gets. By default it forces most popular websites to use HTTPS, and you can add your own rules for other sites. This is one of the few add-ons that I use everywhere.

  • Torbutton -- this solution is slightly more involved (it's for power-users), but if you want to be really secure and anonymous, the Tor network is a fantastic solution.

  • Force-TLS -- this is like HTTPS Everywhere, but doesn't come with a built-in dictionary of secure sites. Adding them is very easy, though.







Chrome users, due to a limitation of the browser, aren't quite so lucky. There is no way to force HTTPS with an extension. You may have read elsewhere that KB SSL will help you, but it won't. Instead you need to use a secure SOCKS proxy. This isn't particularly hard, but it does involve a bit of work.


Opera and Internet Explorer users: you too will need to use a SOCKS proxy; just follow one of the guides above.




Ultimately, though, if you use unsecured Wi-Fi networks you will leave yourself exposed. The best solution might not be to install add-ons, but to ask your local coffee shop owner to secure his network with WPA2. The entire problem would go away if big-name websites used HTTPS across the board, too.

