Firesheep should get your ATTENTION: Open Public Wifi Dangers are REAL

This may be the most important post you’ll read on my blog from a personal, digital security standpoint. If you use ANY website today which requires a login but does NOT use a “persistent https” secure connection thereafter, you’re at MAJOR risk of having your account(s) hacked if you use open, wifi hotspots in coffee shops or other locations. Yes, this means Facebook, at least for now until they FINALLY deploy persistent https. This danger is real, this is not a “Chicken Little” story, and in this post I’ll explain why. The bottom line for me is, I’m now using a commercial VPN service (Astrill) whenever I’m connecting my laptop on any type of network (a wired hotel connection or a public wifi connection) other than one I own at my house, or via my 3G AT&T network connection. I want to thank James Deaton (@jed on Twitter) for alerting me to this risk demonstration (Firesheep) at OpenBeta5 last week in Oklahoma City.

For a more in-depth, geeker explanation of the problem which Firesheep exploits and dramatically demonstrates, read Glenn Fleishman’s October 28, 2010, article for BoingBoing, “Liar, Liar, Sheep on Fire.” I’ll begin with a visual illustration. After installing the free FireFox extension FireSheep this evening at a local coffee shop, I was immediately able to gain access to the Facebook accounts, WordPress blog administrative dashboards, and other SUPPOSEDLY private, secure profiles of the following web users on different sites:

I am not a hacker, I’d classify myself as a “medio picante” geek… So how did I do this? The reason is Firesheep: A simple, easily installed FireFox extension which allows ANYONE to gain this kind of access on a shared Internet connection…. Not just black hats, white hats, or script kiddies. MANY websites, including Facebook today, do NOT use a “persistent https” connection after users login. This means the browser address changes to “https” and creates a secure “tunnel” during the login process, but thereafter users’ browsers return to a “http” unsecure connection while a “browser cookie” is set to maintain the login. When using a common router, as users do in most coffee shops and other locations where open, unsecured wireless connectivity is provided, those browser cookies are essentially “shouted out loud” for anyone to read / hear / copy / use. Eric Butler, a freelance web application and software developer in Seattle, Washington, released FireSheep on October 24, 2010, at the Toorcon12 conference in San Diego as a free, open source plug-in for the FireFox browser to demonstrate this security vulnerability and its seriousness. Eric got my attention, and he should get yours too.

I’ve read and heard about the dangers of open wifi connections for years, but until seeing FireSheep in action myself, I wasn’t a believer. Now I am. When I was in Shanghai, China, in September 2010, I utilized Astrill to bypass the Chinese content filters and gain access to sites like Twitter, Diigo, Google Sites, and other web destinations I regularly use for my work as an educational consultant. I’ve read about how hackers (and even script kiddies) can use software programs like Ethereal and “Winsock Packet Editor” to view userids and passwords sent “in the clear” over http connections. I didn’t realize the process could be so easy and straightforward as Firesheep makes it, however. The release of Firesheep onto the world stage means something very important for all of us: We should NOT assume our Internet “sessions” (website logins) are secure or private when we are using most public / shared wifi or wired Internet connections.

Glenn Fleishman includes a variety of suggestions in his article on Firesheep for what “we” should do to protect ourselves from this acknowledged and pervasive web vulnerability. I’ll highlight a few of these.

SUGGESTION #1: AVOID LOGINS ON UNSECURE NETWORKS

His first suggestion is one we all should implement immediately: “Engage in no unsecured Web logins when working on an untrusted network, public or otherwise.” This means we should log OUT of all websites for which we’ve “saved our passwords” in all the web browsers we use or have open on our computers, when we’re on an unsecured network connection, and NOT login to them unless we use a VPN.

Translated into plainer language, this means: Don’t use Facebook EVER at a coffee shop, unless you’re taking geeky precautions. (Using a VPN.)

SUGGESTION #2: USE HTTPS EVERYWHERE WITH FIREFOX

HTTPS Everywhere is another free plugin for FireFox, but it’s designed to keep you more secure online. For websites which permit https / secure connections, the plugin FORCES the website to use those https “tunnels” so your web traffic stays secure and confidential. I prefer using the Google Chrome browser over FireFox in most cases, so this suggestion isn’t one that will help me a great deal. I have installed it on my FireFox browser, however, so it will be an option for me if I forget or don’t renew my VPN.

SUGGESTION #3: USE A VPN SERVICE

A VPN is a “virtual private network,” and VPN connections are used frequently by business travelers to connect back to their home / small business / corporate office to securely access web applications. At one time, people who wanted to use a VPN connection had to purchase and configure hardware to which they connected their laptop(s) when away from the office. Today, however, a variety of commercial options are available which provide VPN services on a monthly or annual basis. I had very good experiences with Astrill in September when I was in China, connecting via my laptop, iPhone, and iPad, so I decided to activate a three month plan with them today for $20. I figure I’ll give this a try, and if something better comes along I’ll switch in three months.

Astrill does NOT require users to download anything on an iPhone or iPad to use the service. Instead, you simply configure your VPN connection with the server address and login credentials for your account.  On a laptop computer, however, Astrill provides a downloadable client application which you use to connect to the service when you want VPN tunneling.

CONCLUSIONS

I wrote the post “Wireless and hotel Internet security” back in December 2005, after listening to a Security Now podcast about hacking, packet sniffers and VPNs. I didn’t take the inconvenient steps at the time, or until today, of actually paying for and using a VPN connection on unsecured network connections. After seeing Firesheep in action before my eyes tonight, however, I’m a believer and am changing my web surfing ways on unsecured networks. I’d encourage you to do the same, and share this information with others.

Even though web services like GMail DO use persistent https connections, once you are logged into Google their “cookie” is set in your browser and allows other Google web services which do NOT (currently) use https to be accessed by others using methods like Firesheep. My best advice is: When you’re on an unsecured network, assume you’re being packet sniffed. It’s simply too easy for people to do it now, and the costs to your online digital footprint as well as relationships (face-to-face as well as virtual) could be very high if someone chooses to hack your cookies.

If you choose to give Astrill a try, please use this link which includes my “affiliate” code. It won’t make a difference in terms of your costs, but my account will receive some credit… and I’ll consider that a “thank you” for this very important security “heads up.”

Posted via email from wesley fryer’s posterous