How Do You Know If You Have Been FireSheeped?
The simple answer is, you don’t. When sidejacking occurs, the attacker simply gets hold of the user’s cookie and is thus able to use the site as if the account were his or her own. Even a FireSheep user is not exempt from becoming a victim, and neither are users of portable devices such as the iPad, as long as they are operating on an open wireless network.
Is FireSheep Illegal?
Probably not. There are quite a few arguments for and against the legality of using FireSheep or similar sidejacking tools, particularly in relation to building the add-on and its download and use by the general public. For example, Article 6 of the Council of Europe’s Convention on Cybercrime obliges member states to have legislation against the misuse of devices. Thus, intercepting data (a cookie) without the user’s consent could be interpreted by some as computer misuse. Some in the U.S. have also argued that the creation and distribution of FireSheep could be wire-tapping, which may be a criminal offense under U.S. law.
However, on the other side of the coin are those who stress the importance of intent when considering whether or not FireSheep is legal. According to its developer, FireSheep was released in order to educate users and encourage more Websites to use full end-to-end encryption, such as HTTPS or SSL, for logins. The add-on is therefore expected to highlight the lack of security surrounding existing user-login systems and cookies that are used on popular Websites. This argument appears to be a valid one because it is already a well known fact that cookies sent over insecure network connections can be easily captured and used by hackers via HTTP session hijacking. What the FireSheep extension does is only to educate Internet users by making it simple to do so, in a bid to persuade major Websites to create secure SSL connections between the server and user at all stages after logging in.
How Do You Protect Yourself From FireSheep?
Internet security experts have suggested various ways of protecting oneself against FireSheep and similar attacks. Some of the most popular methods are highlighted below.
- FireShepherd: While there are plenty of tools that offer protection against sidejacking, an engineering student at the University of Iceland, Gunnar Atli Sigurdsson, designed a desktop program that can periodically jam the local wireless network by using a string of random characters that will instantly crash FireSheep. Sigurdsson is quoted as saying that FireShepherd “pretty much floods the wireless network with packets that crush FireSheep and turns it off”.
- Firefox Plug-ins: Alternatively, there are various free Firefox plugins that can be used to encrypt your traffic. Examples include the HTTPS Everywhere Firefox extension and Force-TLS, which force popular sites to send data via the more secure HTTPS protocol.
- Set up SSH SOCKS proxy: By using a simple SSH command, one can encrypt all Web browsing traffic and redirect it through a trusted computer. Once the proxy is up and running, Firefox has to be configured to use it in the Network tab of the Tools > Options > Advanced section.
- Avoid using public hotspots or WiFi networks altogether: This option, however, appears to be a bit of an over-reaction because the vulnerability is due to a lack of security from the Websites concerned rather than the WiFi network.
- Use a virtual private network (VPN): There are a good number of private VPN service providers that could be used when connecting to public WiFi networks, some of which are available for as little as $5 per month. Examples include Strong VPN, Road Warrior VPN and F-Secure.
- Connect through a MiFi device: This option is arguably the most expensive. For example, Verizon is reported to give away the hardware, but it charges between $40 and $60 per month for access to its 3G network in America.
- Use Strict Transport Security (STS): HTTP Strict Transport Security (HSTS) is still a relatively new security feature that is starting to appear in some Internet browsers. It automatically forces the browser to make a secure connection with every Web page that supports SSL encryption. The HSTS policy is currently supported in Chrome 4, while Firefox intends to adopt it in its next release.
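The server-side half of the cookie and HSTS points above can be checked from a site's response headers. The following Python sketch is an added example, not code from FireSheep or any tool named here: it lists cookies set without the Secure attribute (the ones a browser will also send over plain HTTP) and parses the HSTS policy. The function names and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie

def parse_hsts(value):
    """Return the HSTS policy from a Strict-Transport-Security value, or None."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None          # malformed max-age: header is ignored
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    # max-age is mandatory, and max-age=0 tells the browser to drop the policy.
    return policy if policy["max_age"] else None

def audit_response(scheme, headers):
    """Audit one response given its scheme and a list of (name, value) headers."""
    exposed, hsts = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            # Without the Secure attribute the browser also sends the cookie
            # over plain HTTP, where anyone on an open network can read it.
            exposed += [key for key, morsel in jar.items() if not morsel["secure"]]
        elif name.lower() == "strict-transport-security" and scheme == "https":
            # Browsers ignore this header when it arrives over plain HTTP.
            hsts = parse_hsts(value)
    return {"exposed_cookies": exposed, "hsts": hsts}

# Constructed sample responses (not captured from any real site).
WEAK = [("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly")]
HARDENED = [
    ("Set-Cookie", "session=3f9a1c; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https", hdrs))
```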
Unfortunately, with over half a million downloads made already, one cannot guarantee that the tool will not be misused. Although Mozilla has a blocklist mechanism that can be used to remove illegal and potentially dangerous Firefox add-ons from its database, it appears that the organisation will not use it in this case. Thus, users can only hope that the likes of Twitter and Facebook will soon configure their Websites to use end-to-end encryption so as to prevent further harvesting of information from insecure WiFi networks.
Is the development and subsequent release of FireSheep the best way to raise awareness of security issues and highlight the apparent lack of full encryption on popular Websites? What impact will it have on your browsing habits, if any?