Firesheep panic

There seems to be a general panic and a blogstorm in the user community after the publishing of Firesheep, a simple to use Firefox extension, that you can install in minutes and that can be used to “sidejack” accounts by sniffing for cookies on popular websites like Google, Facebook etc. on open WiFi.

Whats the big fuzz? Everyone has worked hard for many years to ignore the warning message you get when connecting to open WiFI network …”Your are connected to an open network and your information may be visible to others..” or similar. The new thing is probably that Toorcon now has shown that even my grandmother can hijack someones account – the threat cannot be ignored anymore. So, if you absolutely need to be on an open uncontrolled WiFi get your SSL or VPN solution working. I guess WPA/WEP gives you some protection if you can rely on that only “the good guys” have the key ;-).

The discussion whether Firesheep is illegal is of course ridiculous – I think by openly publishing the software to anyone, Toorcon does us  a great service exposing threats that where always there. However, I think that there could be people out there prepared to do nasty stuff with this tool…

Some Swedish blogs on how to protect your sessions on open WiFi

About Jens Zander

Professor Jens Zander is professor in Radio Communication Systems at the Royal Institute of Technology, Stockholm, Sweden. He has been among the few in Swedens Ny Teknik magazine's annual list of influential people in ICT that have been given the epithet “Mobile Guru”. He is one of the leading researchers in mobile communication and is the Scientific director of the industry/academia collaboration center Wireless@KTH. His research group focuses on three main areas – the efficient and scalable use of the radio frequency spectrum, economic aspects of mobile systems and application and energy efficiency in future wireless infrastructures.
This entry was posted in Security. Bookmark the permalink.

6 Responses to Firesheep panic

  1. Islam says:

    I read the Wireless communications security (Imai, Hideki) book, and I felt safe from the complex algorithms they used to make the wireless network secure, but tools like firesheep, vanishing my safe from most Wifi spots, I never imagine it would be that easy …….

  2. Bjørn says:

    What about activating MAC adress control in your access point. Wouldnt that inhibit the loophole of cracked WPA/WEP codes ?

    • Jens Zander says:

      @Björn: Definitely. I guess the main problem was NOT your home AP where you can have your own WPA encryption, but but in public networks where you do not have MAC layer control.

  3. Jens Zander says:

    A recommendation is to use “HTTPS Everywhere” plugin for Firefox. Download in seconds from https://www.eff.org/https-everywhere. The browser will then connect to the encrypted version of the sites, when available. Works nice with most standard apps like Facebook, Google etc (although some of the functions may not be available encrypted). If you feel safe and want all functions, you may just disable the plugin temporarily.

  4. Maria Hägglöf says:

    Facebook doesn’t support https more than during the login procedure, at the next klick you do it falls back to ordinary http.

    Btw, for us Chrome users I recommend KB SSL Enforcer https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof

  5. Jens Zander says:

    My Firefox seems to keep the https connection to FB at all times – the chat and “logged in friends” disappear in this mode, though.

Leave a Reply

Your email address will not be published.