Baa baa Firesheep, have you stolen my password?
November 14, 2010 9:20 AM

How worried do I need to be about Firesheep? What sites does it affect? Is there anything I can do to protect myself on an iPad?

I'm stuck in one chair for the next five hours with little to entertain myself but my iPad and the free wifi at Hynes Convention Center in Boston. Do I need to worry that my MeFi login will be stolen? Can I read my Google Reader? How about Web Outlook? If these things are indeed vulnerable, is it something I should really worry about, or just a remote possibility? Please aim your answer at someone tech savvy enough to use Metafilter, but not much beyond.
posted by Horace Rumpole to Computers & Internet (23 answers total) 9 users marked this as a favorite
 
I haven't tried this yet, but one solution appears to be Blacksheep (cannot yet vouch for).
posted by theredpen at 9:26 AM on November 14, 2010


Best answer: Coding Horror has a lay-intelligible summary of how Firesheep works.

It looks like the Hynes is completely unsecured, so if someone is running FireSheep near you, and you're accessing non-https sites, they can impersonate you on those sites.

From the above article:
We should be very careful how we browse on unencrypted wireless networks. This is the great gift of Firesheep to all of us. If nothing else, we should be thanking the author for this simple, stark warning. It's an unavoidable fact of life: if you must go wireless, seek out encrypted wireless networks. If you have no other choices except unencrypted wireless networks, browse anonymously -- quite possible if all you plan to do is casually surf the web and read a few articles -- and only log in to websites that support https. Anything else risks identity theft.
posted by zamboni at 9:30 AM on November 14, 2010


Response by poster: Blacksheep won't help on a iPad running Safari, I don't think. It's for Firefox.
posted by Horace Rumpole at 9:32 AM on November 14, 2010


theredpen: "I haven't tried this yet, but one solution appears to be Blacksheep (cannot yet vouch for)"

OP is on an iPad. Blacksheep is a Firefox plug-in. No Firefox in iOS.
posted by sharkfu at 9:33 AM on November 14, 2010


If you have a VPN, you can connect to that and it will be encrypted. There are several for-pay VPN providers, but I doubt it's worth it for a few hours of security. If this is an ongoing issue for you, mail me and I can give you more information.

Another long-term solution is to set up a VPN on a more secure system (your home network) and connect to that before browsing in public.

I work for one of those providers, so I don't want to shill for or against them in public.
posted by mad bomber what bombs at midnight at 9:36 AM on November 14, 2010


Best answer: You might want to check the discussion forums to see which sites are "supported" by Firesheep. As of late October there were "currently supported is Amazon, Basecamp, bit.ly, eNom, Facebook, Foursquare, GitHub, Google, Hacker News, Harvest, The New York Times, Pivotal Tracker, Twitter, ToorCon, Evernote, Dropbox, Windows Live, Cisco... Slicehost, Gowalla, and Flickr."

And they claimed coming soon is "Yahoo!, eBay, LinkedIn, Digg, Reddit, Wikipedia, Blogger, GoDaddy, Posterous, Tumblr, Netflix, YouTube, Slashdot, MobileMe, PayPal, Salesforce, Craigslist, MySpace, Match, and AOL."

I don't think MeFi is a big enough fish there, so you should be okay. My feeling is that the risk in this sort of thing is small but not zero. You may have to assess your personal taste for risk to see what you want to be doing.
posted by jessamyn at 9:39 AM on November 14, 2010 [4 favorites]


Set up a VPN server at home (your router most likely can do this) and then stop worrying.
posted by Brian Puccio at 9:47 AM on November 14, 2010


re: Dropbox + Firesheep, Dropbox claims they're not vulnerable.
posted by sharkfu at 9:49 AM on November 14, 2010


they can impersonate you on those sites.


What I don't understand with FireSheep (my access is protected btw) is if someone manages to emulate you, say on Twitter, won't you notice the difference or the tweets "you made" under your account?
posted by The Lady is a designer at 9:50 AM on November 14, 2010


Response by poster: Sorry, I should have put the part about a public network above the fold. We have secured wireless at home.
posted by Horace Rumpole at 9:54 AM on November 14, 2010


Huh. Well this is the first I'm hearing about Firesheep...so thanks for the info MeFi!

If I'm understanding correctly, it's an extension for Firefox, but if you're on an open wifi network then you're vulnerable to an attack no matter what browser you are using - right? And the only way to block it is with an extension for Firefox?

Guess I'm going to be using Firefox if I'm ever on public wifi.
posted by radioamy at 10:00 AM on November 14, 2010


What I don't understand with FireSheep (my access is protected btw) is if someone manages to emulate you, say on Twitter, won't you notice the difference or the tweets "you made" under your account?

Well, yeah, but the question is whether you'll be able to do anything about it if they've accessed your email as well and reset all of your passwords.
posted by EndsOfInvention at 10:17 AM on November 14, 2010 [1 favorite]


It is important to note that Blacksheep does not block Firesheep from working. It will only detect if someone is using Firesheep on your network. Your safest bet is to make sure you are on a secured network, or using a vpn of some kind.

An idea I picked up from the Security Now podcast is if you are in a place that has a public wifi network (like a coffee shop) and it's free, ask to speak to the manager. If that network just turns on WPA (or WPA2) and posts the password for everyone to see it will mitigate the Firesheep attack.
posted by thewalledcity at 10:43 AM on November 14, 2010


The risk with firesheep is near-total if someone is running it. You can see this by running it yourself next time you've a laptop on unsecured wifi and watching its list fill up with accounts you can take over with one click.

You don't have to calculate the risk of someone with firesheep browsing through your accounts. If they're nearby, it's close to certain. You have to calculate the risk of someone nearby running firesheep. What's the crowd like there?

For the next five hours, if you're nervous, just don't browse any of its supported sites. For future sets of five hours, get a portable 3G->wifi device (or switch your iPad to 3G if it has it), or set up a VPN as others suggest.

(That said: don't feel reassured by the limited number of sites that firesheep supports. All firesheep amounts to is an easy way to collect cookies. Hundreds of thousands more cookie-based sites are vulnerable to the same basic technique, including MeFi.)
posted by bonaldi at 10:51 AM on November 14, 2010


thewalledcity: "An idea I picked up from the Security Now podcast is if you are in a place that has a public wifi network (like a coffee shop) and its free, ask to speak to the manager. If that network just turns on WPA (or WPA2) and posts the password for everyone to see it will mitigate the Firesheep attack."

Not sure if Security Now went into detail on the limitations of this, but this site claims that's only temporary protection, or more accurately, the tools are out there to bypass the added layer but aren't a point and click solution yet.
posted by sharkfu at 11:06 AM on November 14, 2010


Response by poster: What's the crowd like there?

Rare book dealers. If you had to pick a low risk group, I figure that's a pretty good one.
posted by Horace Rumpole at 11:19 AM on November 14, 2010


The simplest solution for many web sites is to use the secured version of the URL. Instead of http://www.facebook.com, use https://www.facebook.com. Most popular web sites will have secured versions.
posted by megatherium at 11:59 AM on November 14, 2010


Sorry, I was thinking selfishly (I use Firefox). Good luck, OP.
posted by theredpen at 12:20 PM on November 14, 2010


Beware of trusting https. Many sites use secure http to exchange authentication, but then use unsecured http for everything else. This still leaves you vulnerable to firesheep, as your cookie is transmitted in the clear.

Last I heard, Facebook and Twitter were still using https only for authentication.
posted by mad bomber what bombs at midnight at 12:32 PM on November 14, 2010
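The two comments above (use the https:// version of a site, but beware that a site which only uses HTTPS for login still sends your session cookie in the clear afterwards) come down to one cookie attribute. The following is an added example, not code from the thread or from Firesheep: it audits constructed Set-Cookie headers (hostnames and cookie names are invented) and reports which session cookies a standards-following browser would also attach to a plain http:// request, which is exactly what a passive sniffer on open wifi collects.

```python
# Added example (not from the original thread): audit Set-Cookie headers to see
# whether a session cookie would travel in the clear over plain http://.
# Sample headers below are constructed; hosts and cookie names are assumptions.
from http import cookies
from urllib.parse import urlparse

# Constructed sample responses: one "login over https, everything else http" site
# (the pattern the comment above warns about) and one hardened site.
SAMPLE_SET_COOKIE = {
    "mixed-site.example": [
        "sessid=abc123; Path=/; HttpOnly",   # no Secure -> also sent over http://
        "prefs=dark; Path=/",
    ],
    "hardened.example": [
        "sessid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}

def parse_set_cookie(header: str) -> dict:
    """Return the cookie name plus the attributes that govern transport exposure."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }

def cookies_sent_over(url: str, set_cookie_headers) -> list:
    """Names of cookies a browser attaches to a request for `url`.
    A cookie without the Secure attribute is sent over http:// as well."""
    scheme = urlparse(url).scheme
    sent = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if scheme == "https" or not c["secure"]:
            sent.append(c["name"])
    return sent

def exposed_session_cookies(host: str) -> list:
    """Session-looking cookies (name contains 'sess') that would leak on http://."""
    plain = cookies_sent_over(f"http://{host}/", SAMPLE_SET_COOKIE[host])
    return [n for n in plain if "sess" in n.lower()]

if __name__ == "__main__":
    for host in SAMPLE_SET_COOKIE:
        print(host, "exposes over http:", exposed_session_cookies(host))
```

The fix on the server side is the `Secure` attribute on the session cookie (and serving the whole site over HTTPS), which is what makes the hardened sample report nothing.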


It won't run on an iPad but for those of you on computers, another alternative to BlackSheep is FireShepherd, a program designed to crash Firesheep.

Firefox users also have the option of HTTPS Everywhere from the EFF.
posted by IndigoRain at 1:23 PM on November 14, 2010 [1 favorite]


Best answer: Do I need to worry that my MeFi login will be stolen?

Not with the default Firesheep install, no. Metafilter is not among the sites that come in the default list. Although that's just a matter of an oversight on the developer's part; MeFi is vulnerable to this kind of attack in theory.

Can I read my Google Reader?

Google is among the sites in Firesheep's inventory, so it may be vulnerable. It all depends on whether the iPad uses HTTPS or not; I believe it's available for Google Docs but not mandated.

How about Web Outlook?

SSL for OWA is something that has to be set up & enabled on a site-by-site basis. It all depends on whether your organization has it enabled. Here's a quick tutorial you can forward to your site admin.

If these things are indeed vulnerable, is it something I should really worry about, or just a remote possibility?

I've seen it being used in the wild in metropolitan areas so the threat is far from theoretical. I'd have to say the Hynes is a fairly high-risk area, as it'd be attractive to a teenage hacker looking to score a bunch of accounts to play with.
posted by scalefree at 1:40 PM on November 14, 2010


@sharkfu True, it isn't a complete fix, but it is a very good first step and frankly should be implemented everywhere.
posted by thewalledcity at 1:42 PM on November 14, 2010


There is a secure version of Google Reader at https://www.google.com/reader/ by the way.
posted by Pronoiac at 12:33 AM on November 15, 2010

