JoeyM
Dork
10/25/10 7:58 p.m.
http://gawker.com/5672877/now-anyone-at-your-cafe-can-hijack-your-facebook-account
Valleywag said:
A new Firefox extension lets anyone sharing an open wireless network at your neighborhood café or workplace easily access your Facebook, Twitter and myriad other online accounts. It's a terrifying tool designed to highlight a longstanding problem.
Seattle programmer Eric Butler's new Firesheep extension can show you a graphical list of the online accounts of everyone sharing an open wifi network with you. With one click on an icon, you're instantly logged in as them.
[...]
"HOLY CRAP" sums up the general Twitter reaction, as compiled by TechCrunch.
The vulnerability exploited by Firesheep has been there for years. Many major websites transmit the keys to your account — your login HTTP "cookies" — completely in the clear, with no encryption whatsoever. That's not a problem when you're on a well-secured wireless network; for example, if your local cafe uses WPA encryption on the router, you'd almost certainly be fine. The vulnerable networks are those that are totally open, as well as, possibly, networks that use the weak WEP password system. You'll typically see these types of vulnerable networks in college dormitories, cafes and restaurants, or at other businesses that never bothered to modernize their wireless infrastructure.
Vulnerable sites include Amazon, Dropbox, Facebook, Flickr, Foursquare, Google, nytimes.com, Tumblr, Twitter, Wordpress, Yahoo and Yelp. These sites could fix the problem by routing cookies through the secure HTTPS protocol. Indeed, encouraging them to do so is why Butler created Firesheep:
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.
Judging from internet reaction to Firesheep, that's already happening.
Update: This vulnerability exists outside of the browser, so it's not Firefox specific, and switching to Chrome will not help, as some commenters have suggested. It also shouldn't affect cellular data networks, including 3G networks, so we've updated our wording above to make it clear we're talking about wifi.
Although the problem is fundamentally in the wifi networks and the destination websites, there is a Firefox extension that tries to route around the problem by redirecting cookies through encrypted HTTPS connections. Since many web servers don't offer HTTPS, your experience with that extension will be hit or miss. You can also ensure your GMail is locked down by checking the HTTPS toggle in your Gmail settings (it is secure by default). Your best bet, for now, is to avoid using open wifi networks.
BTW - the programmer is 14. And he was duly paid $3k for his security flaw find.
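The quoted article says the fix is for sites to send their login cookies only over HTTPS. The browser-side half of that fix is the cookie's `Secure` attribute: a cookie marked `Secure` is never attached to a plain-HTTP request, so it cannot ride along in the clear on an open wifi network. The following is an added illustration written for this thread, not code from the article, from Firesheep, or from any of the sites named; the host names, cookie names and header lines are constructed samples, and the audit function is a hypothetical helper that mirrors the browser rule rather than any real site's configuration.

```python
"""Audit Set-Cookie headers for cookies a browser would send in the clear.

Added example (not from the thread or from Firesheep).  It models the browser
rule that a cookie carrying the ``Secure`` attribute is only sent over HTTPS,
so a session cookie without it is exposed on every plain-HTTP request.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Browser rule: a Secure cookie is withheld from any non-HTTPS request."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or not cookie.secure


def exposed_on_plain_http(headers: list[str], url: str) -> list[str]:
    """Names of the cookies a browser would transmit unencrypted when loading `url`."""
    if urlsplit(url).scheme.lower() == "https":
        return []  # nothing travels in the clear over HTTPS
    return [c.name for c in map(parse_set_cookie, headers) if would_be_sent(c, url)]


# Constructed sample headers: the weak setting (session cookie without Secure)
# beside the hardened form the article calls for.
WEAK_HEADERS = [
    "sessionid=abc123; Path=/",              # no Secure flag: leaks on open wifi
    "prefs=dark; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",                    # non-sensitive preference, fine in the clear
]

if __name__ == "__main__":
    url = "http://www.example.com/home"  # constructed sample URL
    print("weak site exposes:", exposed_on_plain_http(WEAK_HEADERS, url))
    print("hardened site exposes:", exposed_on_plain_http(HARDENED_HEADERS, url))
```

Running it shows the weak site exposing its `sessionid` on an ordinary http:// page load, while the hardened site exposes only the harmless `prefs` cookie; marking the session cookie `Secure` (and serving the logged-in pages over HTTPS so the browser still has a way to send it) is the server-side change the article asks sites to make.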
JoeyM
Dork
10/25/10 8:48 p.m.
Talk about a protégé... that's younger than DVD Jon.
SVreX
SuperDork
10/25/10 9:28 p.m.
A kid with that much brain power writes a program that he offers free for you to download that will attach itself to your browser and evidence the security flaws in your computer.
Anyone else see a problem here?
Why would I download his add-on, when he is clearly much smarter than me (and most folks), and perfectly capable of introducing untold security breaches of his own?
I know it sounds a bit paranoid, but I'm just sayin...
I'm satisfied reading the article.
In reply to SVreX:
He's what's called a "white hat" in the IT industry (and let's hope he stays that way). A white hat searches for security flaws and vulnerabilities, exploits them, and then presents them to major IT firms so that they will fix them. Many IT firms will offer prizes and hold competitions for white hats to discover flaws in their products. A "black hat" exploits security flaws and vulnerabilities for monetary gain, for political or military reasons, or for the lulz.
Yeah, basically, he's smart/savvy enough to find the exploit, and young/idealistic enough to want it fixed...
Possibly why Mozilla pays so much for these finds.
SVreX
SuperDork
10/25/10 10:19 p.m.
Oh, I "get it", and appreciate his skills and abilities.
Just don't have any desire to download his software.
JoeyM
Dork
10/26/10 6:32 a.m.
SVreX wrote:
A kid with that much brain power writes a program that he offers free for you to download that will attach itself to your browser and evidence the security flaws in the public network you connect to and also the websites you frequent
fixed that for you.
I didn't expect you'd want to install it yourself. I only mentioned it because people should be aware that the plug-in exists... Using a public network to visit sites that use cleartext session keys could be dangerous because script kiddies WILL install this 'sploit/plugin in their browsers.
dj
New Reader
10/26/10 10:36 a.m.
SVreX wrote:
A kid with that much brain power writes a program that he offers free for you to download that will attach itself to your browser and evidence the security flaws in your computer.
Anyone else see a problem here?
Why would I download his add-on, when he is clearly much smarter than me (and most folks), and perfectly capable of introducing untold security breaches of his own?
I know it sounds a bit paranoid, but I'm just sayin...
I'm satisfied reading the article.
That 'problem' exists for >95% of everything in society that people don't understand enough to build or even use for themselves (cars, tools, computers - hardware/software, engineering, psychology, clothing, processed foods, drugs, medicine, practically anything).
JoeyM
Dork
10/26/10 10:57 a.m.
dj wrote:
That 'problem' exists for >95% of everything in society that people don't understand enough to build or even use for themselves (cars, tools, computers - hardware/software, engineering, psychology, clothing, processed foods, drugs, medicine, practically anything).
Well put, dj. Most people don't know enough about how things work to determine the relative merits of a product. FWIW, when I decided to document my car build on my website, I built a database and wrote some scripts to enter data and read from it; i.e. made a very lean version of blogging software.
One of my friends said something like, "You do realize that, you could have downloaded and installed blogging software that has more features in a fraction of the time." My response was, "I know how this works."
(I'll be honest, though... a large part of why I did it was just to see if I could... the same basic motivation as building the Datsun replica.)
I assume a Firesheep user could only log into my Facebook account if I am currently logged into Facebook from an unsecured wifi network, right? If I've properly logged out, he couldn't log in, right? I assume Firesheep somehow grabs your cookies as they're flying through the air and then connects using that cookie. If I'm logged out, he can't get in because he won't have my password, right (assuming I don't have 'remember me' clicked when I log in, so my password isn't in my cookie)?
JoeyM
Dork
10/26/10 2:38 p.m.
That's my understanding, but check the original documentation (it is linked to in the article referenced above).
SVreX
SuperDork
10/26/10 5:52 p.m.
dj wrote:
That 'problem' exists for >95% of everything in society that people don't understand enough to build or even use for themselves (cars, tools, computers - hardware/software, engineering, psychology, clothing, processed foods, drugs, medicine, practically anything).
True, however the general populace who don't understand that stuff enough to build or use it for themselves is NOT required to interface with those products in ways that put them or their personal information at risk.
No one needs to know how to build a car to be a good operator, and the car won't steal stuff from them without them realizing it.
Computers are different. A LOT different.
Most everyone is required to interface with them in some manner that puts them at risk without them having any knowledge that there even WAS a risk. I think it is quite reasonable that people trained in the use of computers should require absolutely no training whatsoever in the construction of computers or in the programming of computers.
I don't need to be a chemist to have a good understanding of how to properly take my medicine. I don't need to be an engineer to have a good understanding of how to safely drive across a bridge. And it is a completely reasonable expectation that the bridge should not collapse when I do drive across it, just because I am not an engineer.
JoeyM
Dork
10/26/10 6:52 p.m.
SVreX wrote:
Most everyone is required to interface with them in some manner that puts them at risk without them having any knowledge that there even WAS a risk. I think it is quite reasonable that people trained in the use of computers should require absolutely no training whatsoever in the construction of computers or in the programming of computers.
[...]
And it is a completely reasonable expectation that the bridge should not collapse when I do drive across it, just because I am not an engineer.
Again, I agree with you. That's the point of this browser plugin... the vulnerability it highlights has been known about for years, and companies have left users vulnerable all this time. Why? The consumers weren't concerned, which means that there was no profit in fixing the problem.
People are now concerned, and companies will need to fix the problem.
SVreX
SuperDork
10/26/10 7:50 p.m.
You seem to think I am disagreeing with you. I'm not. I'm in complete agreement with you.