
You may have heard about a new Internet security threat called "Firesheep". This FAQ explains what it is, how it works, and how you can protect yourself against it.
Note: Those who just want the simple answers can ignore the italicized sections, which are included for those who are interested in more technical detail about the reasons behind the answers.
What is Firesheep?
Firesheep is a new Firefox extension that allows someone on an unsecure wifi network to see when anyone else on that network is using a service like Facebook or Twitter, and then to log into that service as that user.
In other words:
- An attacker installs Firesheep and goes to a coffee shop with free wifi service.
- You happen to be in the same coffee shop connected to Facebook through their wifi.
- Firesheep tells him you're on Facebook and allows him to log into Facebook as you.
Have you ever wondered how sites that require a log-in remember that it's still you once you're past the log-in screen, so they don't have to keep asking you to log in again for every page of the site you want to visit? They do it by storing a small file called a cookie on your computer that says, "Yes, this is Freeman, and he is currently logged in." Every time you try to hit a new page of the site, the cookie is also sent to the server by your browser, and that cookie tells the server that it doesn't have to ask you again for your password.
What Firesheep does is watch for the sending of those cookies. Once it sees one that it recognizes, it grabs it and essentially installs it on the attacker's computer. Then the attacker can simply browse to the site the victim was on and the attacker's browser will send the victim's cookie to that site. Seeing the cookie, the site will let the attacker go anywhere and do anything the victim could.
Does Firesheep steal my password?
No. What it does is make the website you're logged into think that the attacker is you and that you've already entered your password. However, once the attacker is in your account, he could then change your password, unless the site requires entering the old password first in order to change it.
Also, if it's your email account that Firesheep has compromised, an attacker could use it to change your passwords on other sites you use by using the "I forgot my password" feature on those sites that emails you a link to reset your password.
Finally, remember that we're just talking about Firesheep here. There are other types of attacks that can steal your password.
Why is Firesheep so much more dangerous than other attacks I've heard about?
Because it is a simple Firefox extension that anyone can install, and it's gotten a fair amount of publicity, so a lot of people know about it. (Within a day of its release, "Firesheep" became the #10 trending search on Google in the U.S.!) It requires no programming skills or any special computer knowledge to use. Anyone sitting in that coffee shop with you could be using it.
Where am I in danger?
You're in danger any time you're connected to an open wifi network, or even one that's protected using WEP encryption. You're safe on wifi networks that use WPA or WPA2, or on wired networks like you might have at work or at home.
What do "open", WEP, and WPA mean, and how can I tell which one of these types a given wifi network is?
Your computer's wifi utility should tell you what type a given network is. In Windows XP, for example, if you view the list of available wifi networks, you'll find descriptive text under the name of each signal specifying whether it's "unsecured" (open) or "secured" (encrypted) and, if the latter, what the encryption type is (WEP, WPA, or WPA2). The encrypted signals also have a little lock icon next to them.

An open network is unencrypted, which means that data is sent through it in a form that anyone can read if they can intercept it. WEP and WPA are methods of encrypting, or scrambling, wifi data, so that even if it is intercepted, it won't be able to be read. WEP is a weaker form of encryption in that every computer on the same WEP encrypted network has its data encrypted the same way, so one computer can read another computer's data if it can intercept it. With WPA and WPA2, wifi data is scrambled in a different way for each computer, so if one computer intercepts another one's data, it still won't be able to make any sense of it.
Am I in danger when accessing a site through a phone app while my phone is using an unsecure wifi connection?
Probably not, but it depends on the app. To be certain, you should contact the author of the app. (Note: I can say for sure that the Gmail and Facebook apps for Android are safe.) If the "app" is really just the website itself accessed through the phone's browser, however, then you are not safe.
If your phone is not using wifi but its own data connection, or if it's using a wifi connection secured with WPA or WPA2 encryption, then you're safe.
It's very likely that most native apps use a given service's API to interact with that service, and also very likely that the API is https based and might not even pass cookies in the way described above. However, as with many things, this could vary by service and by app.
How do I protect myself against Firesheep?
Starting with the most foolproof and/or easy methods:
1. Don't connect to wifi networks unless they're encrypted using WPA or WPA2.
If they're encrypted using WEP, an older and less secure method, avoid them unless you personally trust anybody else who might be on that network at the same time as you: for example, if it's your home network and you only gave the WEP password to members of your family. (Although in that case, if it's your home wifi router and you have control over it, you should really use WPA or WPA2 encryption instead just because they're safer in other ways.)
2. If you must connect to unsafe wifi networks, you can still be safe as long as the sensitive websites you visit encrypt all their pages.
You can tell if a web page is encrypted by whether its URL begins with "https" instead of the normal "http". Your browser might also display a lock symbol in its address bar next to the URL. Here, for example, is what Google's Chrome shows for a secure site:

The problem is that while most websites that require logging in encrypt some of their pages, almost none of them encrypt all their pages, and you only have to hit one unencrypted page for Firesheep to find you.
An open wifi network is like sending letters in transparent envelopes, but when you visit a website that encrypts its pages, it's like writing the letter in code. Then, even if the envelope is transparent, other parties still won't be able to understand what you wrote.
3. If you must connect to unsafe wifi networks and use websites that don't encrypt all their pages, you should use Firefox as your browser and install an extension that forces it to go to the encrypted pages of major sites rather than the unencrypted ones.
One good choice is HTTPS Everywhere, from the Electronic Frontier Foundation. It will force the use of encrypted ("https") pages all the time for all the sites that it knows about. Be careful, though: it doesn't know about every site you might frequent, and its coverage of some sites, such as Amazon.com, is incomplete.
Note: when you click on the big "Install HTTPS Everywhere" button, a yellow bar might appear at the top of the page saying, "Firefox prevented this site (www.eff.org) from asking you to install software on your computer." This is a security feature of Firefox that helps prevent malicious sites from trying to trick you into installing harmful extensions, but in this case, you can trust the Electronic Frontier Foundation. Just click on the "Allow" button on the right side of the bar to allow the installation to proceed.
4. If you use Gmail, make sure you turn on the "always use https" setting found on the General Settings tab.
5. Use a VPN proxy. This is an advanced option that will cost money.
Basically, there are paid services out there that will allow you to conduct all your internet activity through their server. Rather than talk directly to, say, Facebook over the wifi connection, your computer talks to the service's proxy server, encrypting its data to keep it safe as it passes through the wifi network. Then the proxy server passes everything on to the Facebook server under much safer conditions, and passes Facebook's replies back to your computer once again in encrypted form.
6. Install and run FireShepherd. This is a wonderfully clever little Windows utility created by Gunnar Atli Sigurdsson of the University of Iceland that basically causes Firesheep to crash if anyone on the same wifi network is using it. (Note: installing and running this utility requires a certain amount of advanced Windows expertise.)
It does this by sending out fake cookies that Firesheep will read and essentially choke on. It's not 100% foolproof and so you shouldn't rely on it as your primary protection against Firesheep, but you might add it to the other things to max out your protection, extend it to the other customers in the coffee shop who might not have gotten this information yet, and irritate the Firesheep user[s] among you!
Which of the above steps is the author of this FAQ personally taking?
3, 4, and 6.
What about websites I visit that don't require log-ins? Do I need to make sure they're encrypting their data, too?
No.
If there's no log-in state to protect, there's no need for encryption. In fact, even with a site that requires a log-in, if you don't care whether someone can log in as you (perhaps because the nature of the site is that there's nothing harmful they could do and no private information they could discover) then you don't need to worry about Firesheep seeing those sites. Breaches in the security of one site won't affect another. (That is, if Firesheep catches you visiting an unencrypted page of Uncle Joe's Social Network, that won't enable it to then get into your Facebook account.)
My laptop has VPN software installed that I use for work. Will it protect me from Firesheep?
It's possible. To be sure, you should check with your IT department.
Is there a Mac version of FireShepherd?
Not as far as I know.
I use Google's Chrome as my browser. Is there an extension available for Chrome that will force it to use SSL for most major sites?
Not yet, I'm afraid. There's apparently a technical issue with Chrome that currently prevents such an extension from being written.
Note: there are some Chrome extensions that claim to force SSL, but the way they work is to wait until the unencrypted page begins loading, and then quickly redirect the browser to the encrypted version of the page. This is useful for keeping safe any activity you might then engage in on that page, but it's useless for protecting you from Firesheep because by then, the cookie has been sent in the clear for the initial loading and therefore intercepted. Other Chrome extensions rewrite every webpage to change the "http" in links to "https". However, this does not cover all the possible ways you might end up navigating to an unencrypted page.
What about other browsers? Is there an SSL forcing extension for Safari or Opera or IE?
Not that I can find so far. If any reader knows of one, please let me know and I'll update this article.
What websites are vulnerable to Firesheep? Will HTTPS Everywhere protect me on all of them?
Both Firesheep and HTTPS Everywhere only know about certain websites. It's possible to add new sites to their coverage, but that requires some programming expertise. Here are screenshots showing which websites each tool covers "out of the box":
Firesheep:

I don't need to enter a password in order to connect to the open wifi signal at my local coffee shop, but once I'm connected, the first time I try to browse to a website, a page appears first asking me to accept the terms of service or maybe even enter a password provided by the shop. Does this mean I'm safe?
No.
That page has nothing to do with encrypting the data between your laptop and the wifi network. It's just a page inserted by the coffee shop for legal or advertising purposes. By the time you hit that page, you're already connected to the network.
The login pages for the sites I use are all encrypted. (Their URLs begin with "https".) Doesn't that mean I'm safe?
No.
Just because the login page is encrypted doesn't mean the rest of the site is. Most sites encrypt their login pages, but not all the pages you then move on to in order to view your content, post updates, etc. It's when you go to those unencrypted pages that Firesheep can steal your identity on that site.
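The sketch below is an added example, not part of the original FAQ or of either tool. It models a browsing session with an encrypted login page and unencrypted content pages, and lists which session cookies cross the network in the clear under three setups: no protection, an extension that redirects after the http page starts loading (the Chrome case above), and an extension that rewrites the URL before any request is made (the HTTPS Everywhere approach). It goes one step beyond the FAQ by also showing the cookie's Secure attribute, the site-side setting that keeps a cookie off http requests; all hosts, paths, cookie names and the rule list are constructed.

```javascript
// Added example. Hosts, paths, cookie names and the rule list are constructed.
// Hosts a rewrite-before-request extension has rules for (hypothetical list).
const KNOWN_HTTPS_HOSTS = new Set(["social.example"]);

// URLs that actually leave the browser, in order, for one navigation.
function requestsFor(url, strategy) {
  if (url.startsWith("https://")) return [url];
  const upgraded = url.replace(/^http:/, "https:");
  const host = new URL(url).host;
  // "rewrite": the URL is changed before any request is made, known hosts only.
  if (strategy === "rewrite" && KNOWN_HTTPS_HOSTS.has(host)) return [upgraded];
  // "redirect": the plain-http request goes out first, then the https one.
  if (strategy === "redirect") return [url, upgraded];
  return [url]; // "none"
}

// The browser attaches a cookie to requests for its host; a cookie marked
// Secure is withheld from plain-http requests (RFC 6265).
function cookieSent(reqUrl, cookie) {
  const u = new URL(reqUrl);
  return u.host === cookie.host && !(cookie.secure && u.protocol === "http:");
}

// Every "cookie @ url" pair that crossed the network unencrypted.
function cleartextExposures(navigations, cookies, strategy) {
  const exposed = [];
  for (const nav of navigations)
    for (const req of requestsFor(nav, strategy))
      for (const c of cookies)
        if (req.startsWith("http://") && cookieSent(req, c))
          exposed.push(`${c.name} @ ${req}`);
  return exposed;
}

// Constructed browsing session: encrypted login page, unencrypted content pages.
const session = [
  "https://social.example/login",
  "http://social.example/home",
  "http://social.example/photos",
  "http://forum.example/inbox",
];
const cookies = [
  { name: "social_session", host: "social.example", secure: false },
  { name: "forum_session", host: "forum.example", secure: false },
];
const secureCookies = cookies.map((c) => ({ ...c, secure: true }));

for (const s of ["none", "redirect", "rewrite"])
  console.log(s, cleartextExposures(session, cookies, s));
console.log("Secure cookies, none", cleartextExposures(session, secureCookies, "none"));
```

The redirect setup exposes exactly as much as no protection at all, and the rewrite setup still leaks the cookie for the site it has no rule for.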
I logged into a vulnerable site before reading this FAQ. Should I log out?
If you think an attacker might have caught you on the site before you could take any of the above precautions, you should probably change your password. Simply logging out will probably not be enough, though it might be for some sites.
Even though Firesheep doesn't actually steal passwords, most major sites will invalidate your cookies when you change your password. Therefore, the cookie that Firesheep intercepted won't be good any more. Keep in mind, however, that this depends on the behavior of the site itself. Some sites might not invalidate your cookies when you change your password, and some might lag a bit in recognizing that a cookie is no longer valid and allow the attacker to take some limited actions on the site before locking him out.
I'm a coffee shop owner. Is there anything I can do to protect my customers, short of not offering them free wifi?
You can turn on WPA or WPA2 encryption on your wifi router. I know that this is an inconvenience because your customers then have to enter a password in order to use the wifi, but one way to mitigate this is to post a big sign saying what the password is. You can also include the password in the SSID of the signal! For example, you could name the signal, "Joes_Cafe-password_is_foo" and set the password to "foo". Remember that WPA/WPA2 encryption will protect a user from Firesheep even if the attacker knows the password, because these methods encrypt data differently for every computer connected to the network.
Whose fault is this mess and what is the ultimate solution?
It's the fault of major websites for not encrypting all their pages, even though they've known about the potential security issues for years. The solution is that all such sites simply need to encrypt all their pages.
Are any major websites currently doing the right thing?
Google is with Gmail. (See the item about turning on the "always use https" option above.)
Facebook has announced that they'll be implementing a fix "in the coming months."
If some site you use frequently isn't doing the right thing yet, I strongly urge you to yell at them about it.
Who created Firesheep, and why?
Eric Butler, a freelance web application and software developer in Seattle, WA, actually created Firesheep for a good purpose: to force major websites to finally start doing the right thing and encrypt all their pages. His reasoning is that even though these sites -- and their malicious attackers -- have known about this vulnerability for years, very few sites have fixed their pages. By providing such an easy-to-use way to exploit this security hole, he's hoping to force them to finally patch it.
Tell me again, in just one sentence and without all this extra Q&A, what I should do to protect myself against Firesheep!
If you must surf the Internet using public wifi services, you should, at the very least, use Firefox with the HTTPS Everywhere extension installed, and avoid visiting any sensitive sites not covered by HTTPS Everywhere.
If I do that, will I be safe?
You'll be safe from Firesheep and similar attacks, but there are, unfortunately, others. This is a very big hole, though, and it will be well worth the effort to plug it.


