Freeman Ng's Open Salon Blog

Firesheep FAQ

Mon, 8 Nov 2010 00:11:38 -0500

You may have heard about a new Internet security threat called "Firesheep". This FAQ explains what it is, how it works, and how you can protect yourself against it.

Note: Those who just want the simple answers can ignore the italicized sections, which are included for those who are interested in more technical detail about the reasons behind the answers.

What is Firesheep?

Firesheep is a new Firefox extension that allows someone on a unsecure wifi network to see when anyone else on that network is using a service like Facebook or Twitter, and then to log into that service as that user.

In other words:

An attacker installs Firesheep and goes to a coffee shop with free wifi service.
You happen to be in the same coffee shop connected to Facebook through their wifi.
Firesheep tells him you're on Facebook and allows him to log into Facebook as you.

How does it work?

Have you ever wondered how sites that require a log-in remember that it's still you once you're past the log-in screen, so they don't have to continue asking you to log-in again for every page of the site you want to visit? They do it by storing a small file called a cookie on your computer that says, "Yes, this is Freeman, and he is currently logged in." Every time you try to hit a new page of the site, the cookie is also sent to the server by your browser, and that cookie tells the server that it doesn't have to ask you again for your password.

What Firesheep does is watch for the sending of those cookies. Once it sees one that it recognizes, it grabs it and essentially installs it on the attacker's computer. Then the attacker can simply browse to the site the victim was on and the attacker's browser will send the victim's cookie to that site. Seeing the cookie, the site will let the attacker go anywhere and do anything the victim could.

Does Firesheep steal my password?

No, what it does is make the website you're logged into think that it's you and that it's already entered your password. However, once it's into your account, it could then change your password, unless the site requires entering the old password first in order to change it.

Also, if it's your email account that Firesheep has compromised, an attacker could use it to change your passwords on other sites you use by using the "I forgot my password" feature on those sites that emails you a link to reset your password.

Finally, remember that we're just talking about Firesheep here. There are other types of attacks that can steal your password.

Why is Firesheep so much more dangerous than other attacks I've heard about?

Because it is a simple Firefox extension that anyone can install, and it's gotten a fair amount of publicity, so a lot of people know about it. (Within a day of its release, "Firesheep" became the #10 trending search on Google in the U.S.!) It requires no programming skills or any special computer knowledge to use. Anyone sitting in that coffee shop with you could be using it.

Where am I in danger?

You're in danger any time you're connected to an open wifi network, or even one that's protected using WEP encryption. You're safe on wifi networks that use WPA or WPA2, or on wired networks like you might have at work or at home.

What do "open", WEP, and WPA mean, and how can I tell which one of these types a given wifi network is?

Your computer's wifi utility should tell you what type a given network is. In Windows XP, for example, if you view the list of available wifi networks, you'll find descriptive text under the name of each signal specifying whether it's "unsecured" (open) or "secured" (encrypted) and if the latter, what the encryption type is. (WEP, WPA, or WPA2.) The encrypted signals also have a little lock icon next to them.

An open network is unencrypted, which means that data is sent through it in a form that anyone can read if they can intercept it. WEP and WPA are methods of encrypting, or scrambling, wifi data, so that even if it is intercepted, it won't be able to be read. WEP is a weaker form of encryption in that every computer on the same WEP encrypted network has its data encrypted the same way, so one computer can read another computer's data if it can intercept it. With WPA and WPA2, wifi data is scrambled in a different way for each computer, so if one computer intercepts another one's data, it still won't be able to make any sense of it.

Am I in danger when accessing a site through a phone app while my phone is using an unsecure wifi connection?

Probably not, but it depends on the app. To be certain, you should contact the author of the app. (Note: I can say for sure that the Gmail and Facebook apps for Android are safe.) If the "app" is really just the website itself accessed through the phone's browser, however, then you are not safe.

If your phone is not using wifi but its own data connection, or if it's using a wifi connection secured with WPA or WPA2 encryption, then you're safe.

It's very likely that most native apps use a given service's API to interact with that service, and also very likely that the API is https based and might not even pass cookies in the way described above. However, as with many things, this could vary by service and by app.

How do I protect myself against Firesheep?

Starting with the most foolproof and/or easy methods:

1. Don't connect to wifi networks unless they're encrypted using WPA or WPA2.

If they're encrypted using WEP, an older and less secure method, avoid them unless you personally trust anybody else who might be on that network at the same time as you: for example, if it's your home network and you only gave the WEP password to members of your family. (Although in that case, if it's your home wifi router and you have control over it, you should really use WPA or WPA2 encryption instead just because they're safer in other ways.)

2. If you must connect to unsafe wifi networks, you can still be safe as long as the sensitive websites you visit encrypt all their pages.

You can tell if a web page is encrypted by whether its URL begins with "https" instead of the normal "http". Your browser might also display a lock symbol in its address bar next to the URL. Here, for example, is what Google's Chrome shows for a secure site:

The problem is that while most websites that require logging in encrypt some of their pages, almost none of them encrypt all their pages, and you only have to hit one unencrypted page for Firesheep to find you.

An open wifi network is like sending letters in transparent envelopes, but when you visit a website that encrypts its pages, it's like writing the letter in code. Then, even if the envelope is transparent, other parties still won't be able to understand what you wrote.

3. If you must connect to unsafe wifi networks and use websites that don't encrypt all their pages, you should use Firefox as your browser and install an extension that forces it to go to the encrypted pages of major sites rather than the unencrypted ones.

One good choice is HTTPS Everywhere, from the Electronic Frontier Foundation. It will force the use of encrypted ("https") pages all the time for all the sites that it knows about. Be careful, though: it doesn't know about every site you might frequent, and its coverage of some sites, such as Amazon.com, is incomplete.

Note: when you click on the big "Install HTTPS Everywhere" button, a yellow bar might appear at the top of the page saying, "Firefox prevent this site (www.eff.org) from asking you to install software on your computer." This is a security feature of Firefox that helps prevent malicious sites from trying to trick you into installing harmful extensions, but in this case, you can trust the Electronic Frontier Foundation. Just click on the "Allow" button on the right side of the bar to allow the installation to proceed.

4. If you use Gmail, make sure you turn on the "always use https" setting found on the General Settings tab.

5. Use a VPN proxy. This is an advanced option that will cost money.

Basically, there are paid services out there that will allow you to conduct all your internet activity through their server. Rather than talk directly to, say, Facebook over the wifi connection, your computer talks to the service's proxy server, encrypting its data to keep it safe as it passes through the wifi network. Then the proxy server passes everything on to the Facebook server under much safer conditions, and passes Facebook's replies back to your computer once again in encrypted form.

6. Install and run FireShepherd. This is a wonderfully clever little Windows utility created by Gunnar Atli Sigurdsson of the University of Iceland that basically causes Firesheep to crash if anyone on the same wifi network is using it. (Note: installing and running this utility requires a certain amount of advanced Windows expertise.)

It does this by sending out fake cookies that Firesheep will read and essentially choke on. It's not 100% foolproof and so you shouldn't rely on it as your primary protection against Firesheep, but you might add it to the other things to max out your protection, extend it to the other customers in the coffee shop who might not have gotten this information yet, and irritate the Firesheep user[s] among you!

Which of the above steps is the author of this FAQ personally taking?

3, 4, and 6.

What about websites I visit that don't require log-ins? Do I need to make sure they're encrypting their data, too?

No.

If there's no log-in state to protect, there's no need for encryption. In fact, even with a site that requires a log-in, if you don't care whether someone can log in as you (perhaps because the nature of the site is that there's nothing harmful they could do and no private information they could discover) then you don't need to worry about Firesheep seeing those sites. Breeches in the security of one site won't affect another. (i.e. if Firesheep catches you visiting an unencrypted page of Uncle Joe's Social Network, that won't enable it to then get into your Facebook account.)

My laptop has VPN software installed that I use for work. Will it protect me from Firesheep?

It's possible. To be sure, you should check with your IT department.

Is there a Mac version of FireShepherd?

Not as far as I know.

I use Google's Chrome as my browser. Is there an extension available for Chrome that will force it to use SSL for most major sites?

Not yet I'm afraid. There's apparently a technical issue with Chrome that currently prevents such an extension from being written.

Note: there are some Chrome extensions that claim to force SSL, but the way they work is to wait until the unencrypted page begins loading, and then quickly redirect the browser to the encrypted version of the page. This is useful for keeping safe any activity you might then engage in on that page, but it's useless for protecting you from Firesheep because by then, the cookie has been sent in the clear for the initial loading and therefore intercepted. Other Chrome extensions rewrite every webpage to change the "http" in links to "https". However, this does not cover all the possible ways you might end up navigating to an unencrypted page.

What about other browsers? Is there an SSL forcing extension for Safari or Opera or IE?

Not that I can find so far. If any reader knows of one, please let me know and I'll update this article.

What websites are vulnerable to FireSheep? Will HTTPS Everywhere protect me on all of them?

Both Firesheep and HTTPS Everywhere only know about certain websites. It's possible to add new sites to their coverage, but that requires some programming expertise. Here are screenshots showing which websites each tool covers "out of the box":

Firesheep:

HTTPS-Everywhere:

I don't need to enter a password in order to connect to the open wifi signal at my local coffee shop, but once I'm connected, the first time I try to browse to a website, a page appears first asking me to accept the terms of service or maybe even enter a password provided by the shop. Does this mean I'm safe?

No.

That page has nothing to do with encrypting the data between your laptop and the wifi network. It's just a page inserted by the coffee shop for legal or advertisting purposes. By the time you hit that page, you're already connected to the network.

The login pages for the sites I use are all encrypted. (Their URL's begin with "https") Doesn't that mean I'm safe?

No.

Just because the login page is encrypted doesn't mean the rest of the site is. Most sites encrypt their login pages, but not all the pages you then move on to to view your content or post updates, etc. It's when you go to those unencrypted pages that Firesheep can steal your identity on that site.

I logged into a vulnerable site before reading this FAQ. Should I log out?

If you think an attacker might have caught you on the site before you could take any of the above precautions, you should probably change your password. Simply logging out will probably not be enough, though it might be for some sites.

Even though Firesheep doesn't actually steal passwords, most major sites will invalidate your cookies when you change your password. Therefore, the cookie that Firesheep intercepted won't be good any more. Keep in mind, however, that this depends on the behavior of the site itself. Some sites might not invalidate your cookies when you change your password, and some might lag a bit in recognizing that a cookie is no longer valid and allow the attacker to take some limited actions on the site before locking him out.

I'm a coffee shop owner. Is there anything I can do to protect my customers, short of not offering them free wifi?

You can turn on WPA or WPA2 encryption on your wifi router. I know that this is an inconvenience because your customers then have to enter a password in order to use the wifi, but one way to mitigate this is to post a big sign saying what the password is. You can also include the password in the SSID of the signal! For example, you could name the signal, "Joes_Cafe-password_is_foo" and set the password to "foo". Remember that WPA/WPA2 encryption will protect a user from Firesheep even if the attacker knows the password, because these methods encrypt data differently for every computer connected to the network.

Who's fault is this mess and what is the ultimate solution?

It's the fault of major websites for not encrypting all their pages, even though they've known about the potential security issues for years. The solution is that all such sites simply need to encrypt all their pages.

Are any major websites currently doing the right thing?

Google is with Gmail. (See the item about turning on the "always use https" option above.)

Facebook has announced that they'll be implementing a fix "in the coming months."

If some site you use frequently isn't doing the right thing yet, I strongly urge you to yell at them about it.

Who created Firesheep, and why?

Eric Butler, a freelance web application and software developer in Seattle, WA, actually created Firesheep for a good purpose: to force major websites to finally start doing the right thing and encrypt all their pages. His reasoning is that even though these sites -- and their malicous attackers -- have known about this vulnerability for years, very few sites have fixed their pages. By providing such an easy-to-use way to exploit this security hole, he's hoping to force them to finally patch it.

Tell me again, in just one sentence and without all this extra Q&A, what I should do to protect myself against Firesheep!

If you must surf the Internet using public wifi services, you should, at the very least, use Firefox with the HTTPS Everywhere extension installed, and don't visit any sensitive sites not covered by HTTPS Everywhere.

If I do that, will I be safe?

You'll be safe from Firesheep and similar attacks, but there are, unfortunately, others. This is a very big hole, though, and it will be well worth the effort to plug it.

My Unlikely Healthcare Reform Heroes

Sat, 27 Mar 2010 14:03:43 -0400

John Boehner

And the rest of the GOP leadership, for deciding to go for broke and resist health care reform in every way possible. If they had decided instead to cooperate with the President and other Democrats who, in the early stages of the process, desperately wanted the effort to be bipartisan, we would not only have a much weaker bill today, but would lose out on the future political gains we can now look forward to as the threatened death panels, ballooning of the deficit, and general destruction of the American Way of Life fail to materialize.

Anthem Blue Cross

Just when the public was beginning to grow fatigued over the whole issue, Anthem Blue Cross announced huge rate hikes on individual policy holders that reenergized the debate.

Thanks, Anthem Blue Cross! Please cancel my policy.

Nancy Pelosi

Only included in this list of unlikely heroes because of her abysmal approval ratings, even among Democrats. Maybe we’ll change our opinion of her now that it’s come out she was a major voice lobbying President Obama to stand firm on the full bill after Scott Brown’s victory in Massachusetts cast its passage in doubt. She dismissed a watered down alternative proposed by Rahm Emanuel as “kiddie care,” and told Obama, “We’re in the majority. We’ll never have a better majority in your presidency in numbers than we’ve got right now. We can make this work!”

Bart Stupak

And other conservative Democrats who voted for the bill. Many of them will face tough reelection battles in their Republican-leaning home states and districts. Some of them are receiving death threats from their constituents because of their votes on the bill. And let us not forget that some of them overcame sincerely held beliefs on abortion to vote for legislation they recognized was profoundly pro-life in a sense that they could agree on with their fellow Democrats.

David Frum

The former special assistant to President George W. Bush, resident fellow of the American Enterprise Institute (a conservative think tank) and author of a number of popular books on conservatism in America, enraged the more petulant wing of his party with a blog post criticizing the GOP leadership for its mule-headed approach to the healthcare debate. (See “John Boehner” above.) Frum represents an endangered species on the American political landscape: the rational Republican. It is to be hoped that he and his ilk eventually regain control of the Party of Lincoln.

In related news from this past week, David Frum was fired by the American Enterprise Institute.

What Paul Shirley Got Right

Mon, 1 Feb 2010 03:02:41 -0500

The Internet is abuzz with condemnations of Paul Shirley’s rant against Haitian earthquake relief. (Yes, I’m once again following up on a Salon.com “This Week In Crazy” feature.) Shirley has been accused of a lack of compassion, racial intolerance, and plain nut-jobbery, all of which might be true as far as I know – I only knew him previously as the writer of some very entertaining ESPN columns about his adventures as a professional basketball player – but what I want to focus on here is the one thing he got right:

While the earthquake was, obviously, unavoidable, the way in which many of the people of Haiti lived was not. Regrettably, some Haitians would have died regardless of the conditions in that country. But the fact that so many people lived in such abject poverty exacerbated the extent of the crisis.

One of the secondary tragedies of the Haitian disaster is how infrequently Shirley’s observation has been echoed in news reports and opinion pieces. While the compassionate response of the world in giving to Haitian relief has been a wonderful thing to see, it’s unfortunate that this disaster hasn’t also caused our collective attention to turn any more persistently than usual to the problem of global poverty. This latest episode in Haiti’s woeful history might have triggered a discussion about the lingering effects of past colonialism and Cold War politics, and about the staggering degree of wealth inequality in the present world order. (Which might in turn have spared a better educated Shirley from going on to absurdly blame the Haitians for their own suffering!)

As it is, it looks like the past will once again be prologue. We’ll text our $10 donations to Haitian earthquake relief and return to playing our favorite iPhone game. Then, a couple of years down the line, the next earthquake or tsunami or hurricane will devastate some other vulnerable area of the third world. We’ll be horrified – and utterly surprised – and will, hopefully, give freely to the relief effort yet again. But will we finally wake up to the broken global economic and political systems that treat the billion or so extremely poor humans among us like so much fodder?

If we don’t, it will be small consolation that we’ll have many more opportunities to do so in the future.

Wealth inequality by country:

Wealth inequality between countries:

Another blog post by me on the same theme

Clarence Thomas: Supreme Nut Job

Mon, 25 Jan 2010 02:01:26 -0500

Andrew Leonard's inaugural installment of Salon's “This Week in Crazy” column features Clarence Thomas and the recent Supreme Court decision to lift restrictions on corporate spending on political campaigns. The crazy part was not the decision itself. (That was merely catastrophic.) Nor was it that Thomas formed part of the conservative majority of the court that brought it about. (That was automatic.) It was that Thomas, and Thomas alone, dissented from the only sane part of the ruling, the part that upheld the requirement that these corporate donors at least disclose their identities!

Many of those who have written about this subplot of the tragedy that was Citizens United v. Federal Election Commission have emphasized the fact that Thomas was the lone dissenter on this point. Not even Scalia joined him!

That got me thinking about solo dissent in general. Does it happen often? Do some justices do it more often than others? What does it reveal about the ones who do?

Of the 335 decisions handed down by the court in the past five terms, 26 involved a lone dissenter, usually against the decision as a whole, but sometimes, as in Citizens United, only against some significant part of it. In these 26 cases, Roberts, Breyer, and (surprisingly) Scalia were the dissenters only once each, and Kennedy and Alito never at all. Sotomayer also never appears, which is not surprising, given her short time on the court so far. Souter appears twice, Ginsberg three times, and Stevens, who is widely regarded as the most liberal of the justices, tallies five. Clarence Thomas fills up the rest of the roll. He stood against all eight of his peers thirteen times, as many times as all the rest of them put together!

Does this mean he’s a crazy extremist, with Stevens running a distant second? Not necessarily. There can be many reasons for a justice to stand alone. She might be the only voice of reason in a dysfunctional court, for example. Or he might be a technician seeking to maintain certain important tensions in the mechanism of the law. The only way to tell is to look at the evidence. What were the lone dissenters actually standing for?

A glance at Stevens’ dissents reveals the leftward lean one would expect, but nothing very unbalanced. He tended to fight for the right of allegedly wronged parties to seek legal recourse: to sue a corporation for securities fraud in Tellabs, Inc. v. Makor Issues & Rights, Ltd., or to challenge the fairness of energy contracts in NRG Power Marketing, LLC v. Maine Public Utilities Commission.

In Fernandez-Vargas v. Gonzales, he spoke in the defense of an individual who was being deported due to a new tough law that was enacted after his violation of it.

His most ideologically charged opinion, at least in appearance, was his stance in Scott v. Harris. In this somewhat famous case, the court decided that a fleeing driver in a high speed car chase could not sue the deputy sheriff who ran him off the road, causing him to become paralyzed. At first glance, a dissent from this judgment might seem to be classic evidence for the myth of liberal coddling of criminals, but in fact, Stevens only argued that the facts of the case were sufficiently problematic that a local jury should be allowed to make the call.

Many of Thomas’ solo dissents are similarly ideological but mild.

In Buckeye Check Cashing, Inc. v. Cardegna, Preston v. Ferrer, Gonzalez v. United States, and Lopez v. Gonzales, he argued for states’ rights over federal authority, like a good conservative soldier. His opinions in Dolan v. United States Postal Service, MedImmune, Inc. v. Genentech, Inc., and Meacham v. Knolls Atomic Power Laboratory, were the mirror images of Stevens’ above: he fought to limit victims’ ability to sue, but not outrageously.

In Negusie v. Mukasey, the picture begins to change a bit. Daniel Negusie was an Eritrean whose application for asylum was rejected because he had been a guard who participated in the mistreatment of prisoners. The lower court that rejected his appeal thought it had to ignore his claims that he was forced to do what he did under threat of torture and death, but eight out of the nine Supreme Court justices ruled that such extenuating circumstances could be considered in these cases. Thomas disagreed.

In Northwest Austin Municipal Utility District No. 1 v. Holder, the court upheld the importance of section 5 of the Voters Rights Act, which prohibits local governments from enacting changes in their voting processes without federal approval. The nearly unanimous opinion went out of its way to emphasize the continued importance of this law, which prevents local jurisdictions from enacting new discriminatory practices as quickly as the federal government can outlaw them. Thomas disagreed that section 5 was needed any longer.

He also argued in Rothgery v. Gillespie County, with no one else joining him, that an individual’s right to counsel begins not when he or she is arrested, but only when a formal indictment is made.

Finally, there came the infamous case of Safford Unified School Dist. #1 v. Redding, in which a 13 year-old girl was strip searched because she was suspected of holding illegal drugs in the form of 400mg tablets of ibuprofen. (200mg is the normal over-the-counter strength.) Though the court ruled that the girl could not hold the school officials liable for their search, it asserted that the search itself was unconstitutional. Thomas disagreed with this latter point!

What do we make of all this? Is Clarence Thomas a heroic defender of some lost truth? A meticulous watcher over the subtle details of the law? Or is he simply a nut job? One way to decide is to imagine what the world would be like if he had gotten his way in all of these judgments: You could be arrested and incarcerated, and not have a right to counsel until an actual indictment was made. Big parts of the Voters Rights Act would be declared unconstitutional. Middle school girls could be strip searched on suspicion of carrying extra strength ibuprofen. And corporations could spend billions of dollars to influence the outcome of U.S. elections, as they will now anyway, but in total anonymity!

The verdict: Nut job, in an eight to one decision.

My Person of the Year: Ben Nelson???

Wed, 30 Dec 2009 03:12:44 -0500

Yes, I'm talking about the Democratic senator from Nebraska who cast the deciding vote to prevent a filibuster of the Senate health insurance reform bill, but only after he helped kill any chance for a public option, tried to insert an anti-abortion amendment into the bill, and finally extracted an economic concession for his state that the GOP is now making political hay over. With so many progressives feeling so unhappy about what they perceive as the disproportionate power the small conservative fringe of the party had in shaping a bill that has fallen far short of their highest hopes, why am I making the man who stood at the fulcrum of that struggle my person of the year?

I won't be arguing that he did, after all, enable passage of a bill that is going to do a great deal of good, and that he incurred significant political risk in doing so. I believe both those things are true, but beside the point, and more in line with the way Republicans tend to think than the way Democrats ought to. Rather than focus narrowly on the feats, personal beliefs or political courage of Ben Nelson, I prefer to think systemically, and to focus therefore on what he represents about the drastic way the political landscape changed in 2009. Ben Nelson's mere existence at the fulcrum of the healthcare debate, apart from what he actually did, demonstrated the two most important aspects of that change:

The very fact that there was a fulcrum. Let us not forget - let us never, ever forget! - that for most of George W. Bush's two terms, there was no real balancing point at all. (Or put another way, that point sat permanently outside the conservative majority that followed its orders from on high unfailingly.) Many Democrats have come to envy the efficiency of the Republican machine - why can't we match that party loyalty and message discipline? - but what they might call wimpiness, I call adherence to democratic values. Republicans wield power. Democrats govern. We're back to the messiness that is often democracy in action, and that's a good thing.
The fact that the fulcrum now sits (just barely) within the boundaries of the Democratic Party. If 313 more people had voted for Norm Coleman in the 2008 Minnesota Senate race, the balancing point would have shifted from Ben Nelson to Olympia Snowe, a moderate Republican who would have required an even greater weakening of the Senate bill before she would have agreed to oppose a Republican filibuster. If 2954 more people had voted for Ted Stevens in Alaska, the balancing point would have fallen off a cliff.

Therefore, as we look back on 2009, let us honor Ben Nelson, not so much for what he did (which was admirable, in my opinion) but for what he represents: the return of our political system to some semblance of health. As we look ahead to 2010, let us work to tip the balance further. If we can gain one more Senate seat in 2010, Ben Nelson will be freed to better represent his conservative constituency. (Assuming he survives his own reelection race that year.) If we can gain two seats, Joe Lieberman will be freed to lose his next race gracefully and go on to the analyst position waiting for him at Fox News. If we can win three seats - not really possible in 2010, but for the sake of argument - then the results are incalculable.

It is here, in the electoral trenches, that real change has and will come, through the continued hard work of millions of people registering new voters, contributing money to candidates, educating the public, and getting out the vote. It's not as glamorous as the fantasy of a progressive messiah of a president who will effortlessly lead us into paradise, but it's how democracy works, when it's working like it should.