Gaming Firesheep add-on.

DeMoN

GBAtemp Guru
OP
Member
Joined
May 12, 2004
Messages
7,708
Trophies
1
Website
Visit site
XP
2,185
Country
United States
Got an email from my university a few days ago, saying that public WiFi spots are all compromised because of this add-on, which lets anyone who uses it log-on to your facebook account or whatever, as long as you're connected to the same unencrypted network. Currently the only way to prevent this is to use a secured network, log-in to a VPN, or visit only https sites.

Has anyone else heard about this?
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
One "solution" is to have an always-on connection on a computer at a secure location (e.g. home), setup an SSH server on it, then log into it any time you are using a public WiFi connection.

But this particular add-on isn't what "created" the problem, and it is silly to say so. The problem is that popular sites don't use secure connection. This was always possible, just harder before. This extension was made to bring to light the simplicity of doing this, and thus spur the sites into action.

Another program called "idiocy" was also created, in I believe less than 100 lines of code that will automatically log into any active Twitter account on the local WiFi network and post an update.
 

Rydian

Resident Furvert™
Member
Joined
Feb 4, 2010
Messages
27,880
Trophies
0
Age
35
Location
Cave Entrance, Watching Cyan Write Letters
Website
rydian.net
XP
8,930
Country
United States
Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

IE; Doesn't actually work if it's not already HTTPS.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
Rydian said:
Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

IE; Doesn't actually work if it's not already HTTPS.

Well, it DOES work in some cases where the site supports HTTPS, but doesn't use it by default (e.g. GMail, Facebook...)
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
Rydian said:
Gmail and facebook use HTTPS by default as soon a you try to sign in...
Facebook certainly does NOT for me. Perhaps during the sign in process, but not for the rest of the session, which is the problem. It does seem to work with HTTPS during the session though if you change it in the URL, however "Chat" won't work (presumably there is some issue with HTTPS and Chat...)
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
35,955
Trophies
3
Website
trastindustries.com
XP
26,545
Country
United Kingdom
Antoligy said:
I've been DNS tunneling (nb SSH over DNS) all my traffic whenever I use a public hotspot, so I'm fairly sure I'm okay.

Is it not also the case that such a technique will also see you able to bypass the ever lovely redirects that such hotspots (and some 3g implementations* for that matter) do to try and get you to pay for use of their services (others think a more elaborate block everything but port 80 idea you might have seen some of the more lowly security implementations). Not that I would know anything about such things (or have multiple dyndns accounts maintained for various reasons).

Also +1 to others, we have had packet scanners for years (I used to wind up my little brothers by snatching their MSN conversations out of the air using it).

*if it does work I advise not using it- telecommunications companies get a bit touchy about use of their services in such a manner.
 

Urza

hi
Member
Joined
Jul 18, 2007
Messages
6,493
Trophies
0
XP
742
Country
United States
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
 

Slyakin

See ya suckers
Member
Joined
Oct 15, 2008
Messages
4,448
Trophies
0
Age
26
Location
Soviet Slyakin
XP
379
Country
United States
Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.
ninja.gif
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).

But I believe that if someone has a vague idea what they're doing, they can still sniff the packets and get into active sessions. (I wouldn't have a clue how to do that, and thankfully I don't believe its too easy, but there are those who would know how to do it)

EDIT: Just watched a video on sniffing packets etc., it is VERY easy. Takes a few minutes, but is pretty simple. Dunno about on "secured" connections though. I assume if you can crack the encryption, its not too much harder.
 

Urza

hi
Member
Joined
Jul 18, 2007
Messages
6,493
Trophies
0
XP
742
Country
United States
SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
Urza said:
SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.

Hmm, perhaps it was because I was already logged in when he tried. In fact, yeah I'd say thats probably it.
 

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
35,955
Trophies
3
Website
trastindustries.com
XP
26,545
Country
United Kingdom
Slyakin said:
Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.
ninja.gif


I should have mentioned it first time around but the popular noscript addon (which most of the security concious types will probably already be using) has such functionality. enter the options of noscript -> advanced tab, HTTPS sub tab, the rest should be obvious.
 

You may also like...

General chit-chat
Help Users
    K3N1 @ K3N1: Priscillalisa