Firesheep add-on.

Discussion in 'Computer Games and General Discussion' started by DeMoN, Nov 11, 2010.

  1. DeMoN
    OP

    DeMoN GBAtemp Guru

    Member
    7,649
    100
    May 12, 2004
    United States
    Got an email from my university a few days ago, saying that public WiFi spots are all compromised because of this add-on, which lets anyone who uses it log-on to your facebook account or whatever, as long as you're connected to the same unencrypted network. Currently the only way to prevent this is to use a secured network, log-in to a VPN, or visit only https sites.

    Has anyone else heard about this?
     
  2. Vulpes Abnocto

    Vulpes Abnocto Drinks, Knows Things

    Former Staff
    6,664
    6,710
    Jun 24, 2008
    United States
  3. pcmanrules

    pcmanrules GBAtemp Regular

    Member
    233
    0
    Mar 15, 2009
    New Zealand
    Wellington, New Zealand
    I tried that extension at school yesterday, my Wi-Fi adapter wasn't supported and now i'm on study leave. makes me worry about what i give out on the internet and how insecure it is.
     
  4. Infinite Zero

    Infinite Zero Almost!

    Member
    2,922
    5
    Apr 25, 2010
    United States
    California
    I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
     
  5. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    One "solution" is to have an always-on connection on a computer at a secure location (e.g. home), setup an SSH server on it, then log into it any time you are using a public WiFi connection.

    But this particular add-on isn't what "created" the problem, and it is silly to say so. The problem is that popular sites don't use secure connection. This was always possible, just harder before. This extension was made to bring to light the simplicity of doing this, and thus spur the sites into action.

    Another program called "idiocy" was also created, in I believe less than 100 lines of code that will automatically log into any active Twitter account on the local WiFi network and post an update.
     
  6. Frederica Bernkastel

    Frederica Bernkastel WebPerf and PWA advocate; @antoligy on Twitter

    Member
    3,150
    758
    Jan 31, 2008
    Hinamizawa
    I've been DNS tunneling (nb SSH over DNS) all my traffic whenever I use a public hotspot, so I'm fairly sure I'm okay.
     
  7. Rydian

    Rydian Resident Furvert™

    Member
    27,883
    8,103
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

    IE; Doesn't actually work if it's not already HTTPS.
     
  8. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    Well, it DOES work in some cases where the site supports HTTPS, but doesn't use it by default (e.g. GMail, Facebook...)
     
  9. Rydian

    Rydian Resident Furvert™

    Member
    27,883
    8,103
    Feb 4, 2010
    United States
    Cave Entrance, Watching Cyan Write Letters
    Gmail and facebook use HTTPS by default as soon a you try to sign in...
     
  10. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    Facebook certainly does NOT for me. Perhaps during the sign in process, but not for the rest of the session, which is the problem. It does seem to work with HTTPS during the session though if you change it in the URL, however "Chat" won't work (presumably there is some issue with HTTPS and Chat...)
     
  11. playallday

    playallday Group: GBAtemp Ghost

    Member
    3,773
    9
    May 23, 2008
    Canada
    [@N@[)@
    .
     
    Last edited by playallday, Jun 22, 2015
  12. FAST6191

    FAST6191 Techromancer

    pip Reporter
    22,914
    8,591
    Nov 21, 2005
    Is it not also the case that such a technique will also see you able to bypass the ever lovely redirects that such hotspots (and some 3g implementations* for that matter) do to try and get you to pay for use of their services (others think a more elaborate block everything but port 80 idea you might have seen some of the more lowly security implementations). Not that I would know anything about such things (or have multiple dyndns accounts maintained for various reasons).

    Also +1 to others, we have had packet scanners for years (I used to wind up my little brothers by snatching their MSN conversations out of the air using it).

    *if it does work I advise not using it- telecommunications companies get a bit touchy about use of their services in such a manner.
     
  13. Terminator02

    Terminator02 ヽ( 。 ヮ゚)ノ

    Member
    4,517
    309
    Apr 10, 2010
    United States
    Somewhere near monkat
    the reason it's so big is because it's make it easy to watch what other people are doing etc. The process used to be fairly complicated, and only those well educated in computers could do it.

    also, this can be detected with Blacksheep
     
  14. Urza

    Urza hi

    Member
    6,493
    89
    Jul 18, 2007
    United States
    Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

    If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
     
  15. Slyakin

    Slyakin See ya suckers

    Member
    4,450
    40
    Oct 15, 2008
    United States
    Soviet Slyakin
    Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


    Not to mention, Firesheep is pretty darn fun. [​IMG]
     
  16. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).

    But I believe that if someone has a vague idea what they're doing, they can still sniff the packets and get into active sessions. (I wouldn't have a clue how to do that, and thankfully I don't believe its too easy, but there are those who would know how to do it)

    EDIT: Just watched a video on sniffing packets etc., it is VERY easy. Takes a few minutes, but is pretty simple. Dunno about on "secured" connections though. I assume if you can crack the encryption, its not too much harder.
     
  17. Urza

    Urza hi

    Member
    6,493
    89
    Jul 18, 2007
    United States
    No, it doesn't. WEP doesn't use unique session keys.

    It must have been due to some other failure.
     
  18. SifJar

    SifJar Not a pirate

    Member
    6,022
    891
    Apr 4, 2009
    Hmm, perhaps it was because I was already logged in when he tried. In fact, yeah I'd say thats probably it.
     
  19. FAST6191

    FAST6191 Techromancer

    pip Reporter
    22,914
    8,591
    Nov 21, 2005

    I should have mentioned it first time around but the popular noscript addon (which most of the security concious types will probably already be using) has such functionality. enter the options of noscript -> advanced tab, HTTPS sub tab, the rest should be obvious.