Firesheep add-on.

Discussion in 'Computer Games and General Discussion' started by DeMoN, Nov 11, 2010.

Nov 11, 2010

Firesheep add-on. by DeMoN at 5:21 AM (1,733 Views / 0 Likes) 18 replies

  1. DeMoN
    OP

    Member DeMoN GBAtemp Guru

    Joined:
    May 12, 2004
    Messages:
    7,647
    Country:
    United States
    Got an email from my university a few days ago, saying that public WiFi spots are all compromised because of this add-on, which lets anyone who uses it log-on to your facebook account or whatever, as long as you're connected to the same unencrypted network. Currently the only way to prevent this is to use a secured network, log-in to a VPN, or visit only https sites.

    Has anyone else heard about this?
     
  2. Vulpes Abnocto

    Former Staff Vulpes Abnocto Drinks, Knows Things

    Joined:
    Jun 24, 2008
    Messages:
    6,600
    Country:
    United States
  3. pcmanrules

    Member pcmanrules GBAtemp Regular

    Joined:
    Mar 15, 2009
    Messages:
    233
    Location:
    Wellington, New Zealand
    Country:
    New Zealand
    I tried that extension at school yesterday, my Wi-Fi adapter wasn't supported and now i'm on study leave. makes me worry about what i give out on the internet and how insecure it is.
     
  4. Infinite Zero

    Member Infinite Zero Almost!

    Joined:
    Apr 25, 2010
    Messages:
    2,922
    Location:
    California
    Country:
    United States
    I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
     
  5. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    One "solution" is to have an always-on connection on a computer at a secure location (e.g. home), setup an SSH server on it, then log into it any time you are using a public WiFi connection.

    But this particular add-on isn't what "created" the problem, and it is silly to say so. The problem is that popular sites don't use secure connection. This was always possible, just harder before. This extension was made to bring to light the simplicity of doing this, and thus spur the sites into action.

    Another program called "idiocy" was also created, in I believe less than 100 lines of code that will automatically log into any active Twitter account on the local WiFi network and post an update.
     
  6. Frederica Bernkastel

    Member Frederica Bernkastel WebPerf and PWA advocate; @antoligy on Twitter

    Joined:
    Jan 31, 2008
    Messages:
    3,145
    Location:
    Hinamizawa
    Country:
    United Kingdom
    I've been DNS tunneling (nb SSH over DNS) all my traffic whenever I use a public hotspot, so I'm fairly sure I'm okay.
     
  7. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

    IE; Doesn't actually work if it's not already HTTPS.
     
  8. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Well, it DOES work in some cases where the site supports HTTPS, but doesn't use it by default (e.g. GMail, Facebook...)
     
  9. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    Gmail and facebook use HTTPS by default as soon a you try to sign in...
     
  10. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Facebook certainly does NOT for me. Perhaps during the sign in process, but not for the rest of the session, which is the problem. It does seem to work with HTTPS during the session though if you change it in the URL, however "Chat" won't work (presumably there is some issue with HTTPS and Chat...)
     
  11. playallday

    Member playallday Group: GBAtemp Ghost

    Joined:
    May 23, 2008
    Messages:
    3,773
    Location:
    [@N@[)@
    Country:
    Canada
    .
     
    Last edited by playallday, Jun 22, 2015
  12. FAST6191

    Reporter FAST6191 Techromancer

    pip
    Joined:
    Nov 21, 2005
    Messages:
    21,731
    Country:
    United Kingdom
    Is it not also the case that such a technique will also see you able to bypass the ever lovely redirects that such hotspots (and some 3g implementations* for that matter) do to try and get you to pay for use of their services (others think a more elaborate block everything but port 80 idea you might have seen some of the more lowly security implementations). Not that I would know anything about such things (or have multiple dyndns accounts maintained for various reasons).

    Also +1 to others, we have had packet scanners for years (I used to wind up my little brothers by snatching their MSN conversations out of the air using it).

    *if it does work I advise not using it- telecommunications companies get a bit touchy about use of their services in such a manner.
     
  13. Terminator02

    Member Terminator02 ヽ( 。 ヮ゚)ノ

    Joined:
    Apr 10, 2010
    Messages:
    4,517
    Location:
    Somewhere near monkat
    Country:
    United States
    the reason it's so big is because it's make it easy to watch what other people are doing etc. The process used to be fairly complicated, and only those well educated in computers could do it.

    also, this can be detected with Blacksheep
     
  14. Urza

    Member Urza hi

    Joined:
    Jul 18, 2007
    Messages:
    6,493
    Country:
    United States
    Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

    If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
     
  15. Slyakin

    Member Slyakin See ya suckers

    Joined:
    Oct 15, 2008
    Messages:
    4,450
    Location:
    Soviet Slyakin
    Country:
    United States
    Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


    Not to mention, Firesheep is pretty darn fun. [​IMG]
     
  16. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).

    But I believe that if someone has a vague idea what they're doing, they can still sniff the packets and get into active sessions. (I wouldn't have a clue how to do that, and thankfully I don't believe its too easy, but there are those who would know how to do it)

    EDIT: Just watched a video on sniffing packets etc., it is VERY easy. Takes a few minutes, but is pretty simple. Dunno about on "secured" connections though. I assume if you can crack the encryption, its not too much harder.
     
  17. Urza

    Member Urza hi

    Joined:
    Jul 18, 2007
    Messages:
    6,493
    Country:
    United States
    No, it doesn't. WEP doesn't use unique session keys.

    It must have been due to some other failure.
     
  18. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Hmm, perhaps it was because I was already logged in when he tried. In fact, yeah I'd say thats probably it.
     
  19. FAST6191

    Reporter FAST6191 Techromancer

    pip
    Joined:
    Nov 21, 2005
    Messages:
    21,731
    Country:
    United Kingdom

    I should have mentioned it first time around but the popular noscript addon (which most of the security concious types will probably already be using) has such functionality. enter the options of noscript -> advanced tab, HTTPS sub tab, the rest should be obvious.
     

Share This Page