Gaming Firesheep add-on.


DeMoN

Got an email from my university a few days ago, saying that public WiFi spots are all compromised because of this add-on, which lets anyone who uses it log on to your Facebook account or whatever, as long as you're connected to the same unencrypted network. Currently the only way to prevent this is to use a secured network, log in to a VPN, or visit only HTTPS sites.

Has anyone else heard about this?
 
One "solution" is to have an always-on connection on a computer at a secure location (e.g. home), set up an SSH server on it, then log into it any time you are using a public WiFi connection.

But this particular add-on isn't what "created" the problem, and it is silly to say so. The problem is that popular sites don't use a secure connection. This was always possible, just harder before. This extension was made to bring to light the simplicity of doing this, and thus spur the sites into action.

Another program called "idiocy" was also created, in, I believe, less than 100 lines of code, that will automatically log into any active Twitter account on the local WiFi network and post an update.
 
Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

I.e., doesn't actually work if it's not already HTTPS.
 
Rydian said:
Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

I.e., doesn't actually work if it's not already HTTPS.

Well, it DOES work in some cases where the site supports HTTPS, but doesn't use it by default (e.g. Gmail, Facebook...)
 
Rydian said:
Gmail and Facebook use HTTPS by default as soon as you try to sign in...
Facebook certainly does NOT for me. Perhaps during the sign in process, but not for the rest of the session, which is the problem. It does seem to work with HTTPS during the session though if you change it in the URL, however "Chat" won't work (presumably there is some issue with HTTPS and Chat...)
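
An added illustration of the gap described in the post above (HTTPS for sign-in, plain HTTP for the rest of the session); it is not code from any poster. It checks which cookies set by an HTTPS login a browser would still attach to a later plain-HTTP request, using the standard `Secure` cookie attribute. The host, cookie names and values are constructed, and path matching is simplified to a prefix test.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an HTTPS login response.
LOGIN_URL = "https://www.example.test/login"
LOGIN_SET_COOKIE = [
    "session_id=CONSTRUCTED-TOKEN; Path=/; Domain=example.test; HttpOnly",
    "login_csrf=CONSTRUCTED-CSRF; Path=/login; Secure",
]


def parse_set_cookie(header, default_host):
    """Extract the attributes that decide where a cookie is sent."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "secure": bool(morsel["secure"]),      # True only if Secure is present
        "domain": (morsel["domain"] or default_host).lstrip("."),
        "host_only": not morsel["domain"],     # no Domain attribute: exact host
        "path": morsel["path"] or "/",
    }


def sent_in_cleartext(login_url, set_cookie_headers, later_url):
    """Names of cookies a browser would attach to later_url unencrypted."""
    later = urlsplit(later_url)
    if later.scheme != "http":
        return []  # HTTPS request: cookies are not readable on the wire
    login_host = urlsplit(login_url).hostname
    exposed = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header, login_host)
        host = later.hostname
        domain_ok = host == c["domain"] or (
            not c["host_only"] and host.endswith("." + c["domain"]))
        path_ok = (later.path or "/").startswith(c["path"])
        # A cookie without Secure is sent over plain HTTP as well as HTTPS.
        if domain_ok and path_ok and not c["secure"]:
            exposed.append(c["name"])
    return exposed


if __name__ == "__main__":
    print(sent_in_cleartext(LOGIN_URL, LOGIN_SET_COOKIE,
                            "http://www.example.test/home"))
```

Marking the session cookie `Secure` and serving the whole session over HTTPS empties the result for every later URL.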
 
Antoligy said:
I've been DNS tunneling (nb SSH over DNS) all my traffic whenever I use a public hotspot, so I'm fairly sure I'm okay.

Is it not also the case that such a technique will also see you able to bypass the ever lovely redirects that such hotspots (and some 3G implementations* for that matter) do to try and get you to pay for use of their services (others think a more elaborate block everything but port 80 idea you might have seen some of the more lowly security implementations). Not that I would know anything about such things (or have multiple dyndns accounts maintained for various reasons).

Also +1 to others, we have had packet scanners for years (I used to wind up my little brothers by snatching their MSN conversations out of the air using it).

*if it does work I advise not using it- telecommunications companies get a bit touchy about use of their services in such a manner.
 
The reason it's so big is because it makes it easy to watch what other people are doing etc. The process used to be fairly complicated, and only those well educated in computers could do it.

Also, this can be detected with Blacksheep.
 
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
 
Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.
 
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).

But I believe that if someone has a vague idea what they're doing, they can still sniff the packets and get into active sessions. (I wouldn't have a clue how to do that, and thankfully I don't believe it's too easy, but there are those who would know how to do it)

EDIT: Just watched a video on sniffing packets etc., it is VERY easy. Takes a few minutes, but is pretty simple. Dunno about on "secured" connections though. I assume if you can crack the encryption, it's not too much harder.
 
SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.
 
Urza said:
SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.

Hmm, perhaps it was because I was already logged in when he tried. In fact, yeah I'd say that's probably it.
 
Slyakin said:
Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.


I should have mentioned it first time around but the popular NoScript add-on (which most of the security conscious types will probably already be using) has such functionality. Enter the options of NoScript -> Advanced tab, HTTPS sub tab, the rest should be obvious.
 
