Gaming Firesheep add-on.

DeMoN

Got an email from my university a few days ago, saying that public WiFi spots are all compromised because of this add-on, which lets anyone who uses it log on to your Facebook account or whatever, as long as you're connected to the same unencrypted network. Currently the only way to prevent this is to use a secured network, log in to a VPN, or visit only https sites.

Has anyone else heard about this?
 

SifJar

One "solution" is to have an always-on connection on a computer at a secure location (e.g. home), set up an SSH server on it, then log into it any time you are using a public WiFi connection.

But this particular add-on isn't what "created" the problem, and it is silly to say so. The problem is that popular sites don't use a secure connection. This was always possible, just harder before. This extension was made to bring to light the simplicity of doing this, and thus spur the sites into action.

Another program called "idiocy" was also created, in I believe less than 100 lines of code, that will automatically log into any active Twitter account on the local WiFi network and post an update.
 

Rydian

Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

I.e., doesn't actually work if it's not already HTTPS.
 

SifJar

Rydian said:
Infinite Zero said:
I have heard about this on InfoUplink and tinkernut on YouTube. The easy solution is to add "s" on http
Adding the S will turn it into an SSL connection about as well as calling your dog "horse" will make it into a horse.

I.e., doesn't actually work if it's not already HTTPS.

Well, it DOES work in some cases where the site supports HTTPS, but doesn't use it by default (e.g. Gmail, Facebook...)
 

SifJar

Rydian said:
Gmail and Facebook use HTTPS by default as soon as you try to sign in...
Facebook certainly does NOT for me. Perhaps during the sign in process, but not for the rest of the session, which is the problem. It does seem to work with HTTPS during the session though if you change it in the URL, however "Chat" won't work (presumably there is some issue with HTTPS and Chat...)
 

FAST6191

Antoligy said:
I've been DNS tunneling (nb SSH over DNS) all my traffic whenever I use a public hotspot, so I'm fairly sure I'm okay.

Is it not also the case that such a technique will also see you able to bypass the ever lovely redirects that such hotspots (and some 3G implementations* for that matter) do to try and get you to pay for use of their services (others think a more elaborate block everything but port 80 idea you might have seen some of the more lowly security implementations)? Not that I would know anything about such things (or have multiple dyndns accounts maintained for various reasons).

Also +1 to others, we have had packet scanners for years (I used to wind up my little brothers by snatching their MSN conversations out of the air using it).

*If it does work I advise not using it - telecommunications companies get a bit touchy about use of their services in such a manner.
 

Urza

Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
 

Slyakin

Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.
 

SifJar

Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).

But I believe that if someone has a vague idea what they're doing, they can still sniff the packets and get into active sessions. (I wouldn't have a clue how to do that, and thankfully I don't believe it's too easy, but there are those who would know how to do it)

EDIT: Just watched a video on sniffing packets etc., it is VERY easy. Takes a few minutes, but is pretty simple. Dunno about on "secured" connections though. I assume if you can crack the encryption, it's not too much harder.
 

Urza

SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.
 

SifJar

Urza said:
SifJar said:
Urza said:
Firesheep is completely neutralized if the hot spot owner simply switches over to WPA with a public password (a library with the password "library" for example). WPA inherently gives each client a private session key, making this kind of cookie hijacking considerably more difficult (and making the current iteration of Firesheep nonfunctional).

If there are any public hot spots you use regularly, try to explain to the owners the dangers and convince them to implement this solution. I'm sure a quick demonstration of the plugin will suffice.
WEP also seems to stop it from working, even if it is a pathetic security standard (this is what the WiFi in my house uses, and another person in my house could not log into my sessions with FireSheep).
No, it doesn't. WEP doesn't use unique session keys.

It must have been due to some other failure.

Hmm, perhaps it was because I was already logged in when he tried. In fact, yeah I'd say that's probably it.
 

FAST6191

Slyakin said:
Try this. It automatically makes websites encrypt themselves if they have the option. It works well.


Not to mention, Firesheep is pretty darn fun.


I should have mentioned it first time around but the popular NoScript addon (which most of the security conscious types will probably already be using) has such functionality. Enter the options of NoScript -> advanced tab, HTTPS sub tab, the rest should be obvious.
 
