This is Part 3 of the Firesheep series, How to Beat Firesheep. Part 1 introduced the tool and the attack, Part 2 talked about the seriousness of the vulnerability. Part 3 will tell you how to beat Firesheep.
Let's drop in a lil napalm and cook 'em down!
First, let's set up some basic ground rules:
- We all know you're going to be on Open Wifi at some point, so telling you "get off open wifi" is retarded
- The problem is essentially owned by the website operators, not the Wifi operators. The issue is HTTP cookies, and the ability to session-hijack, not the ability to login to a Wifi access point at Starmucks.
- Sites that are vulnerable to this attack today may not be vulnerable tomorrow. However, there will always be sites that are vulnerable, so it is important to at least try to browse securely while on Open Wifi
Some of these solutions will be geared toward the technically savvy. Some of them will be easy. Some of them may require that you pay money. Overall, I think at least one of these solutions will work for everyone.
Let's get started.
1. Secure your browsing on the Open Wifi by using a VPN. This is by far the most effective and best way of solving the problem. This will encrypt all of your traffic on the wifi network and defeat anyone trying to use Firesheep against you. It can, however, cost you a few bucks. Solutions like VyprVPN are perfect for solving the session-hijack problem. See my earlier review on VyprVPN here (figures it would come in handy!). Quick note: VyprVPN is included free in Giganews subscriptions.
2. Secure your browsing on the Open Wifi by using SSH. This is very similar to using a VPN, except I would consider it much more difficult to set up. Essentially it provides the same benefit, an encrypted connection. Lifehacker did a good tutorial a while back on setting up a free SSH server using your home computer here. Cygwin and OpenSSH are essentially the solutions here, but beware, setup is perhaps not for the faint of heart. Ducks need not apply.
3. Utilize SSL versions of websites (HTTPS rather than HTTP). This is easy. Many websites have HTTPS versions, even Facebook. However, there is a major drawback: oftentimes while browsing you will inadvertently switch back to HTTP. Try that Facebook link, then click around - see the problem? You're switching from HTTPS to HTTP in a heartbeat. This solution is easy, but perhaps less than ideal, and not very effective.
4. Install Firefox addons that will automatically direct you to HTTPS website versions. Two options are: HTTPS Everywhere and Force-TLS. This is also easy, and it will solve the problem of having to remember to type "HTTPS", or change your bookmarks. The addon will automatically direct you to the secure version of the site. Of course this still suffers from the same problem as #3: websites will easily switch you from HTTPS to HTTP, so it is still problematic.
5. Use the "Blacksheep" addon. Blacksheep is a Firefox addon that will supposedly scan the Open Wifi you are on and determine if anyone is running Firesheep on it. So, if you see a return, then at least you are aware of what's going on, and can hopefully take the necessary precautions. Still, this does not solve the problem, it only makes you aware of the potential danger. Blacksheep does tell you the IP address of the attacker though. But if you're sitting in Starmucks, this may mean all you can do is yell out "Hey 192.168.0.XXX, you SMOKE POLE!" There is another drawback to this too - you don't need Firesheep to conduct this type of attack (Wireshark + WinPcap = Win). So although Blacksheep may detect Firesheep, it does not solve the session-hijack problem. The other issue here is that this software is newly released, which could mean a back-and-forth between the "sheep" (fix, counter, fix, counter).
6. Use a Mifi/Cellular Modem/Hotspot type device. I think every major cellular provider in North America sells these things. Some of them are just USB sticks you plug into the computer. In other cases, you can tether your phone to the laptop. The problem here is this costs money, a lot of money, and is tantamount to saying "don't use Open Wifi". Not an ideal solution, although it is effective at solving the problem.
7. Use Fireshepherd. This is a brand new piece of software designed specifically to combat Firesheep. It is not an addon like Blacksheep. Fireshepherd periodically sends out a stream of garbage that is intended to screw up or crash Firesheep. YMMV with this software. So far I have not read any reviews or done extensive tests myself. As I said, it's brand new. The other potential drawback is that this, like Blacksheep, does not address the actual root problem of session-hijacking. In other words, this may be another solution to the Firesheep issue, but not a solution to the session-hijacking problem. This is also vulnerable to the same tit-for-tat as Blacksheep.
8. On a Mac? Try Meerkat. This is basically setting up SSH for your Mac, but Meerkat makes it a little easier. Of course, Meerkat costs money. There is a very good guide that deals with the entire Meerkat setup process here. Remember, OpenSSH is installed in Mac OS X by default. However, you are still going to have to deal with setup, and again, that depends on whether you're a duck or not...
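Why the HTTPS-based solutions above fall short, as an added example that is not part of the original post: this Python code audits a set of HTTP responses for what lets a sniffer on open wifi pick up a session, namely cookies set without the Secure flag, redirects from HTTPS back to HTTP, and HTTPS pages without a Strict-Transport-Security header. The hostnames, cookie names and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (made-up hosts and cookies): a login over HTTPS that
# bounces back to HTTP, and a second site that stays on HTTPS throughout.
SAMPLE_RESPONSES = [
    ("https://social.example/login", {
        "Set-Cookie": ["session=abc123; Path=/; HttpOnly",
                       "csrf=zzz; Path=/; Secure"],
        "Location": "http://social.example/home",
    }),
    ("http://social.example/home", {
        "Set-Cookie": ["prefs=dark; Path=/"],
    }),
    ("https://bank.example/login", {
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": ["sid=q9; Path=/; Secure; HttpOnly"],
        "Location": "https://bank.example/account",
    }),
]

def cookie_is_secure(set_cookie):
    """True if the Set-Cookie value carries the Secure attribute."""
    # Skip the leading name=value pair so a cookie *named* "secure" is not a match.
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs

def audit(responses):
    """Return (url, finding) pairs for anything a passive sniffer could use."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme
        if scheme == "http":
            findings.append((url, "page served over plain HTTP"))
        elif "Strict-Transport-Security" not in headers:
            findings.append((url, "no HSTS header: browser may return over HTTP"))
        location = headers.get("Location", "")
        if scheme == "https" and urlsplit(location).scheme == "http":
            findings.append((url, "redirect downgrades HTTPS to HTTP"))
        for cookie in headers.get("Set-Cookie", []):
            if not cookie_is_secure(cookie):
                name = cookie.split("=", 1)[0]
                findings.append((url, f"cookie '{name}' lacks Secure flag"))
    return findings

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_RESPONSES):
        print(f"{url}: {finding}")
```

A cookie without the Secure flag is sent on every plain-HTTP request to that host, so one downgraded click is enough to put it on the air in cleartext.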
Warning from Blacksheep that Firesheep is active on your network
What are the other pundits saying? Most of them are going with VPN as the best solution, including the Firesheep developer himself. Hey, if Harvard recommends VPN, there must be something to it, right?
I heard these people were smart
I would honestly recommend people look into a secure service like VyprVPN. Cost is minimal and benefits are great, especially if you are conducting "work" over open Wifi, or if you are spending time on social, financial, or other private sites. Consider it your own little private encrypted tunnel on an otherwise open network. I have no problem endorsing VyprVPN as an ideal solution that will keep you on Open Wifi, but keep you safe from kiddies session-hijacking your logins (VPN solves a number of other security concerns as well). As I mentioned in my earlier review, this service also comes free with Giganews, so if you're already on Usenet, now may be the time to look at Giganews.
I figure it's also worth mentioning solutions that are NO GOOD. In other words, these will NOT WORK.
- Using Tor. Tor will not solve your problems. In fact, if the owner of the exit node is running Firesheep, you just got pwned, hard. Even the Firesheep developer thinks using Tor is a bad idea.
- Enable WPA2 and tell yourself "it's all good now". Sure, you've done good, but you can still get pwned, pretty hard. ARP poisoning and DNS spoofing take a little bit more tech savvy, but software exists to conduct those attacks as well - on either a wireless WPA2 network, or a wired network. Google: Cain and Abel.
- Using a VPN or SSH tunnel you don't know and trust. This is bad, mmkay? You just pushed the problem off to that exit connection. Since you don't know anything about it, and clearly can't trust it...you're basically asking for trouble. "Use VPN" is good, but just blindly using whatever VPN is not - get it?
As you can see from the above, the solutions basically come in two flavors:
- Encrypt all of your communications on the wireless network (VPN, SSH, Meerkat, etc)
- Encrypt the communications with the particular website (HTTPS, Addons, etc.)
Both of these flavors have one thing in common: encryption. If you don't know, now you know. BTW, if you are running Firesheep for whatever purpose, be aware that Microshaft is detecting it as a "virus/malware". I lol'd. Another BTW, if you are using the standard Windows antivirus/antimalware you should seriously consider upgrading to an alternative.
Getting pwned by script kiddies is bad, mmmkay?