The Firesheep exploit -- a Firefox browser extension that lets an attacker snoop on a Wi-Fi connection to collect Website usernames and session IDs -- raises some interesting issues for Web security. So far, most of the focus has been on how individual users can protect themselves. But Firesheep's creator is trying to draw attention to how little encryption popular Web services and Web pages actually use, and how many use none at all.
We've got some worthwhile coverage on our site and I'll include some additional links below.
PC World's Ian Paul downloaded the Firesheep add-on and gave it a limited test drive with his PC and home Wi-Fi router. Overall, it works as promised...or as threatened. Essentially, Paul says, Firesheep is a packet sniffer that collects and analyzes Web traffic on an unencrypted Wi-Fi connection between Wi-Fi clients and an open access point. When a client's browser sends an unencrypted request to any of the 26 Websites in Firesheep's database (including everything from Amazon, through Google, to Yahoo), the Firesheep code sifts out and displays specific information from the site's cookie, typically the username and the session ID, but not the password. The password itself usually travels over HTTPS at log-in; the cookie the site then sets to remember that log-in travels in the clear with every later page request, and that cookie is what Firesheep captures. It is enough to let the attacker hijack that session, though not to take over the account or do anything that requires the password to be entered again.
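To make the mechanism concrete, here is an added example (written for this page, not Firesheep's own code) of the parsing step Paul describes: given the text of one plaintext HTTP request, it looks the host up in a "handler" table, pulls the named cookies out of the Cookie header, and reports the session. The host names, cookie names and captured requests are all constructed for illustration and are not taken from Firesheep's handler list.

```javascript
// Added example (not Firesheep's own code): how a passive sniffer pulls a
// session out of one plaintext HTTP request. Site names and cookie names are
// constructed for illustration, not taken from Firesheep's handler list.

// Hypothetical handler database: which cookies identify a session on a host.
const HANDLERS = {
  "www.example.com": { sessionCookies: ["sess"], userCookie: "user" },
  "social.example.net": { sessionCookies: ["sid", "sid_sig"], userCookie: "login" },
};

// Split a raw HTTP/1.1 request into request line and headers.
// Returns null if the text does not look like an HTTP request.
function parseHttpRequest(raw) {
  const end = raw.indexOf("\r\n\r\n");
  const head = end === -1 ? raw : raw.slice(0, end);
  const lines = head.split("\r\n");
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]$/.exec(lines[0]);
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    // Header names are case-insensitive; normalise to lower case.
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: m[1], path: m[2], headers };
}

// Turn "a=1; b=2" into { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Given one captured plaintext request, return the session if the host is in
// the handler table and every cookie the handler needs is present.
function extractSession(raw) {
  const req = parseHttpRequest(raw);
  if (!req || !req.headers.host) return null;
  const host = req.headers.host.toLowerCase();
  const handler = HANDLERS[host];
  if (!handler || !req.headers.cookie) return null;
  const jar = parseCookies(req.headers.cookie);
  const session = {};
  for (const name of handler.sessionCookies) {
    if (!(name in jar)) return null;   // incomplete session: not usable
    session[name] = jar[name];
  }
  return { host, user: jar[handler.userCookie] || null, session };
}

// Constructed captures. The first is what a logged-in browser sends in the
// clear for every page load after an HTTPS log-in: no password, only the
// cookie the site uses to remember who is logged in.
const CAPTURE_LOGGED_IN =
  "GET /inbox HTTP/1.1\r\n" +
  "Host: www.example.com\r\n" +
  "Cookie: user=alice; sess=9f3c0a7e1b; lang=en\r\n" +
  "\r\n";

// A host the sniffer has no handler for yields nothing.
const CAPTURE_UNKNOWN_HOST =
  "GET / HTTP/1.1\r\nHost: www.other.example\r\nCookie: sess=abc\r\n\r\n";

// A handler that needs two cookies gets nothing if only one is present.
const CAPTURE_PARTIAL =
  "GET /feed HTTP/1.1\r\nHost: social.example.net\r\nCookie: login=bob; sid=1234\r\n\r\n";

function demo() {
  return [CAPTURE_LOGGED_IN, CAPTURE_UNKNOWN_HOST, CAPTURE_PARTIAL].map(extractSession);
}
```

The point of the example is what is absent: nothing in the captured request carries the password, yet the `sess` value is all the site will ask for on the next request. Anything sent over HTTPS never reaches this parser, which is why the fix is on the server side.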
Firesheep's creator, programmer Eric Butler, has details and screen shots on his Website. The release of Firesheep has sparked a wave of commentary and coverage. A brief blog post around 8 a.m. Wednesday by security guru Bruce Schneier drew nearly 40 comments by 4 p.m. Many of them included a variant of "you don't understand" or "you're missing the point."
In terms of personal protection, you've got choices. Some aren't very attractive: don't use unencrypted Wi-Fi networks. Others are longstanding: use a virtual private network to create an encrypted tunnel, so that the only thing visible on the Wi-Fi link is VPN traffic. This is standard practice for corporate laptops, and increasingly so for smartphones and tablets with Wi-Fi.
For consumers, there are now a number of VPN services, which charge a monthly fee, usually in the $5-10 range. The service's VPN agent on the client connects to the service's VPN termination point in a secure data center. From there, the service makes the connection to the requested Web site or Web service.
Computerworld's Greg Keizer has a follow-up story that assesses these options and explores some of the security implications. Strong VPN is one such service. TrustConnect, from Comodo Security Services, is another.
There are free options, too. The Electronic Frontier Foundation created its own Firefox extension, HTTPS Everywhere. When you browse to a Website on its built-in list of sites known to support HTTPS, the EFF extension rewrites the page requests to that site to use the encrypted connection. Another Firefox extension, Force-TLS, forces HTTPS to be used as the default connection when it's available. There are two drawbacks: Microsoft Internet Explorer and Google Chrome don't have these extensions; and an extension can't force encryption a server doesn't offer, and Websites may not implement HTTPS at all, or may do so only for the initial log-on.
Ian Paul notes an emerging security specification, from the IETF, called HTTP Strict Transport Security (STS). Essentially, it's a policy mechanism: a Web server sends a header telling a browser that also supports STS to reach that site only over HTTPS for a stated period, so the browser rewrites any plain HTTP request to the site before it leaves the machine. Chrome has had STS support since version 4, and the upcoming Firefox 4 will have it also.
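The following is an added example of the policy logic an STS-aware browser applies; it is written for this page and is not Chrome's or Firefox's implementation. It parses the Strict-Transport-Security header, keeps a per-host policy with an expiry, and upgrades http:// URLs for covered hosts. The host names, header values and timestamps are constructed for illustration.

```javascript
// Added example (not a browser's own code): STS policy handling on the client.
// Host names, header values and times below are constructed for illustration.

// Parse a Strict-Transport-Security value such as
// "max-age=31536000; includeSubDomains". Returns null without a valid max-age.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (!/^\d+$/.test(val || "")) return null;   // malformed: ignore whole header
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
    // Unknown directives are ignored.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Per-browser store of hosts that have asked to be reached only over TLS.
class StsStore {
  constructor() { this.policies = new Map(); }

  // Record a header seen on a response. It only counts when the response
  // itself arrived over TLS: on open Wi-Fi anyone can inject a header into a
  // plain HTTP response, so a policy learned that way is worthless.
  record(host, headerValue, overTls, nowMs) {
    if (!overTls) return false;
    const p = parseStsHeader(headerValue);
    if (!p) return false;
    host = host.toLowerCase();
    if (p.maxAge === 0) { this.policies.delete(host); return true; } // site opting out
    this.policies.set(host, {
      expires: nowMs + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
    return true;
  }

  // Is there an unexpired policy for this host, or for a parent domain that
  // set includeSubDomains? Expired entries are dropped as they are met.
  mustUpgrade(host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= nowMs) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request leaves the browser.
  // A host without a policy is left alone, which is exactly the gap Firesheep
  // exploits on sites that never send the header.
  rewrite(urlString, nowMs) {
    const url = new URL(urlString);
    if (url.protocol === "http:" && this.mustUpgrade(url.hostname, nowMs)) {
      url.protocol = "https:";
    }
    return url.toString();
  }
}

// Walk through one browser's view of a constructed site.
function demo() {
  const store = new StsStore();
  const t0 = 1700000000000;
  const header = "max-age=60; includeSubDomains";
  store.record("example.com", header, false, t0);        // over HTTP: ignored
  const before = store.rewrite("http://example.com/login", t0);
  store.record("example.com", header, true, t0);         // over TLS: accepted
  const after = store.rewrite("http://example.com/login", t0 + 1000);
  const sub = store.rewrite("http://mail.example.com/", t0 + 1000);
  const expired = store.rewrite("http://example.com/login", t0 + 61000);
  return { before, after, sub, expired };
}
```

Two caveats follow directly from the code. The browser only learns the policy from a response it has already received over HTTPS, so the very first plain HTTP request to a site is unprotected. And the policy does nothing for a site that never sends the header, which is the situation Butler is complaining about.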
It takes longer to explain the exceptions and limitations of Web encryption than it does to explain Firesheep. Butler's rationale is that real protection ought to begin with the Web sites themselves, by implementing HTTPS and applying it to all traffic with a client browser, not just the log-on. The IETF's STS spec is an important step, but it only tells browsers to insist on HTTPS; it can only work if a given Website actually serves its pages over encryption.
In a blog post, he argues, "The real story here is not the success of Firesheep but the fact that something like it is even possible... Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."