Firesheep: what, why, and how to protect yourself from it

Firesheep has been out for a while and it has totally opened my eyes to how vulnerable we can all be when we don't think of Internet security. I'll try to make it as simple as possible that even my teen kids can understand it.

What is Firesheep

If you're unfamiliar with Firesheep, you can read this article from the creator. If you find it too geeky then you should watch this vid instead:



Yes folks, ANYONE with this Addon can takeover your account without knowing your username nor password. This affects famous sites like Facebook and Twitter.

Why create Firesheep in the first place?

Firesheep was created to open the eyes of the users to possible hijacking of accounts. According to Butler and Gallagher:

"I wrote Firesheep because I was tired of having to deal with websites that were ignoring this problem of user privacy," Butler told me in his first interview since releasing Firesheep. "Hopefully sites like Facebook and Twitter will see this and decide protecting user privacy is a priority for them."

Watch the vid below for more on why they created it:

How do I protect myself from Firesheep and its ilk?

According to the Firesheep creator, here are the ways to protect yourself when you're in an open WiFi location:

While companies are implementing fixes (described below) you can do a few things to increase your level of security, but there’s no silver bullet (aside from stopping use of the services which you don’t want hijacked.)

• HTTPS-Everywhere - This is a Firefox extension created by the Electronic Frontier Foundation which makes Firefox use only HTTPS connections for certain websites. Like Firesheep, it only works on a defined list of websites, so it won’t protect you if you use any websites that it doesn’t support. It does not appear to be immediately simple for users to add sites without some development experience. HTTPS-Everywhere is well respected for doing what it claims to do safely.
• Force-TLS - As mentioned earlier, some websites support SSL but don’t implement it properly, leaving you at risk. This Firefox extension is similar to HTTPS-Everywhere but allows you to specify your own list of domain names to force encryption on.
• VPN - In some situations a VPN (or something similar such as an SSH tunnel) can be great. All traffic sent through a VPN is likely secure from your computer to the VPN server. But be aware that this is not a silver bullet and there are potential problems. See below for our warnings on using a VPN.

Ironically, the authors have suggested Firefox addons over Google Chrome, which is the reason now why I've decided to go back to Firefox. Besides adding the addons above, I've also added most of the addons from The Paranoid Kit to make my browser even more secure than before. Although there are Chrome extensions like the KB SSL Enforcer, it seems to go HTTP before it goes HTTPS and is therefore not an option for me.

Another common sense way to secure yourself from such attacks is to log out of sites rather than just close them. As mentioned in the video above, not logging out of Facebook or Twitter will make you vulnerable when you go to sites with FB or Twitter buttons. Think about it, logging out takes only a few seconds.

Unfortunately there will be sites that go bonkers when it's forced to undergo HTTPS. One of the examples is Status.net. You won't be able to post anything there when you force the site to HTTPS. Although it's been discussed here, the message is clear: Using HTTPS is too expensive for them and would rather become a paid feature rather than a basic one. A total turnoff really. Another example is if you force-HTTPS Facebook, you'll be unable to use the chat feature--which is totally fine by me.

The future of the internet has been shaped because of this addon. I just hope that sites like Facebook, Twitter, etc. think of making HTTPS default when anyone enters their site. Until then Firesheep (and its ilk) will keep on making their sites less secure.

Sources:
Announcement of Firesheep
Interview with Firesheep creators