How to protect yourself from Firesheep (and other wolves in disguise)

About a month ago codebutler released a firefox plugin called firesheep and shook the world (or at least the internet using part of it). Firesheep makes it possible to sniff unencrypted networks for credentials and take over someones identity; the HORROR !

The vulnerability that firesheep (ab)uses is not new, known for a very long time, widely spread, and called "session hijacking". A very simple overview can be found at the OWASP page about it.

In fact, the problem is so big that a tool like firesheep was necessary to finally create some awareness for it and according to the website that was also the main reason for releasing it:
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.


Unfortunately the problem resides on the web server side and can only be solved there but the solutions are known.

So, where does that leave us? Are we completely helpless? Luckily not. Over the last few weeks several solutions were posted all over the internet, but I felt none of them provided a complete overview, so that's why I wrote this post.

Let's start with the obvious: "Do not use unencrypted networks"
Although this might seem an "open door" it's not. Many applications run in the background connecting at regular intervals for updates and not only on laptops, but nowadays also on smart-phones. Make sure to disable automatic connections to unsecured networks.

"Only use https"
When you need to access a webpage that requires you to login make sure it supports https. This can be trickier than it looks as many websites only support https on the login page and switch back to http after the login has completed, making sniffing and a successful session hijacking attack possible again. Some websites (e.g. gmail ) allow you to force the use of https in the settings, but more sites don't.

Firefox users can use add-ons like 'https everywhere' or 'noscript' to force the browser to always use https on certain sites, but the problem remains that many sites do not support it on all pages or functionalities (e.g. facebook chat or linkedin). Users of IE, Chrome or Opera cannot even use these plugins.

"HTTPS tunneling"
A better solution is the use of an https tunnel. With a tunnel you basically create an encrypted connection to a trusted location and reroute all traffic over it. Although many SSL supporting web proxies exist, I personally wouldn't trust them with my login data so a better idea it to setup one yourself.
For this you need to have a webserver, but this might be easier than you think. Many home-use devices like a NAS have build-in support for this and you don't need much power if you only use it yourself; a simple apache server with php+ssl support is all you need. Providing a complete guide to set this up for every device or webserver is impossible, but the basic steps to set this up are:

1) install a php based proxy on your webserver (I use phproxy, but alternatives exist)
2) setup ssl in apache
3) i also recommend to at least setup basic authentication to prevent unauthorized access
4) open up the port in your firewall

When everything is running it is as simple as first browsing securely to your proxy after which you can safely have the proxy access insecure sites. This solution does have a few drawbacks though, the biggest one being broken functionality, but security comes at a price... Another drawback is that this solution cannot be used for applications other than the browser.

When you want use other applications securely on an unencrypted network you need more advanced solutions like an SSH tunnel. Again, providing a complete guide to set this up for every device or webserver is impossible, but here and here you can find the basics for setting up an SSH tunneling proxy using putty.

Another solution is using a VPN connection, but that might prove to be more difficult to set up. Fortunately many providers offer these solutions relatively cheap so google a bit around.

No comments:

Post a Comment