Herding Firesheep
Steven J. Vaughan-Nichols, ZDNet Networking
Summary: The only real answer for Firesheep is for all Web 2.0 sites to start using security. That won’t be easy. Here’s how to start.
About the author: Steven J. Vaughan-Nichols’ work has been published in everything from highly technical publications (IEEE Computer, ACM NetWorker, Byte) to business publications (eWEEK, InformationWeek, ZDNet) to popular technology (Computer Shopper, PC Magazine, PC World) to the mainstream press (Washington Post, San Francisco Chronicle, BusinessWeek).
The more I think about Firesheep, the network packet sniffer for dummies, the more I realize that end-users are never going to be able to deal with the problems it brings to the table. Sure, there are lots of ways to handle Wi-Fi vulnerabilities from a user’s desktop. But, at the end of the day, the easier methods, such as forcing a site to set up a secure HTTP connection, won’t work with all sites, and some people are too dumb to use any protection even after they’ve been told that they’re letting anyone look over their virtual shoulders.
Yes, there is now a Windows program, FireShepherd, that knocks out nearby Firesheep users with a brute-force flood of junk packets. But, as the author of FireShepherd wrote, “the user is still in danger of all other session hijacking mechanisms” and “this is only a temporary solution to the Firesheep problem.” Exactly. I also wonder what transmitting a bunch of junk every 400 milliseconds or so is going to do to both your, and the network’s, overall throughput. Nothing good, I’m sure.
So, bottom line, the real solution to Firesheep is going to have to come from the Web sites and their owners. Firesheep’s author, Eric Butler, is correct when he writes that “The only effective fix for this problem [open, unencrypted Wi-Fi] is full end-to-end encryption, known on the web as HTTPS or SSL.” There really isn’t any other answer.
So why wasn’t this done ages ago? After all, there’s nothing remotely new about this security hole. It’s as old as wireless itself. The reason is that Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or TLS/SSL over HTTP (HTTPS), used to cost a lot in computer performance. Web site managers figured that, since only people who really knew what they were doing with sophisticated network packet sniffers like Wireshark could exploit it, they wouldn’t bother to protect users against the possibility of this small group of people attacking them.
Oh, and by the way, FireShepard won’t phase an experienced WireShark user for a minute.
Getting back to Firesheep, today, any idiot who can install a Firefox extension can not only snoop on the person the next table over, they can also grab their login information on such social networks as Facebook or Twitter to do with as they want.
This is going to blow up in Web 2.0 site owners’ faces. Someday soon, someone is going to lose important information to a Firesheep user and, this being America, they’re going to sue the site owner and their Web hosting company for damages.
If you have any brains and you run any kind of Web site where your users enter personal or important data, you need to start using TLS, SSL or HTTPS now.
In 2010, using these security protocols is not as hard on your server as it once was. Google has started doing it, and so can you. For example, you can now securely search the Web with Encrypted Google.
Most Web servers include TLS/SSL as an option. For Apache, for instance, you can use the Apache mod_ssl module and OpenSSL. Microsoft’s Internet Information Services (IIS) also makes setting up secure connections pretty straightforward.
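To make the Apache option concrete, here is an added example of what moving a site entirely to HTTPS with mod_ssl looks like. It is not configuration from the article or from the Apache project; the hostname, certificate paths and document root are placeholders. It also adds the one detail that matters most against Firesheep: marking the session cookie Secure, so the browser never sends it over plain HTTP even if a user types http:// or a page pulls in an unencrypted resource.

```apache
# Added example, not from the article. Minimal Apache httpd 2.2 setup that
# moves a site wholly onto HTTPS. Hostname, paths and document root are
# placeholders; adjust them for your own environment.
# Requires mod_ssl and mod_headers, e.g.:
#   LoadModule ssl_module modules/mod_ssl.so
#   LoadModule headers_module modules/mod_headers.so

# 1. Plain HTTP: serve nothing, send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# 2. HTTPS: all application traffic lives here.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    # Placeholder certificate, key and chain paths.
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

    # Drop SSLv2 and null/weak ciphers; let the server pick the cipher.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # The Firesheep-relevant line: every cookie the application sets gets
    # Secure (never sent over plain HTTP) and HttpOnly (not readable by page
    # scripts). Without Secure, one http:// request, for an image or a typed
    # address, replays the session cookie in the clear for a sniffer to read.
    Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
</VirtualHost>
```

After reloading, check the result from the outside: fetch a page that sets the session cookie and confirm that the Set-Cookie response header carries "Secure", and that a request to http://www.example.com/ answers with a 301 to the https:// address rather than content. If the application already sets Secure itself, the Header edit rule is harmless duplication and can be removed.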
If you discover your Web servers can’t handle the encryption load, then you can always use SSL accelerators instead. An SSL accelerator is typically either a PC card with its own processor or a stand-alone network device. Either one does the heavy processor lifting needed to run the encryption algorithms quickly.
There are many SSL accelerators, but over the years some of the more reliable brands I’ve found for this kind of work include: Barracuda SSL VPN; Cavium Networks’ SSL accelerator boards; and F5’s BIG-IP SSL Acceleration. Cisco and Juniper Networks, of course, have their own excellent line of SSL accelerators.
I’m going to be straight with you. Whatever you do, even if you can manage to get by just supporting encryption in software, it’s going to cost you more money. If you’re running a large, popular Web site, it could cost you well into the tens of millions. Really fast, really powerful SSL acceleration is not cheap. You just need to ask yourself: “Do I want to pay to upgrade my edge servers and network today, or do I want to pay some lawyer and his client tomorrow?” It’s really that simple.
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system.
Talkback: Most Recent of 19 Talkback(s)

RE: Herding Firesheep
adsffxdfvcbvvbvc, 11/01/2010 06:29 PM

Never cost that much if used properly. You only need it for sensitive data.
Go ahead and keep sending your Paris Hilton gossip and banal YouTube vids in the clear and let the sheep take a look...
Johnny Vegas, 11/01/2010 07:35 PM

They do not get their login information...
The password is never sent in the clear; what they are getting is their session cookie, and it is only valid @ that wifi spot. All the owners of the wifi hotspots have to do is turn on WPA and set the password to something simple and this issue goes away.
I think we should be using SSL for connections to sites where we keep personal information.
mrlinux, 11/02/2010 10:19 AM

RE: Herding Firesheep
@mrlinux
Then the owner of the 'free WIFI' has to deal with people asking/complaining/having problems connecting.
People need to learn, the hard way if necessary, how to manage their own security risks.
bwalker, 11/02/2010 10:44 AM

RE: Herding Firesheep
@mrlinux
Not entirely true.
I have many times shut down my laptop without logging off of sites, gone home, restarted my laptop, and the login session was still valid. With the number of networks that do many:few NAT, locking the cookie to an IP address would force users to log in repeatedly as their outgoing requests were distributed between the available outgoing channels.
I personally manage a network that has 4 separate internet connections, and the traffic is distributed between them by a single router, and have never had a session fail when the router shifted my requests to a new IP address.
erik.soderquist, 12/06/2010 07:50 AM

Pay now or later...hmmm!
There is no doubt in my mind every CFO will go for the pay-the-lawyers-later scenario.
bizcad, 11/02/2010 01:05 PM

RE: ...every CFO will go for the pay the lawyers later ...
@bizcad
Exactly. Spending the money NOW is taking money out of the CFO's bonu$, or the stockholders' profits. Why worry about a potential lawsuit until it actually happens; and then I will be out of here!!!
(/sarcasm)
[Just expressing the typical stupid corporate mentality aloud.]
fatman65535, 11/02/2010 01:59 PM

Just forget about it.
Let the sheeple go to the slaughterhouse! It's gonna be a lot of fun to hijack people for the next decade.
Tommy S., 11/03/2010 06:43 AM

RE: Herding Firesheep
The biggest thing I have against Firesheep is the number of script kiddies that will use it and think they're cool and/or know jack**** about anything. The author is a douche for that reason alone, never mind the unethical nature of his actions.
ITSamurai, 11/03/2010 08:58 PM

Phase?
"FireShepard won't phase an experienced WireShark user for a minute."
Yeah, but will it faze them?
gtvr, 11/04/2010 06:28 AM

RE: Herding Firesheep
Encrypted Google? What's the point. Google are going to share your searches with their advertisers anyway.
If you are concerned about privacy, never use Google, for starters.
techguru@..., 11/08/2010 09:37 PM

TROLL ALERT!
@techguru
Isocrates, 11/12/2010 01:21 PM

RE: Herding Firesheep
@Isocrates
Um, tell us why? What did he say that was a lie? That Google collects data? That they sell it to advertisers?
Stan57, 11/18/2010 11:47 AM

RE: Herding Firesheep
@techguru@... Use a different search engine, such as Startpage by Ixquick, who promise not to record your IP or queries, normally connects via SSL, and leaves no cookies on your machine. (User preferences are stored in the URL string and can be saved in your browser's favorites or bookmarks.)
phil8192, 11/16/2010 01:48 PM

RE: Herding Firesheep
@phil8192
And just why should we trust Ixquick? How are they any different than all the others that have claimed they don't collect/sell and were found out to be liars?
How are they making money? Who funds them? Who are they?
Stan57, 11/18/2010 11:51 AM