Herding Firesheep

By Steven J. Vaughan-Nichols | November 1, 2010, 1:09pm PDT

Summary

The only real answer for Firesheep is for all Web 2.0 sites to start using security. That won’t be easy. Here’s how to start.

Biography
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge, PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it!

His work has been published in everything from highly technical publications (IEEE Computer, ACM NetWorker, Byte) to business publications (eWEEK, InformationWeek, ZDNet) to popular technology (Computer Shopper, PC Magazine, PC World) to the mainstream press (Washington Post, San Francisco Chronicle, BusinessWeek).

The more I think about Firesheep, the network packet sniffer for dummies, the more I realize that end-users are never going to be able to deal with the problems it brings to the table. Sure, there are lots of ways to handle Wi-Fi vulnerabilities from a user’s desktop. But, at the end of the day, the easier methods, such as forcing a site to set up a secure HTTP connection, won’t work with all sites, and some people are too dumb to use any protection even after they’ve been told that they’re letting anyone look over their virtual shoulders.

Yes, there is now a Windows program, FireShepherd, that knocks out nearby Firesheep users with a brute-force attack of junk packets. But, as the author of FireShepherd wrote, “the user is still in danger of all other session hijacking mechanisms” and “this is only a temporary solution to the Firesheep problem.” Exactly. I also wonder what transmitting a bunch of junk every 400 milliseconds or so is going to do to both your, and the network’s, overall throughput. Nothing good, I’m sure.

So, bottom line, the real solution to Firesheep is going to have to come from the Web sites and their owners. Firesheep’s author, Eric Butler, is correct when he says that “The only effective fix for this problem [open, unencrypted Wi-Fi] is full end-to-end encryption, known on the web as HTTPS or SSL.” There really isn’t any other answer.

So why wasn’t this done ages ago? After all, there’s nothing remotely new about this security hole. It’s as old as wireless itself. The reason is that Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or TLS/SSL over HTTP (HTTPS), used to cost a lot in computer performance. Web site managers figured that since only people who really knew what they were doing with sophisticated network packet sniffer programs like Wireshark could pull this off, they wouldn’t bother to protect users against the potential of this small group of people attacking them.

Oh, and by the way, FireShepard won’t phase an experienced WireShark user for a minute.

Getting back to Firesheep, today, any idiot who can install a Firefox extension can not only snoop on the person the next table over, they can also grab their login information on such social networks as Facebook or Twitter to do with as they want.

This is going to blow up in a Web 2.0 site owners’ faces. Someday soon, someone is going to lose important information to a Firesheep user and, this being America, they’re going to sue the site owner and their Web hosting company for damages.

If you have any brains and you run any kind of Web site where your users enter personal or important data, you need to start using TLS, SSL or HTTPS now.

In 2010, using these security protocols is not as hard on your server as it once was. Google has started doing it, and so can you. For example, you can now securely search the Web with Encrypted Google.

Most Web servers include TLS/SSL as options. For Apache, for instance, you can use the Apache mod_ssl module and OpenSSL. Microsoft’s Internet Information Services (IIS) also makes setting up secure connections pretty straightforward.

If you discover your Web servers can’t handle the encryption load, then you can always use SSL accelerators instead. An SSL accelerator is typically either a PC card with its own processor or a stand-alone network device. Either one does the heavy processor lifting needed to run the encryption algorithms quickly.
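As an added example (not from the column or its author), here is a minimal Apache mod_ssl configuration that does what Butler and I are asking for: every request on port 80 is redirected to HTTPS, the whole site is served over TLS, and the application’s session cookie is flagged so the browser never sends it in the clear, which is exactly the cookie Firesheep picks up. The hostname, document root and certificate paths are placeholders; mod_ssl, mod_alias and mod_headers are assumed to be loaded.

```apache
# Added example, not the article's own configuration. Hostname, paths
# and certificate files below are placeholders.

# Plain-HTTP listener: it serves nothing itself, it only sends every
# request (any path) to the HTTPS site with a permanent redirect.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# The real site: everything, not just the login page, goes over TLS,
# so the session cookie issued after login is never visible to a sniffer.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site

    SSLEngine on
    # Placeholder certificate and private key locations.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Refuse the obsolete protocol versions and anonymous/weak ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Append Secure and HttpOnly to every cookie the application sets,
    # including those on redirects and error pages ("always").
    # Secure: the browser will not send the cookie over http://.
    # HttpOnly: page scripts cannot read it.
    Header always edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"

    # Browsers that support HSTS will use HTTPS for this host for a year
    # even if a user types a plain http:// address.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Check the result with a browser's cookie viewer, or by fetching a page with curl and confirming that every Set-Cookie line in the response carries the Secure attribute.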

There are many SSL accelerators, but over the years some of the more reliable brands I’ve found for this kind of work include: Barracuda SSL VPN; Cavium Networks’ SSL accelerator boards; and F5’s BIG-IP SSL Acceleration. Cisco and Juniper Networks, of course, have their own excellent line of SSL accelerators.

I’m going to be straight with you. Whatever you do, even if you can manage to get by just supporting encryption in software, it’s going to cost you more money. If you’re running a large, popular Web site, it could cost you well into the tens of millions. Really fast, really powerful SSL acceleration is not cheap. You just need to ask yourself: “Do I want to pay to upgrade my edge servers and network today, or do I want to pay some lawyer and his client tomorrow?” It’s really that simple.


Disclosure

Steven J. Vaughan-Nichols is a freelance writer. He does not own stocks or other investments in any technology company.


Talkback Most Recent of 19 Talkback(s)

  • dfvcbvvbvc, 11/01/2010 06:29 PM
  • Never cost that much if used properly. You only need it for sensitive data.
    Go ahead and keep sending your Paris Hilton gossip and banal YouTube vids in the clear and let the sheep take a look...
    Johnny Vegas, 11/01/2010 07:35 PM
  • They do not get their login information...
    The password is never sent in the clear; what they are getting is their session cookie, and it is only valid at that wifi spot. All the owners of the wifi hotspots have to do is turn on WPA and set the password to something simple, and this issue goes away.

    I think we should be using SSL for connections for sites where we keep personal information.
    mrlinux, 11/02/2010 10:19 AM
  • RE: Herding Firesheep
    @mrlinux
    Then the owner of the 'free WIFI' has to deal with people asking/complaining/having problems connecting.

    People need to learn, the hard way if necessary, how to manage their own security risks.
    bwalker, 11/02/2010 10:44 AM
  • RE: Herding Firesheep
    @mrlinux

    Not entirely true.

    I have many times shut down my laptop without logging off of sites, gone home, restarted my laptop, and the login session was still valid. With the number of networks that do many:few NAT, locking the cookie to an IP address would force users to log in repeatedly as their outgoing requests were distributed between the available outgoing channels.

    I personally manage a network that has 4 separate internet connections, and the traffic is distributed between them by a single router, and have never had a session fail when the router shifted my requests to a new IP address.
    erik.soderquist, 12/06/2010 07:50 AM
  • Pay now or later...hmmm!
    There is no doubt in my mind every CFO will go for the pay-the-lawyers-later scenario.
    bizcad, 11/02/2010 01:05 PM
  • RE: ...every CFO will go for the pay the lawyers later ...
    @bizcad

    Exactly. Spending the money NOW is taking money out of the CFO's bonu$, or the stockholders' profits. Why worry about a potential lawsuit until it actually happens; and then I will be out of here!!!

    (/sarcasm)

    [Just expressing the typical stupid corporate mentality aloud.]
    fatman65535, 11/02/2010 01:59 PM
  • Just forget about it.
    Let the sheeple go to the slaughterhouse! It's gonna be a lot of fun to hijack people for the next decade.
    Tommy S., 11/03/2010 06:43 AM
  • RE: Herding Firesheep
    The biggest thing I have against Firesheep is the number of script kiddies that will use it and think they're cool and/or know jack**** about anything. The author is a douche for that reason alone, never mind the unethical nature of his actions.
    ITSamurai, 11/03/2010 08:58 PM
  • Phase?
    "FireShepard won't phase an experienced WireShark user for a minute."

    Yeah, but will it faze them?
    gtvr, 11/04/2010 06:28 AM
  • RE: Herding Firesheep
    Encrypted Google? What's the point? Google are going to share your searches with their advertisers anyway.
    If you are concerned about privacy, never use Google, for starters.
    techguru@..., 11/08/2010 09:37 PM
  • TROLL ALERT!
    @techguru
    Isocrates, 11/12/2010 01:21 PM
  • RE: Herding Firesheep
    @Isocrates

    Um, tell us why? What did he say that was a lie? That Google collects data? That they sell it to advertisers?
    Stan57, 11/18/2010 11:47 AM
  • RE: Herding Firesheep
    @techguru@... Use a different search engine, such as Startpage by Ixquick, who promise not to record your IP or queries, normally connect via SSL, and leave no cookies on your machine. (User preferences are stored in the URL string and can be saved in your browser's favorites or bookmarks.)
    phil8192, 11/16/2010 01:48 PM
  • RE: Herding Firesheep
    @phil8192
    And just why should we trust Ixquick? How are they any different than all the others that have claimed they don't collect/sell and were found out to be liars?
    How are they making money? Who funds them? Who are they?
    Stan57, 11/18/2010 11:51 AM
