How to protect against Firesheep attacks

Experts suggest defensive measures to ward off Firefox add-on's hijacking of Facebook, Twitter sessions via Wi-Fi


A VPN encrypts all traffic between a computer -- a laptop at the airport gate, for instance -- and the Internet in general, including the sites vulnerable to Firesheep hijacking. "It's as good a solution as there is," Wisniewski said, "and no different, really, than using encrypted Wi-Fi."

One provider, Strong VPN, prices its service starting at $7 per month or $55 per year.

Gallagher, however, warned that a VPN isn't a total solution. "That's just pushing the problem to that VPN or SSH endpoint," he said. "Your traffic will then leave that server just as it would when it was leaving your laptop, so anyone running Firesheep or other tools could access your data in the same way."

"A blind suggestion of 'use a VPN' doesn't really solve the problem and may just provide a false sense of security," he said.

Strong VPN disagreed. "Our servers are in a secure datacenter, so no one's going to be able to 'sniff' the traffic coming in or going out," a company spokesman countered. "All the traffic from, for example, your laptop in San Francisco, is encrypted when it goes to one of our U.S. servers."

Storms echoed Strong VPN's assertion. "I can see [Gallagher's point], that a VPN doesn't solve the root problem, which is on the service end," he said. "But although it's true that the traffic would be clear text when it leaves the VPN server for the site, it's very unlikely that someone would snoop that traffic."

Sean Sullivan, a security advisor with F-Secure, recommended Comodo's TrustConnect as "a VPN in all but name only." Comodo, a rival of F-Secure, sells the service for $7 per month or $50 annually.

If free is the object, there are options there, too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites.

One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google's search engine.

The other choice, Force-TLS, serves the same purpose as the EFF's extension, but lets users specify the sites on which to enforce encryption.
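As an added illustration, not code from the EFF, Force-TLS or this article, here is the core rule such an add-on applies: rewrite a plain http:// request to https:// when the host is on the forced-encryption list. The site list, the subdomain matching and the handling of non-default ports are my assumptions about how a minimal version would behave.

```javascript
// Added example of a "force HTTPS" rule set in the spirit of the add-ons
// described above; not the add-ons' own code. Uses the WHATWG URL class
// that is global in modern Node.js and browsers.

// Constructed sample list (assumption), modelled on the kind of site list
// the article says HTTPS-Everywhere ships with and Force-TLS lets users edit.
const FORCED_SITES = ["facebook.com", "twitter.com", "paypal.com", "www.google.com"];

// True when host equals the listed site or is a subdomain of it
// (m.facebook.com matches facebook.com; notfacebook.com does not).
function hostMatches(host, site) {
  host = host.toLowerCase();
  site = site.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Return the URL the browser should actually load: an https:// version when
// the host is on the list, otherwise the original string untouched.
function enforceHttps(rawUrl, sites = FORCED_SITES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return rawUrl; // not an absolute URL; nothing to rewrite
  }
  // Only plain http:// is upgraded; https, ftp, file, etc. are left alone.
  if (url.protocol !== "http:") return rawUrl;
  // A custom port (e.g. :8080) has no known TLS counterpart; leave it alone
  // rather than guess and break the site (assumption about desired policy).
  if (url.port !== "") return rawUrl;
  if (!sites.some((s) => hostMatches(url.hostname, s))) return rawUrl;
  url.protocol = "https:"; // the session cookie now travels inside TLS
  return url.toString();
}
```

A real extension would hook the browser's request pipeline and call a function like `enforceHttps` on every navigation and sub-resource fetch, which is the step this standalone snippet omits.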

However, other browsers, such as Microsoft's Internet Explorer and Google's Chrome, lack similar add-ons, leaving their users out in the cold.

"I expect that [Firesheep] will spur the EFF or others, maybe in the open source community, to some additional development [of such add-ons], maybe Chrome ports of those extensions," Sullivan said.

That could take months. In the meantime, Sullivan had another idea. "A MiFi device can encrypt [traffic], so with one you're always carrying your own Wi-Fi hotspot with you," he said.

MiFi isn't cheap, however. Verizon, for example, gives away the hardware but charges between $40 and $60 per month for access to its 3G network.

Ultimately, the moves users make to plug the holes Firesheep exposes are stop-gaps. The elephant in the room, said Butler and Gallagher as they defended the release of the add-on, is the lack of full encryption. And only the sites and services can fix that.

"The real story here is not the success of Firesheep but the fact that something like it is even possible," Butler wrote in his blog on Tuesday. "Going forward, the metric of Firesheep's success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."

But for the moment, even security professionals are worried. "I'm at the airport right now," Wisniewski told Computerworld. "And I'm wondering if someone is using Firesheep here. Maybe I should do a little 'shoulder browsing' to see if anyone has it running."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
