Slashdot Mirror


HTTPS Everywhere Gets Firesheep Protection

coondoggie writes "The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against 'Firesheep' and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors' log-in credentials."


  1. And the ISP will sniff you. by Anonymous Coward · · Score: 2, Informative

    There's no substitute for end-to-end encryption.

  2. Re:Duh? by The+MAZZTer · · Score: 4, Informative

    Firesheep never used login credentials. It never needed to. Session cookies were enough to impersonate another user... so any visit to any HTTP page on any site allowed a Firesheep user to impersonate you on that site in theory (of course if you're logged out this is of limited use, but if you're logged in they can impersonate you without login details).

  3. Re:Duh? by blueg3 · · Score: 4, Informative

    Many of the sites that Firesheep attacks use HTTPS for their login, so you don't send your credentials in the clear, but fall back to HTTP for delivery of content. The point Firesheep attempts to make is that this is not sufficient -- your unencrypted HTTP requests contain the session cookie that your encrypted login obtained. The session cookie is just as useful, as long as you make use of it "soon".
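
The gap described in the comment above, as an added example that is not part of the original thread: it parses the `Set-Cookie` headers from an HTTPS login and reports which session cookies a browser would still attach to a later plain-HTTP request. The header values, the `site.example` URLs and the `SESSION_HINTS` name list are constructed assumptions, and Domain/Path matching is left out.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, standing in for the response to an HTTPS login.
LOGIN_SET_COOKIE = [
    "session_id=3f9a1c0e; Path=/; HttpOnly",    # no Secure flag
    "auth=77e0b5d2; Path=/; Secure; HttpOnly",
    "csrf_token=ab12cd34; Path=/; secure",      # attribute names are case-insensitive
    "lang=en; Path=/",
]

# Assumption: substrings that mark a cookie as session-bearing; tune per site.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and its Secure flag."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {part.partition("=")[0].strip().lower() for part in rest}
    return {"name": name, "value": value, "secure": "secure" in attrs}


def cookies_sent(jar, url):
    """Names of cookies a browser attaches to a request for url.

    Simplified: Domain and Path matching are ignored; only the Secure
    rule (send over https only) is modelled.
    """
    https = urlsplit(url).scheme == "https"
    return sorted(c["name"] for c in jar if https or not c["secure"])


def exposed_session_cookies(jar, plain_url="http://site.example/home"):
    """Session-like cookies that would cross the network unencrypted."""
    return [n for n in cookies_sent(jar, plain_url)
            if any(h in n.lower() for h in SESSION_HINTS)]


JAR = [parse_set_cookie(h) for h in LOGIN_SET_COOKIE]

if __name__ == "__main__":
    print("cleartext on http:", cookies_sent(JAR, "http://site.example/home"))
    print("exposed session cookies:", exposed_session_cookies(JAR))
```

Any name this reports is a cookie the site should set with the `Secure` attribute; when every request is kept on HTTPS, the same jar is sent only over the encrypted channel.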

  4. Re:Duh? by leptechie · · Score: 2, Informative

    The extension forces requests to be sent over SSL/TLS for all communication, as long as the site supports it. Works on Facebook, even Google searches, so yes this is a useful countermeasure. Of course, it is wholly dependent on the site supporting HTTPS in the first place.

    I've tried similar extensions, and Facebook gladly connects over HTTPS when manually instructed to, but reverts to normal HTTP on pretty much any click, this just keeps the connection on HTTPS regardless of the link target. The only downside, specifically on FB but certainly similar problems on other sites: no chat. So there are compromises, but probably worth it.

  5. Re:Probably breaks lots of web sites by oodaloop · · Score: 4, Informative

    Um, no. That would be pretty dumb. IF the site has an https page, it directs to that. If not, it doesn't.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.

  6. Actions you must take for firesheep protection by Fnord666 · · Score: 2, Informative

    According to the release notes, there are specific actions that you must take to enable some of this protection:

    The 0.9.0 release of HTTPS Everywhere is a new beta version designed to offer improved protection against Firesheep. Most notably, it can provide much better protection for Facebook, Twitter and Hotmail accounts, as well as completely new protection for bit.ly, Dropbox, Amazon AWS, Evernote, Cisco and Github. Unfortunately, in order to obtain maximum Firesheep protection, especially on Facebook, you must take two extra steps:

    • Turn on the "Facebook+" rule. You can do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It isn't on by default, because it can cause Facebook Apps to raise errors. We're still waiting for Facebook to fix this, and the chat problem :(.
    • Install the Adblock Plus Firefox extension too, and use it to block the insecure http:// ads and trackers that Facebook (and other sites) sometimes include.
    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  7. Re:Do Not Use Unsecured Wireless by Anonymous Coward · · Score: 2, Informative

    It's actually pretty common, and possibly even the norm.

    You can't just use a pre-shared key, so you have to use WPA enterprise. (a PSK is only slightly better than open, for privacy, if everyone knows it, and not terribly useful for regulating access to the network if you only want school affiliates to use the wireless resources).

    Often times you can't use the more common EAP types because the authentication data isn't stored in a way that's friendly to your radius servers.

    So now you have to write all sorts of documentation like "download this application that will take over your laptop's wireless card and you'll lose all your old network configs" or "Look for how your wireless card's supplicant configures EAP, and choose EAP-TLS, and then if it asks, select from the list of trusted certificate authorities verisign." Now get this information to all the users without standing around without hiring a town crier, and hope that users actually read *and understand* the information when they don't even know if they've got a 32 or 64 bit system...

    So, while it is simple for you to configure your linksys wireless network at home, it isn't nearly as easy in the real world.

  8. Re:Do Not Use Unsecured Wireless by bunratty · · Score: 4, Informative

    It's not as simple as that. The traffic is encrypted only during one part of the way from your computer to the server, so cookies can be sniffed anywhere from the wireless router to the server. But it is as simple as using HTTPS. Then all traffic is encrypted all the way from your computer to the server, and you also have the stronger guarantee that your computer is talking to the server you think it is, so your cookies cannot be sniffed by third parties. StartSSL offers free SSL certificates to allow any site to encrypt all of its traffic.

    --
    What a fool believes, he sees, no wise man has the power to reason away.

  9. Re:Secure cookies by Mark+Hood · · Score: 2, Informative

    It can be done, but it's not being done - that's why this happens.

    --
    Liked this comment? Why not buy me something nice

  10. Re:Do Not Use Unsecured Wireless by Anonymous Coward · · Score: 2, Informative

    Enterprise or Pre-shared key WPA? Pre-shared keys are only marginally better than open, if everyone knows the key. If I know the PSK, I can force you to rekey your session then your traffic is unencrypted to me and I can use firesheep on you.

    And the fact that they use "mac-filter" leads me to think it is just PSK.

    That isn't to say these mechanisms are completely worthless, but they're not super-valuable.

    And I stand by my initial statement -- enterprise WPA in a university setting where you don't manage the end stations is hard.