Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTTPS Everywhere Gets Firesheep Protection

Posted by timothy on from the mitigating-malicious-mutton dept.

coondoggie writes "The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against 'Firesheep' and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors' log-in credentials."

16 of 77 comments (clear)

  1. And the ISP will sniff you. by Anonymous Coward · · Score: 2, Informative

    There's no substitute for end-to-end encryption.

  2. Duh? by girlintraining · · Score: 2, Funny

    Wait, unencrypted signals sent over the air with your password and login is bad? If only someone had told me... /snark

    Seriously though: Unencrypted. Open. Network. Come'on guys.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Duh? by The+MAZZTer · · Score: 4, Informative

      Firesheep never used login credentials. It never needed to. Session cookies were enough to impersonate another user... so any visit to any HTTP page on any site allowed a Firesheep user to impersonate you on that site in theory (of course if you're logged out this is of limited use, but if you're logged in they can impersonate you without login details).

    2. Re:Duh? by blueg3 · · Score: 4, Informative

      Many of the sites that Firesheep attacks use HTTPS for their login, so you don't send your credentials in the clear, but fall back to HTTP for delivery of content. The point Firesheep attempts to make is that this is not sufficient -- your unencrypted HTTP requests contain the session cookie that your encrypted login obtained. The session cookie is just as useful, as long as you make use of it "soon".

    3. Re:Duh? by leptechie · · Score: 2, Informative
      The extension forces requests to be sent over SSL/TLS for all communication, as long as the site supports it. Works on Facebook, even Google searches, so yes this is a useful countermeasure. Of course, it is wholly dependent on the site supporting HTTPS in the first place.

      I've tried similar extensions, and Facebook gladly connects over HTTPS when manually instructed to, but reverts to normal HTTP on pretty much any click, this just keeps the connection on HTTPS regardless of the link target. The only downside, specifically on FB but certainly similar problems on other sites: no chat. So there are compromises, but probably worth it.

  3. Probably breaks lots of web sites by defaria · · Score: 2, Interesting

    Stated simply, many web sites just can't handle https.

    1. Re:Probably breaks lots of web sites by oodaloop · · Score: 4, Informative

      Um, no. That would be pretty dumb. IF the site has an https page, it directs to that. If not, it doesn't.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  4. How does HTTPS Everywhere do it? by Bromskloss · · Score: 2, Interesting

    Does it parse the webpage you are on and rewrite every link to use HTTPS or, better, does it intercept every request Firefox makes and rewrite that before it is sent?

    The reason I'm interested is that I want to create an extension that does rewrites in the latter way described, but don't know how to do it.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  5. Re:CA's are the problem, not the crypto by Logic+Worshiper · · Score: 3, Insightful

    A self signed certificate would be fine for most of what HTTPS Everywhere does.

    End to end encryption is for stuff that really matters, not facebook and other crap that's public to the internet anyway.

  6. Actions you must take for firesheep protection by Fnord666 · · Score: 2, Informative
    According to the release notes, there are specific actions that you must take to enable some of this protection:

    The 0.9.0 release of HTTPS Everywhere is a new beta version designed to offer improved protection against Firesheep. Most notably, it can provide much better protection for Facebook, Twitter and Hotmail accounts, as well as completely new protection for bit.ly, Dropbox, Amazon AWS, Evernote, Cisco and Github. Unfortunately, in order to obtain maximum Firesheep protection, especially on Facebook, you must take two extra steps:

    • Turn on the "Facebook+" rule. You can do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It isn't on by default, because it can cause Facebook Apps to raise errors. We're still waiting for Facebook to fix this, and the chat problem :(.
    • Install the Adblock Plus Firefox extension too, and use it to block the insecure http:/// adds and trackers that Facebook (and other sites) sometimes include.
    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  7. Re:Apps? by pyster · · Score: 3, Insightful

    If you are using an open wireless you have the same http/https issues everyone else has, regardless of the device you are using.

  8. Re:Do Not Use Unsecured Wireless by Anonymous Coward · · Score: 2, Informative

    It's actually pretty common, and possibly even the norm.

    You can't just use a pre-shared key, so you have to use WPA enterprise. (a PSK is only slightly better than open, for privacy, if everyone knows it, and not terribly useful for regulating access to the network if you only want school affiliates to use the wireless resources).

    Often times you can't use the more common EAP types because the authentication data isn't stored in a way that's friendly to your radius servers.

    So now you have to write all sorts of documentation like "download this application that will take over your laptop's wireless card and you'll lose all your old network configs" or "Look for how your wireless card's supplicant configures EAP, and chose EAP-TLS, and then if it asks, select from the list of trusted certificate authorities verisign." Now get this information to all the users without standing around with out hiring a town crier, and hope that users actually read *and understand* the information when they don't even know if they've got a 32 of 64 bit system...

    So, while it is simple for you to configure your linksys wireless network at home, it isn't nearly as easy in the real world.

  9. Re:Do Not Use Unsecured Wireless by bunratty · · Score: 4, Informative

    It's not as simple as that. The traffic is encrypted only during one part of the way from your computer to the server, so cookies can be sniffed anywhere from the wireless router to the server. But it is as simple as using HTTPS. Then all traffic is encrypted all the way from your computer to the server, and you also have the stronger guarantee that your computer is talking to the server you think it is, so you cookies cannot be sniffed by third parties. StartSSL offers free SSL certificates to allow any site to encrypt all of its traffic.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  10. Re:Secure cookies by Mark+Hood · · Score: 2, Informative

    It can be done, but it's not being done - that's why this happens.

    --
    Liked this comment? Why not buy me something nice
  11. Re:Do Not Use Unsecured Wireless by Anonymous Coward · · Score: 2, Informative

    Enterprise or Pre-shared key WPA? Pre-shared keys are only marginally better than open, if everyone knows the key. If I know the PSK, I can force you to rekey your session then your traffic is unencrypted to me and I can use firesheep on you.

    And the fact that they use "mac-filter" leads me to think it is just PSK.

    That isn't to say these mechanisms are completely worthless, but they're not super-valuable.

    And I stand by my initial statement -- enterprise WPA in a university setting where you don't manage the end stations is hard.

  12. Re:CA's are the problem, not the crypto by Onymous+Coward · · Score: 2, Interesting

    Here's a way of handling certs which doesn't rely on those organizations: Perspectives

    http://www.cs.cmu.edu/~perspectives/