Firesheep developer poohpoohs mitigation tools

The developer of the Firesheep cookie-jacking plug-in has dismissed supposed easy-fix countermeasures as worse than useless. Eric Butler released the Firefox extension last month in order to illustrate the risk posed by the failure of many sites to encrypt session cookies used to authenticate their users, even if they might …

COMMENTS

This topic is closed for new posts.
  1. Keith T

    Would Eric Butler steal a child's bike?

    Would Eric Butler steal a child's bike to teach the child to keep his bike locked up?

    Would he beat up a staggering drunk to teach him binge drinking was wrong?

    Would he hurl bricks through windows to "encourage house builders to use better security practices"?

    Would he steal babies from a hospital maternity ward to promote better automated baby tracking systems?

    Would he hand out bags of bent nails to school children to be scattered on roads to protest the auto industry's failure to use puncture-proof tires?

    Freely deploying Firesheep is no different.

    1. Rob Crawford

      <sigh>

      You forgot about 'think of the children'

    2. Ru

      What Would Eric Butler Do?

      Just for fun, try replacing 'Eric Butler' in Keith's post with the name of your 'favourite' UK tabloid.

      Now, if you can take a break from your self-righteous, 'ignorance is bliss' tirade (pausing, perhaps, to read up on logical fallacies) remember that any operating system that allows a user to trivially put a computer's wireless interfaces into promiscuous mode has been able to do this sort of thing for *years*.

      Mr Butler has done nothing new; he's merely packaged up and presented a succinct demonstration of a flaw that shouldn't exist on any website. Google were very slow in fixing gmail, and even they provided a purely HTTPS interface years ago to prevent this very problem!

      Clearly, letting the industry sort itself out in its own good time has been an utter failure. They've been utterly irresponsible, orders of magnitude worse than a little skiddie application and some publicity.

    3. Hayden Clark

      In plain sight

      Sigh. You have the intention wrong. The hack that FireSheep does is already possible - and may have already been implemented by real black-hats. Facebook et al won't budge and protect their users until forced - and releasing FireSheep might just force them, by bringing the exploit out into the open.

      It's like this: You give a bank your money. Someone gets in the back door, and steals a bit now and again. The bank don't seem to mind, as not much is stolen. So, to force them to properly secure their vault, you go in and steal all the money, and leave it on the counter so everybody can see. Now they notice, and now they properly secure the vault, like they should have in the first place.

    4. thecakeis(not)alie
      Pint

      Wait...

      ...binge drinking is wrong? Well that's all the fun out of my life then. I always thought so long as you didn't do it often enough to really be an "addiction" and you combined it with sensible actions like having a designated driver and/or sleeping arrangements then binge drinking was one of the greatest activities that humankind could engage in.

      Certainly has made for a large number of the really interesting and fun moments in my life!

      Pint; because I feel like drinking tonight...

    5. The Fuzzy Wotnot

      Hold together a cogent argument!

      "Would Eric Butler steal a child's bike to teach the child to keep his bike locked up?"

      No, but that's theft and is illegal.

      "Would he beat up a staggering drunk to teach him binge drinking was wrong?"

      No, that's assault and is illegal.

      "Would he hurl bricks through windows to "encourage house builders to use better security practices"?"

      No, that's vandalism and damage to property, also illegal.

      "Would he steal babies from a hospital maternity ward to promote better automated baby tracking systems?"

      No, that's kidnapping ( and theft?! ), once again illegal.

      "Would he hand out bags of bent nails to school children to be scattered on roads to protest the auto industry's failure to use puncture-proof tires?"

      No, that's endangering lives on the public highway. Again, illegal.

      Firesheep does nothing illegal, it merely pulls information from an open source. If you choose to abuse, then that's your business, but be prepared for the 6ft bloke who's just had his FB account cracked open to walk across the coffee shop and lump you one!

      Seriously though, if Eric went down to the B&Q ( DIY hardware store for those outside the UK ) and bought a crowbar, a hammer and a bag of nails. That's not illegal, he's done nothing wrong. If he then goes on to commit the crimes you mentioned using those tools, that's not the fault of the Stanley or B&Q is it? I don't see B&Q being collared in a lot of burglary cases for 'aiding and abetting', do you?

      Nmap, Wireshark, Aircrack, are any of these illegal? No, but they can be used for nefarious purposes if used in the "right" way.

  2. Anonymous Coward

    Android: when will we get proxy support

    So when will Android mobiles get a widget to connect to a proxy/ssh socks/openvpn tunnel?

    1. Anonymous Coward

      @Proxy

      As soon as you take ownership of your Android device and add one.....

      http://android-proxy.blogspot.com/

      ......it's possible Google may never spoon feed you, they supposedly have issues with the potential for location spoofing and 'local' content filtering proxies would offer. It's fairly trivial from a development PoV, can't think of any other reason why it's not implemented.

  3. Anonymous Coward

    Known for months?

    Screw that, I was updating a colleague's relationship status to engaged about two years ago. (Well he shouldn't have been on facebook during work hours).

    Was a little more involved than FireSheep though, it meant sniffing his HTTP connection, copying and pasting his facebook cookies and inserting them into Firefox using a cookie editor.

    Not AC because of the current boss (he thought it was bloody hilarious). Future ones may not think so though.

  4. banjomike

    illegal or at least unethical, maybe

    Stupid and unthinking, certainly.

  5. Richard 118

    Known for months?

    "The basic problem has been well understood in security circles for months"

    Erm try years, anyone with any knowledge of open WiFi networks could have told you years ago that your data was transmitted for anyone with enough knowledge to grab.

  6. The BigYin

    Is the answer really...

    ...as simple as using SSL?

    1. Raumkraut

      Yes

      All that's required is to always use SSL when logged in, or use a network secured with WPA (even with a publicly known password).

      1. The BigYin

        Hmm...

        ...I really thought I was missing something. I didn't realise that each WPA connection ran its own crypto, assumed that anyone connected could see data on that network (not read-up on the details of WiFi yet...really must).

        Good news: I don't run a public WiFi, you can all rest easy.
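
Editorial example added to this page, not written by any commenter in the thread: a site-side check for the "always use SSL when logged in" fix, which audits a login response for ways the session cookie could still travel in clear text. The host name, cookie names, finding labels and the sample response are all constructed assumptions.

```python
# Added example, not from the thread. The response below is constructed.
SAMPLE_LOGIN_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://social.example/home
Set-Cookie: session_id=3f9ac2e1; Path=/; HttpOnly
Set-Cookie: csrf=77aa01; Path=/; Secure
Set-Cookie: lang=en-GB; Path=/
"""

def parse_headers(raw):
    """Return lower-cased (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_name_and_attrs(set_cookie_value):
    """Split 'name=value; Attr; Attr=x' into the name and a set of attribute names."""
    first, *rest = [part.strip() for part in set_cookie_value.split(";")]
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return first.partition("=")[0], attrs

def audit_login_response(raw, session_cookie_names):
    """List reasons a session cookie from this response could cross the network unencrypted."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_name_and_attrs(value)
            # Without Secure, the browser also attaches the cookie to plain HTTP requests.
            if cookie in session_cookie_names and "secure" not in attrs:
                findings.append(("cookie-not-secure", cookie))
        elif name == "location" and value.lower().startswith("http://"):
            # HTTPS login that bounces the user back to HTTP for the rest of the session.
            findings.append(("http-redirect", value))
    if all(name != "strict-transport-security" for name, _ in headers):
        findings.append(("no-hsts", ""))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_login_response(SAMPLE_LOGIN_RESPONSE, {"session_id", "csrf"}):
        print(kind, detail)
```
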

  7. Keith 21

    Well he would say that...

    ...wouldn't he?

    It's in his interest to claim that countermeasures are ineffective, otherwise his story and fame disappear in a puff of smoke.

  8. Anonymous Coward

    Wifi Encryption

    This is only possible on account of unencrypted Wifi or WLANs using weak encryption like WEP. WPA2 which is what most Wifi network admins have switched to renders this attack obsolete.

    The same vulnerability exists when accessing non SSL sites at work - a rogue network admin with knowledge of Packet Sniffers like WireShark can easily harvest and hijack user cookie based sessions.

    > Is the answer really as simple as using SSL

    Yes and no. Correctly configured SSL encryption with a decent cipher and key length presents a major difficulty to a majority of crackers. However the additional processing overhead of packet encryption/decryption means to handle request volumes on a scale of Facebook's traffic would require major investment in additional server capacity and that means big dollars.

    Anonymous Coward (or someone pretending to be Anonymous Coward)

    1. Raumkraut

      SSL overhead is negligible

      The processing overhead of doing everything over SSL has been negligible for years. When Google switched to SSL by default for Gmail, they reported:

      "In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that."

      1. Anonymous Coward

        SSL overhead is negligible

        Google want to sell Gmail as a completely secure business solution so the engineering effort to reduce SSL memory overhead, handshake latency / roundtrips, optimisation of application/server data packet sizes, caching etc was likely considered a worthwhile investment.

        Facebook's use case is a billion teenagers exchanging idle chat, vanity photos and playing farmville - maybe this is why it's not considered a priority for them?

      2. Anonymous Coward

        SSL overhead is negligible

        What's interesting about this is on the one hand you have a whole bunch of certificate authorities & vendors keen to push SSL technologies as a standard for commercial reasons and another group - the spooks, intelligence agencies and governments for whom widespread adoption of SSL by the general public would be a complete disaster in terms of their interception capabilities or plans for data mining!

  9. Gareth

    @The BigYin

    Yup, it's that simple. If you control the router, the answer is as simple as turning on WPA encryption. I manage a few small public wifi networks (cafes, hotels, that kind of thing) and gave them a simple key (the SSID, or "internet" or similar). No more Firesheep.

    1. The BigYin

      Cool

      I'll have to read-up on the details of WPA (when I do run the WiFi at home, that's what it uses, router is too old for WPA2). I do wonder how tools like Aircrack-ng could make this even worse, but I doubt it's possible to decrypt the packets in real-time, unless one manages to sniff the hand-shaking I guess.

      But I really am ignorant of the details.

  10. adnim

    SSL

    SSLSniff + SSLStrip

    http://thoughtcrime.org

    WEP is pointless; may as well be plain text.
