Herding Firesheep

Summary: The only real answer for Firesheep is for all Web 2.0 sites to start using security. That won't be easy. Here's how to start.


The more I think about Firesheep, the network packet sniffer for dummies, the more I realize that end-users are never going to be able to deal with the problems that it brings to the table. Sure, there are lots of ways to handle Wi-Fi vulnerabilities from a user's desktop. But, at the end of the day, the easier methods, such as forcing a site to set up a secure HTTP connection, won't work with all sites and some people are too dumb to use any protection even after they've been told that they're letting anyone look over their virtual shoulders.

Yes, there is now a Windows program, FireShepherd, that knocks out nearby Firesheep users with a brute-force attack of junk packets. But, as the author of FireShepherd wrote, "the user is still in danger of all other session hijacking mechanisms" and "this is only a temporary solution to the Firesheep problem." Exactly. I also wonder what transmitting a bunch of junk every 400 milliseconds or so is going to do to both your, and the network's, overall throughput. Nothing good, I'm sure.

So, bottom line, the real solution to Firesheep is going to have to come from the Web sites and their owners. Firesheep's author, Eric Butler, is correct when he points out that "The only effective fix for this problem [open, unencrypted Wi-Fi] is full end-to-end encryption, known on the web as HTTPS or SSL." There really isn't any other answer.

So why wasn't this done ages ago? After all, there's nothing remotely new about this security hole. It's as old as wireless itself. The reason is that Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or TLS/SSL over HTTP (HTTPS), used to cost a lot in computer performance. Web site managers figured that since only people who really knew what they were doing with sophisticated network packet sniffers like Wireshark could pull off such an attack, they wouldn't bother to protect users against the potential of this small group of people attacking them.

Oh, and by the way, FireShepherd won't phase an experienced Wireshark user for a minute.

Getting back to Firesheep, today, any idiot who can install a Firefox extension can not only snoop on the person the next table over, they can also grab their login information on such social networks as Facebook or Twitter to do with as they want.

This is going to blow up in a Web 2.0 site owners' faces. Someday soon, someone is going to lose important information to a Firesheep user and, this being America, they're going to sue the site owner and their Web hosting company for damages.

If you have any brains and you run any kind of Web site where your users enter personal or important data, you need to start using TLS, SSL or HTTPS now.

In 2010, using these security protocols is not as hard on your server as it once was. Google has started doing it, and so can you. For example, you can now securely search the Web with Encrypted Google.

Most Web servers include TLS/SSL as an option. For Apache, for instance, you can use the mod_ssl module with OpenSSL. Microsoft's Internet Information Services (IIS) also makes setting up secure connections pretty straightforward.

If you discover your Web servers can't handle the encryption load, then you can always use SSL accelerators instead. An SSL accelerator is typically either a PC card with its own processor or a stand-alone network device. Either one does the heavy processor lifting needed to run the encryption algorithms quickly.

There are many SSL accelerators, but over the years some of the more reliable brands I've found for this kind of work include: Barracuda SSL VPN; Cavium Networks' SSL accelerator boards; and F5's BIG-IP SSL Acceleration. Cisco and Juniper Networks, of course, have their own excellent line of SSL accelerators.

I'm going to be straight with you. Whatever you do, even if you can manage to get by just supporting encryption in software, it's going to cost you more money. If you're running a large, popular Web site, it could cost you well into the tens of millions. Really fast, really powerful SSL acceleration is not cheap. You just need to ask yourself: "Do I want to pay to upgrade my edge servers and network today, or do I want to pay some lawyer and his client tomorrow?" It's really that simple.

Topics: Networking, Browser, Security

  • RE: Herding Firesheep

  • Never cost that much if used properly. You only need it for sensitive data.

    go ahead and keep sending your paris hilton gossip and banal youtube vids in the clear and let the sheep take a look...
    Johnny Vegas
  • They do not get their login information...

    The password is never sent in the clear, what they are getting is their session cookie and it is only valid @ that wifi spot. All the owners of the wifi hotspots have to do is turn on WPA and set the password to something simple and this issue goes away.

    I think we should be using SSL for connections for sites we keep personal information.
    • RE: Herding Firesheep

      Then the owner of the 'free WIFI' has to deal with people asking/complaining/having problems connecting.

      People need to learn, the hard way if necessary, how to manage their own security risks.
    • RE: Herding Firesheep

      @mrlinux

      not entirely true.

      i have many times shut down my laptop without logging off of sites, gone home, restarted my laptop, and the login session was still valid. with the number of networks that do many:few NAT, locking the cookie to an IP address would force users to log in repeatedly as their outgoing requests were distributed between the available outgoing channels.

      i personally manage a network that has 4 separate internet connections, and the traffic is distributed between them by a single router, and have never had a session fail when the router shifted my requests to a new IP address
  • Pay now or later...hmmm!

    There is no doubt in my mind every CFO will go for the pay the lawyers later scenario.
    • RE: ...every CFO will go for the pay the lawyers later ...


      Exactly. Spending the money NOW is taking money out of the CFO's bonu$, or the stockholder's profits. Why worry about a potential lawsuit, until it actually happens; and then I will be out of here!!!


      [Just expressing the typical stupid corporate mentality aloud.]
  • Just forget about it.

    Let the sheeple go to the slaughterhouse! It's gonna be a lot of fun to hijack people for the next decade.
    Tommy S.
  • RE: Herding Firesheep

    The biggest thing I have against Firesheep is the number of script kiddies that will use it and think they're cool and/or know jack**** about anything. The author is a douche for that reason alone, never mind the unethical nature of his actions.
  • Phase?

    "FireShepard won't phase an experienced WireShark user for a minute."

    Yeah, but will it faze them?
  • RE: Herding Firesheep

    encrypted google? what's the point. google are going to share your searches with their advertisers anyway
    if you are concerned about privacy never use google, for starters.

      • RE: Herding Firesheep


        Um tell us why? what did he say that was a lie? that google collects data? That they sell it to advertisers?
    • RE: Herding Firesheep

      @techguru@... Use a different search engine, such as Startpage by Ixquick, who promise not to record your IP or queries, normally connects via SSL, and leaves no cookies on your machine. (User preferences are stored in the URL string and can be saved in your browser's favorites or bookmarks.)
      • RE: Herding Firesheep

        And just why should we trust Ixquick? How are they any different than all the others that have claimed they don't collect/sell and were found out to be liars?
        How are they making money? who funds them? Who are they?
    • RE: Herding Firesheep


      because while your gmail/Google docs/etc connection is encrypted, the session cookie that is also sent to Google search was not, so it was still possible to side-jack the session for a Google search, and once the session was side-jacked successfully, enter the encrypted gmail/docs/etc sessions with the stolen cookie.

      i tested this on my own account with two separate laptops, a Mac OS X PowerBook as my "victim" machine and a Windows XP system as my "attacker" machine.

      if the Google searches are not encrypted, side-jacking the cookie and getting into the encrypted email and docs worked fine. encrypted Google searches blocked the side-jacking successfully
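The two comments above (the one arguing that what Firesheep captures is the session cookie rather than the password, and the one describing how an unencrypted Google search request carried the same cookie that guarded the encrypted Gmail session) both turn on one browser rule: a cookie set without the Secure attribute is attached to every request for its domain, plaintext or not. The following model of that rule is an added example, not code from the ZDNet article, its commenters, or any browser or site named on the page. The host names, cookie names and values are constructed for illustration; `BrowserJar` is a simplified stand-in for a real cookie store, and `missing_secure` is the server-side check a site operator would run over its own Set-Cookie headers before going HTTPS-only.

```python
"""Why an HTTPS login is not enough: modelling which cookies go on the wire in the clear.

Added example (not part of the ZDNet article or its comments). Hosts, cookie
names and values are constructed; BrowserJar is a deliberately small model of
the domain/path/Secure rules a browser applies when deciding whether to
attach a stored cookie to a request.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes)."""
    parsed = SimpleCookie()
    parsed.load(header)
    name, morsel = next(iter(parsed.items()))
    attrs = {
        "secure": bool(morsel["secure"]),      # flag: never send over plain HTTP
        "httponly": bool(morsel["httponly"]),  # flag: hide from page scripts
        "domain": morsel["domain"] or None,    # None means host-only cookie
        "path": morsel["path"] or "/",
    }
    return name, morsel.value, attrs


def _domain_matches(request_host, cookie_domain, host_only):
    """Host-only cookies match the setting host exactly; Domain= cookies match it and subdomains."""
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class BrowserJar:
    """Minimal cookie store: remembers Set-Cookie results and picks cookies for a URL."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, origin_host):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self.cookies.append({
            "name": name,
            "value": value,
            "domain": attrs["domain"] or origin_host,
            "host_only": attrs["domain"] is None,
            "path": attrs["path"],
            "secure": attrs["secure"],
        })

    def cookies_for(self, url):
        """Names of the stored cookies a browser would attach to a request for url."""
        parts = urlsplit(url)
        is_https = parts.scheme == "https"
        host = parts.hostname
        path = parts.path or "/"
        sent = []
        for c in self.cookies:
            if not _domain_matches(host, c["domain"], c["host_only"]):
                continue
            if not path.startswith(c["path"]):
                continue
            if c["secure"] and not is_https:
                continue  # the Secure attribute is the only thing keeping it off plaintext
            sent.append(c["name"])
        return sent


# Constructed login responses: the same session cookie, without and with Secure/HttpOnly.
UNSAFE_COOKIE = "SID=s3ss10n-t0k3n; Domain=example.com; Path=/"
SAFE_COOKIE = UNSAFE_COOKIE + "; Secure; HttpOnly"


def cookies_on_wire(set_cookie_header, url):
    """Log in at a constructed HTTPS accounts host, then see what a later request to url carries."""
    jar = BrowserJar()
    jar.store(set_cookie_header, "accounts.example.com")
    return jar.cookies_for(url)


def missing_secure(set_cookie_headers):
    """Server-side audit: names of cookies that would still travel over plain HTTP."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers
            if not parse_set_cookie(h)[2]["secure"]]


if __name__ == "__main__":
    search = "http://www.example.com/search?q=firesheep"   # constructed plaintext page
    print("without Secure, plaintext search carries:", cookies_on_wire(UNSAFE_COOKIE, search))
    print("with Secure, plaintext search carries:   ", cookies_on_wire(SAFE_COOKIE, search))
    print("with Secure, HTTPS mail still carries:   ",
          cookies_on_wire(SAFE_COOKIE, "https://mail.example.com/inbox"))
    print("cookies to fix:", missing_secure([UNSAFE_COOKIE, "PREF=lang-en; Path=/"]))
```

The first case is the commenter's side-jack: the cookie that opens the encrypted mail session was also sent on a plaintext search request, so anyone on the same open Wi-Fi could read it. Marking the cookie Secure stops that leak, but it only works if the site serves every page over HTTPS, which is the article's point: a Secure cookie is simply not sent on plaintext requests, so a site that still answers over HTTP will either log the user out on those pages or tempt developers to drop the flag again.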
  • RE: Herding Firesheep

    If someone walks in your house because you did not lock the door it is still trespassing. We should set some insane jailtime and fines to keep the buffoons from even getting into this sort of nonsense. I am a software engineer that could do these things, but folks, get a life please.
  • RE: Herding Firesheep

    Diggity -

    The difference here is simple; using an open WiFi connection in a public place is the electronic equivalent of opening your front door while there's a parade going by with crowds of people standing around. Using that connection for ANYTHING that you have to login to is the equivalent of standing next to that open door, beckoning to the above-mentioned crowd, and shouting at the top of your lungs a list of the valuables in your home, that you're about to leave and for how long, and that you don't intend to lock or even close your door when you leave.

    Your suggestion of jailtime and fines is absurd; you sound like the ignorant masses FireSheep was written to shock out of their complacency. The ones who expect those of us who know better to protect them from their own ignorance; most of which also expect us to fight them for the privilege.

    Not interested in that opportunity.
  • the root of the problem

    You just need to ask yourself: "Do I want to pay to upgrade my edge servers and network today, or do I want to pay some lawyer and his client tomorrow?" It's really that simple.
    Simple - right, what happened to - "I will do what I have to, to ensure my valued customers are given the best experience I can give them, safe in the knowledge that I will do my very best to keep them safe and secure"
    got that?
    It is this attitude that customers are sheep to be shorn for the least cost possible, this peculiarly American attitude, that leads to the cynical mass exploitation seen today. And leads to the demise of entire industries once the masses cotton on to the realisation that they are being screwed royally... leads to $65 bags of saline and medical treatment regimes that are designed to eke every cent out of people as they suffer... leads to military industrial complexes that are primed for an 'inventory purge' every decade or so...

    How about "I will implement SSL because it keeps my clients safer in unsafe waters, in an internet deliberately made unsafe, because I feel that it is my moral and ethical duty to act in the best interests of my fellow travellers"