Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

Summary: Firesheep isn't making headlines anymore, but it's still out there and causing trouble. Fortunately, there's a new version of HTTPS Everywhere to help block it.

Firesheep, the all too easy-to-use Web snooping tool, continues to expose the disaster that is modern Web site security. Sooner or later, a lot of people are going to lose a lot of valuable information to hackers using Firesheep and scream to high heaven about it. Then, and only then, will Web server administrators start offering HTTPS all the time.

You, however, don't have to be one of those victims. There are already tools that will help protect your Web wandering from Firesheep. One of the best of these, the Electronic Frontier Foundation's (EFF) HTTPS-Everywhere, has recently had a major upgrade.

As far as I'm concerned, this latest version is a must for anyone who uses public Wi-Fi spots and doesn't have the luxury of using a virtual private network (VPN). HTTPS-Everywhere makes your browser connect to many popular Web sites over HTTPS, that is, HTTP carried over Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).

In addition to providing better protection for Facebook, Twitter and Hotmail accounts, this version also adds protection for bit.ly, the popular URL-shortening site; the Amazon Web Services (AWS) cloud service; Cisco; Dropbox, the online backup and file-sync site; Evernote, the Web-based note-taking system; and GitHub, a popular hosting site for Git distributed version-control repositories. Speaking as someone who uses Dropbox all the time and many of these other Web sites every now and again, this makes HTTPS-Everywhere a must on all my laptops.

That's the good news. The bad news is that Facebook gives HTTPS-Everywhere problems. To protect yourself on Facebook to the best of HTTPS-Everywhere's abilities, you need to turn on the "Facebook+" rule. You do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It's not on by default, because it can cause some Facebook Apps to break. A more significant problem for some users is that Facebook chat won't work at all over an HTTPS connection. Personally, I'd rather be safe than sorry, but if you like to live dangerously on public networks, you can turn off the Facebook+ rule and take your chances.

You should also keep in mind that if a Web site doesn't support SSL, TLS, or HTTPS, and many don't, there's not a darn thing that HTTPS-Everywhere can do to protect you. I'm also sorry to report that HTTPS-Everywhere still works only with Firefox. Other popular Web browsers, such as Internet Explorer, Chrome, and Safari, don't, at this time, allow for the kind of URL rewriting that HTTPS-Everywhere uses to make sure that secure connections are always used when they're available.

On the plus side, the EFF has also made it possible for XML-savvy users to write their own rules for sites that support secure connections but aren't currently covered by HTTPS-Everywhere. After testing your rule sets, you're invited to share them with the EFF so that they can be included in future HTTPS-Everywhere releases.
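
To show how a rule set of this kind drives the URL rewriting described above, here is an added example that is not the EFF's code and not one of its shipped rules: a constructed ruleset for a hypothetical example.com and a small Python function that applies it the way the extension does, rewriting matching http:// URLs to https:// and leaving excluded or unsupported sites untouched. The real rulesets use $1-style backreferences in the "to" attribute; this example's rule has none, so Python's re module can apply it directly.

```python
import re
import xml.etree.ElementTree as ET

# Constructed HTTPS Everywhere-style ruleset for a hypothetical site
# (not an EFF rule). The layout follows the extension's ruleset XML:
# <target> hosts the rule applies to, <exclusion> URL patterns that are
# left alone, and <rule> regex rewrites from http to https.
RULESET_XML = r"""
<ruleset name="Example Site (hypothetical)">
  <target host="example.com" />
  <target host="www.example.com" />
  <exclusion pattern="^http://example\.com/legacy/" />
  <rule from="^http://(www\.)?example\.com/" to="https://example.com/" />
</ruleset>
"""


def load_ruleset(xml_text):
    """Parse the ruleset XML into compiled targets, exclusions and rules."""
    root = ET.fromstring(xml_text)
    return {
        "targets": {t.get("host") for t in root.findall("target")},
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }


def rewrite(url, ruleset):
    """Return the URL the browser should request instead of `url`.

    The original URL comes back unchanged when the host is not a target
    (site unsupported, so nothing can be done), when an exclusion matches,
    or when the URL is already https.
    """
    host = re.match(r"^https?://([^/:]+)", url)
    if not host or host.group(1) not in ruleset["targets"]:
        return url
    for exclusion in ruleset["exclusions"]:
        if exclusion.search(url):
            return url
    for pattern, replacement in ruleset["rules"]:
        new_url, count = pattern.subn(replacement, url)
        if count:
            return new_url
    return url


if __name__ == "__main__":
    rs = load_ruleset(RULESET_XML)
    for u in ("http://www.example.com/login", "http://example.com/legacy/page",
              "http://other.example.net/", "https://example.com/inbox"):
        print(u, "->", rewrite(u, rs))
```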

Now, if only more Web sites offered secure connections by default, we'd be a long way toward solving the problems that Firesheep has uncovered. Since I don't see any rush by Web-site administrators to make their sites more secure, programs like HTTPS-Everywhere are still only going to be band-aids on the Web's privacy and security wounds.


Talkback

15 comments
  • I really think this is a bunch of ado over nothing

    Seriously, how many people are going to be running Firesheep on a public network WITHOUT GETTING CAUGHT at it. Seriously? Not many!
    Lerianis10
    • Easy.

      @Lerianis10 Park across the street or around the corner from a hot spot and fire it up.
      ashdude
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @Lerianis10 And how do you propose that you catch someone running this tool? Do you know what you are talking about?
      sfouant
  • So, can PPTP work?

    Server 10.04.1 and I can VPN into my server and browse the web from there.
    Grayson Peddie
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @Grayson Peddie Yes you can use a PPTP VPN and you'll be immune to attacks from Firesheep.

      Steven
      sjvn
  • Why would anyone use unsecured WiFi?

    I use WiFi at home and at the office; both have WPA2-PSK AES.

    Anywhere else, I tether my smartphone through USB or Bluetooth or turn it into a WiFi hotspot.

    Problem solved...
    Daniel Breslauer
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @Daniel575 Why? Because it's easy and it's there. Not everyone has a smartphone that can double as a modem or hotspot. Another problem with using a phone as a hotspot is that for your newly created Wi-Fi network to be secure it also needs real protection. WalkingHotSpot, which is a popular Symbian and Windows Mobile solution, for example, only supports WEP. And WEP, as we all know, is pretty much useless these days as data protection.

      Steven
      sjvn
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @Daniel575 Ummm hello? This isn't a problem which is only targeting Open Wireless networks. It can be done on wired networks as well as wireless networks secured with WEP or WPA. You can read my blog article at http://www.shortestpathfirst.net/2010/10/29/sidejacking-fun-with-firesheep/ to learn more, and if you are interested in learning how this can be exploited on wired networks I wrote another article at http://www.shortestpathfirst.net/2010/11/18/man-in-the-middle-mitm-attacks-explained-arp-poisoining/. The MITM attack can also be used to subjugate wireless networks using WPA/WPA2.
      sfouant
  • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

    This is pure fear mongering! This article should be about how to use simple practices to make sure you don't do anything stupid rather than make people afraid of the internet.
    If you are going to talk about security then you should be focused on the real problems:
    1. Get everyone off Windows XP and Explorer
    2. Consider a Mac as a safer (not necessarily more secure) system.
    3. Turn on your WiFi WPA2 on your networks

    The fear of firesheep is being blown way out of proportion.
    kpbpsw
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @kpbpsw

      You have completely missed the point...

      Windows XP and/or Internet Explorer are completely irrelevant to WiFi sidejacking.

      Mac or PC is completely irrelevant to WiFi sidejacking.

      WiFi encryption does not entirely block this either, as anyone on the same WiFi can still sniff. The Big Boy restaurant near my house uses WPA2 encryption, but hands out the key freely. I've confirmed I can sniff/sidejack my own sessions (two separate laptops) using FireSheep if the session is not using SSL/TLS.

      And as an added bit of knowledge, I used a Mac with Firefox as my target machine, and a Windows XP system as my attack machine; the Mac did nothing to prevent this.

      If you actually read the article, you will see that the article is encouraging safer practices and encouraging people to push site admins for SSL/TLS all the time.
      erik.soderquist
  • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

    Steven, you state that "Sooner or later, a lot of people are going to lose a lot of valuable information to hackers using Firesheep and scream to high heaven about it." Sidejacking is not a new problem and has been around since 2004. If there are vulnerabilities to losing valuable information, they've existed for a very long time.
    sfouant
  • Fear-mongering? Hardly.

    I've come to expect that sort of attitude from the 90%+ of Windows users here in Singapore whose systems have been co-opted by one botnet or another; that estimate is courtesy of at least three local security firms. The entire island is on virtually every major DNS blacklist; I wonder why?

    Seriously, people. This isn't even a Windows problem; if you're using an unsecured 802.11 network using Windows or OS X or Joe-Bob-Briggs'-awesome-OS, your information is as public as if you were writing it on the walls in inch-high letters.

    If you're using a company-provided laptop/palmtop and your company doesn't have a VPN, ask why the heck not.

    Wow. Just... wow.
    Jeff Dickey
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @Jeff Dickey

      You indirectly pointed out a corollary attack vector: infected machines on the same WiFi.

      If Firesheep can gather this information, so can an infection on a machine, which can also package and send the needed data to anywhere on the internet for an attacker to exploit remotely.

      It certainly would not be the first time we've seen multiple "minor" vulnerabilities chained together to get far more damaging reach than any of the individual vulnerabilities was capable of.

      I also note that Google now is offering fully encrypted web searching without logging in, and that they state plans to add SSL/TLS encryption to all products in the future.
      erik.soderquist
  • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

    "You should also keep in mind that if a Web site doesn't support SSL, TLS, or HTTPS, and many don't, there's not a darn thing that HTTPS-Everywhere can do to protect you."
    If you use "tor" (http://www.torproject.org), the first hop from your computer to the wireless router (and until the exit node) is *ALWAYS* encrypted regardless of the nature of the final site.
    JDThompson
    • RE: Putting a Band-Aid on Firesheep with the new HTTPS Everywhere

      @JDThompson Sure, TOR is great because it protects the "last mile", but what is preventing those running a TOR exit node from sniffing the traffic ;)
      sfouant