Firesheep: It's gonna cost you

Summary: With the release of Firesheep, end-users need to be more vigilant about forcing Secure HTTP connections, and clients, servers and network infrastructure will need to be upgraded to support the additional overhead.


Well that certainly took long enough.

I mean, it's not as if packet sniffing unencrypted web traffic is rocket science. After all, free network and traffic analysis programs such as Wireshark have been available for years -- it simply required a bit of analysis skill to set the right filters and watch what was happening over TCP port 80.

The only thing missing was for some smart hacker to figure out how to tie the packet sniffing driver (WinPcap) to a simple, web-based GUI that allowed any non-technical person to hijack user web sessions over the network segment they were connected to.

And that's really all Firesheep is -- a way to hand a packet analysis tool to the masses, packaged in a user-friendly wrapper that any 10-year-old could use: unencrypted user sessions and cleartext passwords pop up on the screen, and one click on an avatar icon impersonates that user.
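The hijack Firesheep demonstrates works because a browser sends a session cookie on every plain-HTTP request unless the server set that cookie with the Secure attribute, which confines it to HTTPS. The following is an added example, not code from the article or from Firesheep: a small audit that parses constructed HTTP responses and reports which cookies a sniffer on the port 80 path would see. The host, cookie names and values are made up.

```python
"""Audit the Set-Cookie headers of an HTTP response for the Secure flag.

Added example, not code from the article or from Firesheep. A cookie set
without the Secure attribute is sent by the browser on every plain HTTP
request to that host, so anyone sniffing port 80 on the same network
segment can read it and reuse the session. Marking it Secure confines it
to HTTPS (port 443).
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw_response):
    """Return one CookieFinding per Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field_name, _, value = line.partition(":")
        if field_name.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        finding = CookieFinding(name, "secure" in attrs, "httponly" in attrs)
        if not finding.secure:
            finding.problems.append("no Secure attribute: sent in the clear on port 80")
        if not finding.httponly:
            finding.problems.append("no HttpOnly attribute: readable by page scripts")
        findings.append(finding)
    return findings


def exposed_cookie_names(raw_response):
    """Names of the cookies a sniffer on the plain-HTTP path would see."""
    return [f.name for f in audit_response(raw_response) if not f.secure]


# Constructed sample responses; the cookie names and values are made up.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: exposed cookies = {exposed_cookie_names(response)}")
        for finding in audit_response(response):
            for problem in finding.problems:
                print(f"  {finding.name}: {problem}")
```

Run against a real site's response headers (for example, saved from the browser's developer tools), the same check tells you whether forcing HTTPS on the client is enough or whether the server is still handing out cookies that will travel in the clear.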

If that scares the hell out of you, it damn well should. We just handed every mischievous child and criminal an electronic equivalent of a map of all the houses in your neighborhood that have their back door unlocked.

My ZDNet Networking colleague, Steven J. Vaughan-Nichols outlines a number of ways we can stop this sort of thing, cold. It's a good start, but it's not enough, because it doesn't factor in the actual cost of what would happen if we started encrypting all traffic from the device to the server over the Internet, end-to-end by default.

Also Read: Five Ways to Shear Firesheep (Networking)

Also Read: Firesheep's real lesson, take Wi-Fi security seriously (Networking)

Also Read: Learning the wrong lessons from Firesheep (Linux/OpenSource)

The last thing Steven mentions in his article is forcing the use of TLS and SSL. Right now, there are only a few programs that do this, such as HTTPS Everywhere and Force TLS.

Essentially, what these programs do is make your web browser connect via port 443 instead of port 80, and then force encrypted traffic via the Transport Layer Security (TLS) protocol, provided the site supports it. Google's sites and Facebook support these protocols already, as do a large number of other major web sites, such as Amazon.

A Secure HTTP connection to Facebook forced by the HTTPS Everywhere and Force TLS extensions for Firefox.

Sounds great, and everyone should use them, immediately. In fact, it should be the default behavior for all web browsers. The problem is that these two extensions currently support only Firefox. So we need Microsoft to patch this into Internet Explorer versions 7 and 8 pronto and build it into the upcoming version 9, and Apple needs to get this into Safari, stat. Google obviously needs to make this the default behavior in Chromium and Chrome as soon as possible.

[UPDATE: A nice developer has recently released the "Use HTTPS" extension for Chrome. If you use Chrome, download and use this immediately.]

But PC web browsers are only half of the story. There are also all the smartphones (and now tablets, like the iPad) out there running apps that use Web APIs to communicate with social networking sites like Facebook and Twitter and other web sites and web services that require authentication of some kind.

We also have desktop and smartphone Twitter and social networking clients which talk over Web APIs and need to start sending their traffic encrypted by default, following the best practices in Facebook's OAuth docs and Twitter's OAuth docs.

So we just turn on HTTPS and TLS for all of these apps in the next over-the-air patch, right?

Well, no. The problem is that smartphone embedded processors, as they exist today, are completely unequipped to do end-to-end SSL and TLS encryption all of the time. They're just not powerful enough to do the constant integer math required to run all their web communication fully encrypted for every app talking to the Internet; it would significantly bog down performance.

There are C libraries for doing this in software, such as PolarSSL, but doing it constantly will heat your ARM Cortex processor up like an egg on a hotplate and chew your battery life down to nothing in short order.

So we're going to have to get SSL/TLS acceleration coprocessors into the next generation of smartphone hardware and SoCs for consumer electronics that communicate and authenticate over the web, like Xboxes, PlayStations, Rokus and Apple TVs. As an intermediate solution, we could also put this technology into routers and firewalls, and at the carriers, but that's not end-to-end.

All of the above only addresses the clients. The big issue is the web sites themselves. Facebook, Google and Amazon might support HTTPS, SSL and TLS, but all the others? They don't turn it on by default because, with a lot of incoming sessions, turning HTTPS and TLS encryption on for everything would send their server performance straight to hell.

Why? Because HTTPS/TLS eats up a lot of integer processor time. That's why companies like Amazon, which rely heavily on this form of encryption to complete business transactions with their customers, use TLS/SSL acceleration boards and appliances: specialized co-processors that offload the vast CPU overhead of encryption at the scale a large e-commerce operation needs. And they are extremely expensive.

This is going to be a serious concern, especially if we start using the 2048-bit keys that the National Institute of Standards and Technology (NIST) is currently recommending for wide adoption by January 2011, in place of the 128-bit and 1024-bit keys which are more commonplace.

In decrypting with a 2048-bit key (2048-bit keys are 2 to the 32nd power times more mathematically complex than 1024-bit keys) you should expect to see about a 4-8 times performance degradation in decryption speed, yielding approximately 20 percent of 1024-bit key performance.
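The slowdown the last two paragraphs describe is easy to measure yourself. The following is an added example, not code from the article: a textbook RSA key generator written with Python big integers, used only to time the private-key modular exponentiation that a server performs in every TLS handshake, at 1024 and 2048 bits. The key generation is a toy (no padding, no CRT, Miller-Rabin with a fixed number of rounds) and exists purely for the timing comparison; it must not be used for real encryption.

```python
"""Time an RSA private-key operation at 1024 and 2048 bits.

Added example, not code from the article. Textbook RSA on Python integers,
with no padding and no CRT, so that the raw cost of pow(c, d, n) at the two
key sizes can be compared. Toy code for illustration only; never use it to
protect real data.
"""
import random
import time

# Small primes for trial division before the probabilistic test.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test after trial division by SMALL_PRIMES."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key(modulus_bits, e=65537):
    """Return (n, e, d) with n of exactly modulus_bits bits. Toy RSA, no CRT parameters."""
    while True:
        p = random_prime(modulus_bits // 2)
        q = random_prime(modulus_bits // 2)
        n = p * q
        phi = (p - 1) * (q - 1)
        # e is prime, so gcd(e, phi) == 1 exactly when e does not divide phi.
        if p != q and n.bit_length() == modulus_bits and phi % e != 0:
            return n, e, pow(e, -1, phi)


def roundtrip(n, e, d, message_int):
    """Encrypt then decrypt one integer and report whether the plaintext came back."""
    return pow(pow(message_int, e, n), d, n) == message_int


def private_op_seconds(n, d, iterations=10):
    """Average wall-clock time of one private-key exponentiation (the server's handshake cost)."""
    c = random.randrange(2, n - 1)
    start = time.perf_counter()
    for _ in range(iterations):
        pow(c, d, n)
    return (time.perf_counter() - start) / iterations


def compare(bits_a=1024, bits_b=2048):
    """Generate a key of each size and return timings plus the slowdown factor bits_b / bits_a."""
    n_a, _, d_a = generate_key(bits_a)
    n_b, _, d_b = generate_key(bits_b)
    t_a = private_op_seconds(n_a, d_a)
    t_b = private_op_seconds(n_b, d_b)
    return {"bits": (n_a.bit_length(), n_b.bit_length()),
            "seconds": (t_a, t_b),
            "slowdown": t_b / t_a}


if __name__ == "__main__":
    result = compare()
    a, b = result["seconds"]
    print(f"1024-bit private op: {a * 1000:.2f} ms, 2048-bit: {b * 1000:.2f} ms, "
          f"slowdown x{result['slowdown']:.1f}")
```

Doubling the modulus doubles the number of squarings in the exponentiation and roughly quadruples the cost of each one, which is where the order-of-magnitude slowdown per handshake comes from; a hardware accelerator or a CRT implementation changes the constant, not that scaling.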

In order to secure the future of the web, everything, and I mean everything, end-to-end is going to have to be encrypted. That means integrating TLS/SSL acceleration into the server chip, blade chassis and/or the network interface to compensate for all that encryption/decryption overhead.

And what does that mean for the enterprise and the end-user? It means an increase in the cost of our network overhead, the cost of the server and network infrastructure, the cost of smartphones and smart devices, and the cost of delivering services to you, the consumer, part of which you'll have to pay for.

Did you like your cheap broadband Internet and smartphone? Enjoy it while it lasts. Talk Back and Let Me Know.

Topics: Networking, Hardware, Servers


Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.




    Get FireShepherd. It jams the Firesheep wifi packets and crashes the plug-in on the script kiddie. However, it doesn't work against other cracking tools in the hands of pros. Just another self-important jerk that does more harm through twisted benevolence.
  • RE: Firesheep: It's gonna cost you

    Network overhead? Interesting article, but I have to disagree with your conclusion. Software bloat, increasing consumption of high-quality multimedia over the internet, online gaming, etc. have been, and will continue to, drive innovation in software and hardware design to keep pace with consumer internet consumption. Increasing network loads are not a new problem, and so far, the industry has found ways to pay for it without directly passing on the cost to users (if you disagree, I dare you to try putting your articles behind a paywall and see how that affects your bottom line). Google seems to be doing fine last time I checked.
    Speaking of Google, some of their engineers recently released an article discussing their move to https-by-default in GMail. Note that they were able to do so without deploying ANY additional machines or special hardware. While some sites running on older servers may not be able to handle Google's method, I think it's clear that the question is one of adopting software and innovation rather than expensive hardware.
    As for smartphones and gaming consoles, they mostly already have alternative revenue streams set up to cover bandwidth costs, and if they can innovate to allow users to watch videos of dancing cats while riding on the bus, I think they can find a way to incorporate a little extra security.
    • RE: Firesheep: It's gonna cost you

      @stebidri Regarding Google, we're talking about a massive distributed server environment with GMail, so they can easily spread the load over a LOT of systems. They're using the 10,000 monkeys approach with commodity systems, which not everyone can do.
      • RE: Firesheep: It's gonna cost you

        Isn't Cisco or Intel trying to apply security measures on the chipset level already? I wonder if they are nearing any alpha testing on this.
      • RE: Firesheep: It's gonna cost you

        If you don't protect yourself, sad day for you. Hopefully this will slow down the adoption of cloud computing.
    • Reasons for bandwidth problems

      Of course there are other reasons for bandwidth problems.
      The point is that the added security measures will also add significantly to the problem.
      In addition, the fact that these measures will have to be "forced" upon end-users and online app/service providers will create a lot of debate on "rights" issues and the technical semantics of it also.