
Five Ways to Shear Firesheep

Firesheep has made it possible for any moron to raid your Web use, but there are ways you can stop it. Here are a few of them.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

While bad Wi-Fi security is my major Firesheep worry, I know it's already a major pain in the ass for everyone. Even as I write this, I see my fellow ZDNet blogger Ed Bott had his Twitter account hijacked by someone else in the Microsoft Professional Developers Conference press room. Fortunately, it was a friend, so it all came out well. Since it wasn't you, that might strike you as funny. Just wait until it happens to you, though, and someone changes your Twitter or Facebook password on you. You won't be laughing then.

So what can you do? Well, there are a lot of things. Some of them aren't perfect, but they will protect you on most of the major sites. Here they are, in order of how well they work.

1) Use your corporate VPN

If you have a corporate Virtual Private Network (VPN), use it. Anything sent through the VPN tunnel should be reliably authenticated and encrypted, which keeps it out of Firesheep users' hands.

There are several possible downsides here. One is that the VPN, by routing you through your corporate network, will slow down your traffic. That slowdown can be quite significant if your company has an overloaded Internet connection. In years past, I've used this method to try to avoid serious Wi-Fi network security threats (hi, Defcon), and at times my speed declined by 50%. It wasn't any fun, but at least I was safer than I would have been without it.

Another potential problem is that by going through your company LAN you may find yourself cut off from sites, like Facebook, that your corporate Acceptable Use Policy (AUP) blocks. In addition, you may not want to let the boss know that you spent your business lunch hour on Farmville.

2) Set up a VPN of your own

If you run your own site and Internet services, as I do, you can always set up your own VPN with programs like Openswan. While that is beyond most users, there is a relatively easy-to-use and easy-to-set-up VPN for private users: OpenVPN.

OpenVPN is an open-source program that comes as server software for most major versions of Linux, as a VMware Virtual Appliance, or as a Virtual Appliance for Windows, which requires either Hyper-V or Virtual PC. In addition, there are versions of OpenVPN that work with alternative Wi-Fi router firmware like DD-WRT and Tomato. If you use Windows at home, the VMware route is the easiest to set up. On the client side, OpenVPN supports Windows, Mac OS X, and Linux.

I won't lie to you. Setting up OpenVPN isn't a walk in the park, but the OpenVPN documentation is decent, and a power user who knows their way around networking should be able to set it up without too much sweat. The free community version can support up to two simultaneous clients.

If you have more cash than technical expertise, you can always add a VPN appliance to your home network. Some of the better SOHO devices with VPN support, in my experience, include the Cisco RV 120W Wireless-N VPN Firewall, the NETGEAR FVS318 ProSafe VPN Firewall 8, and the SonicWALL TZ 100.

3) Use a pay VPN service

Don't have a good deal of money or great technical expertise? Then rent a VPN. There are several businesses that offer VPN service for nominal sums. Some, like AlwaysVPN, offer accounts priced by your bandwidth use, while others, such as AceVPN and StrongVPN, offer monthly rates. I haven't used any of these services myself, but I have heard good reports of all three. There are also "free" VPN sites, but I wouldn't trust them.

4) Make your own Wi-Fi AP with MiFi

MiFi technology lets you turn a 3G or 4G mobile device into your own private Wi-Fi Access Point (AP). This works just fine, but 3G/4G data charges being what they are, it could be a very expensive solution.

I could also see situations where, if this became a popular answer to Firesheep, people would start running into Wi-Fi congestion problems. Even without that, as many iPhone owners know to their sorrow, there is often not enough cellular bandwidth to go around for their phones alone, never mind a laptop as well.

5) Force the use of TLS or SSL

Many, but not all, sites support Transport Layer Security (TLS) or Secure Sockets Layer (SSL), that is, HTTP over TLS/SSL (HTTPS), but default to not encrypting your traffic. There are browser extensions, however, that force sites that support TLS or SSL to use them. Once your session is authenticated and encrypted, your traffic is safe from Firesheep.

These extensions include HTTPS Everywhere and Force TLS. Other, broader Web security extensions, such as NoScript, also include this functionality. That's the good news. The bad news is that they only work with Firefox. To the best of my knowledge, there are no such add-ons for Internet Explorer, Chrome, Safari, or Opera. If anyone knows of any, I'd love to hear about them.

Another problem with these approaches is that some Web sites have no support for SSL, TLS, or HTTPS at all. Even with these extensions installed, your Web session on such a site can still be lifted by a Firesheep user.
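To make concrete what an HTTPS-forcing extension actually does, and where it falls short, here is an added example that is not from the original column and not code from the HTTPS Everywhere project. The Python script below parses a small ruleset written in the XML style HTTPS Everywhere uses (target hosts, from/to rewrite rules, exclusions), applies it to a handful of constructed URLs under placeholder .test hostnames, and classifies each one: upgraded to https://, left alone because an exclusion matches, already HTTPS, or unprotected because no rule covers the site. That last category is exactly the gap described above: a site with no HTTPS support gets no rule, so its session still travels in the clear.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample rulesets in the XML style used by HTTPS Everywhere.
# The hosts are placeholders under .test, not rules shipped by the project.
SAMPLE_RULESETS = r"""<rulesets>
  <ruleset name="Example Social">
    <target host="example-social.test" />
    <target host="www.example-social.test" />
    <rule from="^http://(www\.)?example-social\.test/"
          to="https://www.example-social.test/" />
  </ruleset>
  <ruleset name="Example Mail">
    <target host="mail.example.test" />
    <exclusion pattern="^http://mail\.example\.test/status/" />
    <rule from="^http://mail\.example\.test/" to="https://mail.example.test/" />
  </ruleset>
</rulesets>
"""

# Constructed URLs standing in for a browsing session on an open Wi-Fi network.
SAMPLE_URLS = [
    "http://example-social.test/home",
    "https://www.example-social.test/home",
    "http://mail.example.test/inbox",
    "http://mail.example.test/status/ping",
    "http://plain-news.test/story/1",   # no ruleset: site has no HTTPS support
]


@dataclass
class Ruleset:
    name: str
    targets: list      # hostnames, optionally of the form "*.example.test"
    rules: list        # (compiled from-pattern, to-replacement) pairs
    exclusions: list   # compiled patterns that suppress rewriting


def parse_rulesets(xml_text):
    """Parse each <ruleset> element into a Ruleset object."""
    root = ET.fromstring(xml_text)
    parsed = []
    for node in root.iter("ruleset"):
        targets = [t.get("host") for t in node.findall("target")]
        rules = []
        for r in node.findall("rule"):
            # HTTPS Everywhere writes back-references as $1; Python's re wants \1.
            to = re.sub(r"\$(\d+)", r"\\\1", r.get("to"))
            rules.append((re.compile(r.get("from")), to))
        exclusions = [re.compile(e.get("pattern")) for e in node.findall("exclusion")]
        parsed.append(Ruleset(node.get("name"), targets, rules, exclusions))
    return parsed


def host_matches(target, host):
    """Exact host match, or a '*.' wildcard covering exactly one extra label."""
    if target.startswith("*."):
        return host.endswith(target[1:]) and host.count(".") == target.count(".")
    return host == target


def upgrade_url(url, rulesets):
    """Return (possibly rewritten URL, status).

    status is one of 'already-https', 'upgraded', 'excluded', 'unprotected'.
    'unprotected' means no rule covers the host, so the request would still
    go out in the clear and its session cookie would be visible to Firesheep.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url, "already-https"
    host = parts.hostname or ""
    for rs in rulesets:
        if not any(host_matches(t, host) for t in rs.targets):
            continue
        if any(ex.search(url) for ex in rs.exclusions):
            return url, "excluded"
        for pattern, replacement in rs.rules:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1), "upgraded"
    return url, "unprotected"


def audit(urls, rulesets):
    """Map each URL to (rewritten URL, status) so unprotected sites stand out."""
    return {u: upgrade_url(u, rulesets) for u in urls}


if __name__ == "__main__":
    report = audit(SAMPLE_URLS, parse_rulesets(SAMPLE_RULESETS))
    for url, (new_url, status) in report.items():
        print(f"{status:14} {url} -> {new_url}")
```

Running the script prints one line per URL; the "unprotected" entries are the sites where no extension can help you and only a VPN or the site itself adopting HTTPS closes the gap.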

Regardless of which method you use, you must use one. Firesheep makes it trivial not only to peek at your private information but, in some cases, to actually take over your accounts. Mozilla will not be locking Firesheep out of its browser, so don't look for any help from them.

It wouldn't matter if Mozilla did try to blacklist it; the source code is out there. I know there are already Firesheep variations that can attack more social networking sites, and I'm sure there will be others that work in different browsers. The genie of broken network security is out of the bottle, and until Web sites start using secure protocols by default, you're going to be attacked.
