Home & Office

Herding Firesheep

The only real answer for Firesheep is for all Web 2.0 sites to start using security. That won't be easy. Here's how to start.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The more I think about Firesheep, the network packet sniffer for dummies, the more I realize that end-users are never going to be able to deal with the problems that it brings to the table. Sure, there are lots of ways to handle Wi-Fi vulnerabilities from a user's desktop. But, at the end of the day, the easier methods, such as forcing a site to set up a secure HTTP connection, won't work with all sites and some people are too dumb to use any protection even after they've been told that they're letting anyone look over their virtual shoulders.

Yes, there is now a Windows program, FireShepherd that knocks out near-by Firesheep users with a brute-force attack of junk packets. But, as the author of FireShepherd wrote, "the user is still in danger of all other session hijacking mechanisms" and "this is only a temporary solution to the Firesheep problem." Exactly. I also wonder what transmitting a bunch of junk every 400-milliseconds or so is going to do to both your, and the network's, overall throughput-nothing good I'm sure.

So, bottom line, the real solution to Firesheep, is going to have come from the Web sites and their owners. Firesheep's author, Eric Butler, point that "The only effective fix for this problem [open, unencrypted Wi-Fi] is full end-to-end encryption, known on the web as HTTPS or SSL" is correct. There really isn't any other answer.

So why wasn't this done ages ago? After all, there's nothing remotely new about this security hole. It's as old as wireless itself. The reason is that Transport Layer Security (TLS) and Secure Sockets Layer (SSL) or TLS/SSL over HTTP (HTTPS) used to be cost a lot in computer performance. Web site managers figured that since only people who really knew they were doing with sophisticated network packet sniffer programs like WireShark they wouldn't bother to protect users against the potential of this small group of people attacking them.

Oh, and by the way, FireShepard won't phase an experienced WireShark user for a minute.

Getting back to Firesheep, today, any idiot who can install a Firefox extension can not only snoop on the person the next table over, they can also grab their login information on such social networks as Facebook or Twitter to do with as they want.

This is going to blow up in a Web 2.0 site owners' faces. Someday soon, someone is going to lose important information to a Firesheep user and, this being America, they're going to sue the site owner and their Web hosting company for damages.

If you have any brains and you run any kind of Web site where your users enter personal or important data you need to start using TLS, SSL or HTTPS now.

In 2010, using these security protocols is not as hard on your server as it was once was. Google has started doing it, and so can you. For example, you can now securely search the Web with Encrypted Google.

Most Web servers include TLS/SSL as options. For Apache, for instance, you can use the Apache mod_ssl module and OpenSSL. Microsoft's Internet Information Services (IIS) also makes setting up secure connections pretty straight-forward.

If you discover your Web servers can't handle the encryption load, then you can always use SSL accelerators instead. An SSL accelerator is typically either a PC card with its own processor or a stand alone network device. Either one does the heavy processor lifting needed to run the encryption algorithms quickly.

There are many SSL accelerators, but over the years some of the more reliable brands I've found for this kind of work include: Barracuda SSL VPN; Cavium Networks' SSL accelerator boards; and F5's BIG-IP SSL Acceleration. Cisco and Juniper Networks, of course, have their own excellent line of SSL accelerators.

I'm going to be straight with you. Whatever you do, even if you can manage to get by just supporting encryption in software, it's going to cost you more money. If you're running a large, popular Web site, it could you well into the tens of millions. Really fast, really powerful SSL acceleration is not cheap. You just need to ask yourself: "Do I want to pay to upgrade my edge servers and network today, or do I want to pay some lawyer and his client tomorrow?" It's really that simple.

Editorial standards