Firesheep adds a sidebar to Mozilla's Firefox browser that lists anyone on the same open network, such as a public Wi-Fi network at a coffee shop, who visits an insecure website. A simple double click is all it takes for an attacker to take over the victim's logged-in session on sites from Twitter and Facebook to bit.ly and Flickr.
Since Eric Butler released Firesheep on Sunday, October 24, 2010, the utility has been downloaded nearly 220,000 times. But users still don't know how to defend themselves.
One way users can protect themselves against Firesheep is to avoid unencrypted public Wi-Fi networks and use only password-protected ones, experts said Tuesday. However, Ian Gallagher, senior security engineer at Security Innovation, rejected that simple point of view. Gallagher is one of the two researchers who presented Firesheep last weekend at a conference in San Diego, USA. In a blog post on Tuesday, he said that this is not a flaw in the Wi-Fi network, but a lack of security on the sites that users visit.
So, if you still have to use Wi-Fi, what should users do? The best defense, according to Chet Wisniewski, a senior security advisor at Sophos, is to use a virtual private network (VPN) when connecting to public Wi-Fi networks, such as at the airport or a cafe. While many business users use a VPN to connect to their office network when they are on the road, individual users often do not have a secure "tunnel" to the Internet.
"But there are some VPN services that you can sign up for at $5 to $10 a month," Wisniewski said. Strong VPN, a US-based Internet service provider, is one of them. A VPN encrypts all traffic traveling between a computer and the Internet, including traffic to the sites prone to Firesheep "hijacking". "This is a good solution, and is really no different from using encrypted Wi-Fi networks," Wisniewski said.
However, Gallagher warns that a VPN is not a total solution. "Your traffic will then leave that server just as it would leave your laptop, so anyone running Firesheep or other tools can access your data the same way." "A blanket suggestion to 'use a VPN' doesn't really solve the problem and can only provide a false sense of security," he said.
Strong VPN objected: "Our servers are located in a secure data center, so no one can 'sniff' in/out data traffic. For example, all traffic from your San Francisco laptop is encrypted when entering one of our US servers."
Andrew Storms, director of security operations at nCircle Security, a security company based in San Francisco, USA, disagreed with Strong VPN's assertion. "I can see Gallagher's point of view, that a VPN doesn't solve the root problem, it's the end service," he said. "However, although it is true that the traffic will be in cleartext when it leaves the VPN server for the websites, it is not certain that someone will steal it."
If free is the goal, there are many choices, Wisniewski said. Sean Sullivan, a security consultant with F-Secure, and Gallagher pointed to free Firefox add-ons that force the browser to use an encrypted connection when visiting certain websites. One of these Firefox add-ons is HTTPS Everywhere. The utility, provided by the Electronic Frontier Foundation (EFF), works only with a predefined list of websites, including Twitter, Facebook, PayPal and Google's search engine. Alternatively, the Force-TLS utility, which works the same way, lets users specify the sites on which to enforce encryption (HTTPS).
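Add-ons like HTTPS Everywhere and Force-TLS patch over the real weakness: a site that hands out a session cookie the browser will also send over plain HTTP, where Firesheep can read it. As an added example, not from the article or from any of the tools it names, the Python check below audits a site's response headers for that weakness, using the standard server-side fixes (the Secure cookie attribute and a Strict-Transport-Security header); the headers it inspects are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers for the weakness Firesheep exploits: a session
cookie that the browser will also send in the clear over an open network.

Added example. The Secure attribute and Strict-Transport-Security are the
usual server-side fixes; the sample headers below are constructed.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name plus lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")   # flag attributes have no value
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, **attrs}


def audit_headers(headers: List[Header]) -> List[str]:
    """Return one finding per header that leaves the session sniffable."""
    findings: List[str] = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("missing Strict-Transport-Security: browser may still "
                        "visit the site over http://")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie:   # sent over http:// too, so sniffable
            findings.append(f"cookie {cookie['name']!r} lacks Secure: sent in "
                            "the clear on open Wi-Fi")
    return findings


# Constructed samples: a weak response and its hardened counterpart.
WEAK_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee; Path=/; HttpOnly"),
]
HARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=c0ffee; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```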
However, other browsers such as Microsoft's Internet Explorer and Google Chrome lack similar utilities. Sullivan proposed another solution: using a MiFi device. Users carry it as a personal Wi-Fi hotspot, since it encrypts the traffic. But MiFi is not cheap. Verizon, for example, does not give away the hardware and charges a service fee of about $40 to $60 per month for access to its 3G network.
Ultimately, the vulnerability Firesheep exposes is that sites allow unencrypted access. That was Butler and Gallagher's point in releasing Firesheep. And only website owners and service providers can fix that. According to Butler, Firesheep's "success" is not the attention it has earned, but that sites will be more appropriately secured. The real success will be when Firesheep no longer works. But, for the moment, even security experts feel anxious.