These days, half of us carry some kind of wifi capable device around with us – laptop, phone, MP3 player, swanky new iPad. We own something that we can browse the net on via wifi, that we can use while out and about.
And we’re all familiar with the experience of agreeing to meet someone in a pub or café, and finding that either we’re running early, or they’re running late, at which point we pull out this device and do something with it. Check Twitter. Check our email. Log in to Facebook and see who it is that’s been pissing on our wall, or whatever it is that Facebook users do these days. In any event, the point is this: we hook our little boxes of digital magic up to the wifi that’s available and start using it. Sometimes we might have to pay for the privilege, sometimes we might just have to give the username and password that’s written on a sign behind the counter, and in some places, we can just start surfing away.
We don’t stop to think about the danger.
You see, most of these networks aren’t secured – even the ones that require a username and password to log on to, often only require the username and password as an authentication system – a confirmation that you have the right to be using the system – not as a method of securing communication. (How you can tell: if you try and get to a website, but then get an extra screen in between from BT Openzone, or The Cloud, or O2 or T-Mobile or whatever, asking you for a username and password, or your phone number, without leaving your browser, then it may well just be authentication, and not security, that the wifi is checking.)
And then along comes Firesheep. I’m not going to link to it – if you’re really interested, you can Google it. What Firesheep does is exploit a technique called session sidejacking. Up until Firesheep, this was something it required a little skill to know how to do. Not a lot, but some – you needed to put a few different tools that most people would know nothing about together on a laptop, and know how to fiddle with some fairly advanced settings in your browser. Firesheep, on the other hand, makes it possible in two or three clicks. And it’s a Firefox extension that you install like any other. My not-very-tech-savvy mother could do it, if she wanted.
One of the often-unspoken truths of security is that there is no such thing as true, 100% unbreakable security. There is just “enough security that it’s more trouble than it’s worth to get around it”. It’s why we secure our houses with simple locks on doors, and not three different biometrics and a machine-gun turret. It’s the same on-line. With enough time and effort, any system can be hacked. It’s just about making it hard *enough* to hack that most people don’t bother – a good username and secure password will keep 99% of hackers out, and the odds of being targeted by the remaining 1% are quite small. This is why Firesheep is bad – because it’s made the effort involved in this hack so trivial.
So what is session sidejacking?
We’re all familiar with logging into websites – you stick in your username and password, and presto, you’re logged in. If you’re very tech savvy, you might even know that it’s important to check for https:// at the front of the URL and not just http:// when you log in. That’s the sign that the data you’re exchanging with the website is encrypted – that your password isn’t just being sent through all the dozens of computers between your laptop and the website you’re using, in plain text for anyone to eavesdrop on. You see that, and you feel secure.
But there are plenty of websites out there – Facebook is one example, but they’re not even close to alone in this – I think Gmail even does it, if you don’t configure some settings just right, and apparently Twitter is vulnerable too, and that’s just a few quick big names, never mind all the other small sites – where once you’ve logged in, they stop using the https:// bit. The theory being that the thing it’s important to be secure about is the authentication. And up until Firesheep, they were probably right.
Now, the way you stay logged in on most websites is that they set a thing called a cookie. You’ve probably all heard of them. They’re one of the things that get ditched when you clear your cache and cookies because you’re trying to fix a problem. Clearing your cookies means that you suddenly find yourself logged out of loads of websites, and you have to go to all the hassle of trying to remember your password to log back in.
That cookie contains a little bit of information (actually, it might contain quite a lot, but there’s only one thing that’s relevant here) – it contains what’s called your Session ID. When you log into a website, you get assigned a Session ID, and when your browser requests pages from that website, it says (roughly) “Hi – I’m a browser with Session ID 12345, and I’d like this webpage please.” And the site goes away and works out what webpage you want and what content Session ID 12345 should get, according to its records. Your session ID essentially *becomes* your username and password, and it’s sent back and forth with every request you make to that website.
And if the website isn’t using https:// and if you’re using a wifi network that’s not secure, then people using the same network as you can listen in. They won’t be able to get your username and password – that got sent over https://, after all. But they will be able to find your Session ID. And once they’ve got that, they can pretend to be you.
And Firesheep does all this, in three clicks, in a really easy to use manner.
And so they can pretend to be you. And get into your Facebook, or your Gmail, and discover all sorts of things about you.
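An added illustration (not part of the original post) of the situation described above, where a site logs you in over https:// and then serves pages over http://. It models the one browser rule that decides whether the Session ID crosses the network in the clear, the standard `Secure` cookie attribute; the cookie name, URLs and headers are constructed sample values, and all URLs are assumed to belong to the same site.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: what a site might send after a successful login.
WEAK_LOGIN = ["session_id=12345; Path=/; HttpOnly"]              # no Secure attribute
HARDENED_LOGIN = ["session_id=12345; Path=/; HttpOnly; Secure"]  # Secure attribute set

# Constructed sample browsing after login: one https page, then plain http pages.
REQUESTS = [
    "https://example.test/login",
    "http://example.test/home",
    "http://example.test/messages",
]


def cookies_exposed(set_cookie_headers, later_request_urls):
    """Return {url: [cookie names]} for requests that carry cookies unencrypted.

    Only the scheme rule is modelled: a browser attaches a cookie to an
    http:// request unless the cookie was set with the Secure attribute.
    Domain and path matching are ignored for brevity.
    """
    jar = {}  # cookie name -> True if it was set with Secure
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = bool(morsel["secure"])

    exposed = {}
    for url in later_request_urls:
        if urlsplit(url).scheme == "https":
            continue  # request and cookie are encrypted in transit
        leaked = sorted(name for name, secure in jar.items() if not secure)
        if leaked:
            exposed[url] = leaked  # anyone on the same open wifi can read these
    return exposed


if __name__ == "__main__":
    print("without Secure:", cookies_exposed(WEAK_LOGIN, REQUESTS))
    print("with Secure:   ", cookies_exposed(HARDENED_LOGIN, REQUESTS))
```

With the `Secure` attribute set, the http:// pages arrive without the cookie, so the site has to serve logged-in pages over https:// for the session to work at all.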
So how can you make sure you’re safe?
Well, in the first place, don’t use unencrypted Wifi, unless you have no other choice. Key terms that will tell you it’s encrypted are things like WEP or WPA. And when you’re asked for a password to go along with those, it won’t be in your web browser – it’ll be your operating system asking for it.
Secondly: if you are using unencrypted wifi, make sure everything you request is over https://.
As soon as you log in to Google or Facebook, or any other site, if you don’t see the little ‘s’ in the URL, add it in yourself, and hit return to reload the page. This won’t be 100% foolproof on all sites, but it’s a good first step. And you’ll find that a lot of really secure sites – bank websites and that sort of thing – do everything over https:// already, even once you’ve logged in.
Other than that, well, there’s not a lot you can do. Sorry, folks. Fixing this one is going to require companies, and people like me to do something. They haven’t in the past, because the security we used to have was good enough. But as of last week, it isn’t, so we need to get on with fixing it. But in the meantime, do please be careful when using unsecured wifi.
(Just in closing, I should probably note that the chap who wrote and released Firesheep wasn’t doing it just to cause trouble – or rather he was, but with noble motives. He wasn’t doing it to make hacking easy, he was doing it to force companies to make exactly this kind of change, and improve their security all round.)