Firesheep, Week+ later
Nearly 500k firesheep downloads in 1 week. Microsoft, Facebook, others, have still not deployed SSL, granted this might be a complicated deployment.
But they didn't warn users either, how can this be justified? a warning is simple enough.
21 comments
[ 3.3 ms ] story [ 75.9 ms ] threadas the download numbers show, the tool is now accessible in a manner that makes an exploit trivial and require no technical knowledge. I am of the opinion that providers like facebook etc... would do their users a service, by explaining to them the risk of accessing their networks via open wireless networks for instance. Perhaps it is not their responsibility but it might be beneficial for them to help the public understand privacy concerns.
Except that Firesheep didn't expose any new security problem. "Hey everyone, in a few weeks I'm going to make it easier for people to exploit long-known security problems that you may have been happily ignoring" is different to "Hey everyone, I found a brand new vulnerability and I want to let you fix it before I publish it".
And, in a practical sense, who would you have expected the creators of firesheep to have warned? The top100 sites? the top500? At what point should github have entered the list? Again, this is not a vulnerability in a specific app, its a well known design error.
So, yes, I would have appreciated a heads up from those guys.
I suppose I'm unsympathetic since every authenticated web app I've done in the last 10 years has been SSL only. But that was too 'enterprisey' perhaps :). Also I imagine that this is such an obvious thing, it wasn't a case of being unaware of the issue, just taking a conscious risk-reward decision on being SSL-only. Particularly for the really smart developers at github. One could argue that since nothing bad (that we know of) happened before firesheep, it was a valid decision.
All in all, I think Firesheep has done a big favour to the web as a whole.
PS. this thread has degenerated to using github as an example, I should probably point out that I love and respect github. really.
www.web-privacy.edu.tc
The ferret and hamster tools did the same thing, just not packaged as an extension for firefox, and that was over three years ago. Just needed to find the cmd windows, run two programs, change your proxy and you're set.
See: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamst...
Also how would you warn the right users? You don't know which of them are affected or at risk for this issue. Maybe promote http://hotspotshield.com/ or a similar product.
Lastly, if your on a unencrypted wifi network you're vulnerable to a lot more attacks than the firesheep one. So please don't assume that just using ssl is enough to protect you. One example: http://forums.remote-exploit.org/tutorials-guides/3157-ssl-s...
I wish that was correct; however, according to http://www.airtightnetworks.com/WPA2-Hole196 even WPA2 is vulnerable. It states: "AirTight Networks uncovered a weakness in the WPA2 protocol, which was documented but buried on the last line on page 196 of the 1232-page IEEE 802.11 Standard (Revision, 2007). Thus, the moniker "Hole196". [...] Exploiting the vulnerability, an insider (authorized user) can sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those devices. In short, this vulnerability means that inter-user data privacy among authorized users is inherently absent over the air in a WPA2-secured network."
The only prerequisite is for the attacker to be same WPA secured wireless network as the victim. There are ways to accomplish that even for private WiFi.
WEP has been cracked a long time ago. So, no actual security over WiFi alone. Need to use SSL, VPN, etc. for everything.