Firesheep, Week+ later

32 points by doron ↗ HN
Nearly 500k firesheep downloads in 1 week. Microsoft, Facebook, others, have still not deployed SSL, granted this might be a complicated deployment.

But they didn't warn users either, how can this be justified? a warning is simple enough.

21 comments

[ 3.3 ms ] story [ 75.9 ms ] thread
maybe because it's not a new threat and it's not their responsibility?
I think OP was suggesting that it's the responsibility of those companies to warn their users, etc. Not that it was the firesheep dev's responsibility.
exactly, it's MITM attack people have been able to do for at least a decade
That doesn't really make it less of a security threat. Sites still don't know how to secure it. On my own site we do the same, and have no other answer but end-to-end encryption which we then charge for.
(comment deleted)
I disagree, on a certain level it is new. Few security flaws (i actually cant recall any) made a change from a fairly technical and obscure possibility, into a browser plugin.

as the download numbers show, the tool is now accessible in a manner that makes an exploit trivial and require no technical knowledge. I am of the opinion that providers like facebook etc... would do their users a service, by explaining to them the risk of accessing their networks via open wireless networks for instance. Perhaps it is not their responsibility but it might be beneficial for them to help the public understand privacy concerns.

I agree with this. How is it facebook's responsibility if the user's wireless network is unprotected? Of course the companies are silent. It's not their vulnerability and it's nothing new, it's been like that since forever. Encrypting all traffic for them is expensive and breaks functionality. What are they supposed to say, to warn users? Something along the lines of: "Warning, HTTP session hijacking has become REAL USER FRIENDLY recently."
AGREED maybe because it's not a new threat and it's not their responsibility? This is nothing new
At least one site, GitHub, has certainly deployed changes as a result (and also pointed out that the author of Firesheep gave absolutely zero warning to the sites it targeted, which unnecessarily left a great many users vulnerable on sites like GitHub that would have otherwise been able to close the hole before Firesheep made it public information).
unnecessarily left a great many users vulnerable on sites

Except that Firesheep didn't expose any new security problem. "Hey everyone, in a few weeks I'm going to make it easier for people to exploit long-known security problems that you may have been happily ignoring" is different to "Hey everyone, I found a brand new vulnerability and I want to let you fix it before I publish it".

Yes, the problem was known before-hand by security researchers and a number of other people involved in web development. That doesn't mean it was known to users or to the developers of GitHub. In fact, given the fast response by GitHub and the tweet by pjhyett (http://twitter.com/#!/pjhyett/status/28924943340), it definitely appears that the GitHub team were not aware of this issue prior to the release of Firesheep. In any case, the release of Firesheep dramatically increased the likelyhood of this particular hole being exploited in the wild. The responsible action would have been for the author of Firesheep to notify the targeted sites about this hole with a reasonable delay before releasing the tool. His point would have still been made, but the sites that were willing to fix this would have been able to put a fix in place before users were unnecessarily left exposed.
I'm sorry, but this is a cop-out. Even five minutes of thought on how you authenticate your users would have shown that it depends on one string being a secret. Most people acknowledge that passwords shouldn't be passed in the clear. So what's the difference between a password and a session cookie in terms of its sensitivity. This is security 101. I think its highly irresponsible, and a disservice to users of all web applications, to suggest that this is new in any sense.

And, in a practical sense, who would you have expected the creators of firesheep to have warned? The top100 sites? the top500? At what point should github have entered the list? Again, this is not a vulnerability in a specific app, its a well known design error.

The vulnerability is wide-spread, but Firesheep was released with handlers written targeting specific sites, including GitHub.

So, yes, I would have appreciated a heads up from those guys.

OK, I understand why creating specific handlers might warrant a heads up.

I suppose I'm unsympathetic since every authenticated web app I've done in the last 10 years has been SSL only. But that was too 'enterprisey' perhaps :). Also I imagine that this is such an obvious thing, it wasn't a case of being unaware of the issue, just taking a conscious risk-reward decision on being SSL-only. Particularly for the really smart developers at github. One could argue that since nothing bad (that we know of) happened before firesheep, it was a valid decision.

All in all, I think Firesheep has done a big favour to the web as a whole.

PS. this thread has degenerated to using github as an example, I should probably point out that I love and respect github. really.

It doesn't matter if it's not new information or if the companies knew about it or not. It's something that should be done to avoid screwing people over. Users don't always know about this stuff. Before publishing a tool that makes it so easy to exploit users info it's a common practice to inform the companies related ahead of time in case they are motivated to fix this (such as github did) and perhaps the users so they can have heard about it before everyone has it and they are still logging in like this.
Why would they want to bring attention to something negative? What motivation do they have to make an announcement prior to fixing it unless the issue gets mainstream attention?
FYI, Hacker News is susceptible too.
Aye Aye Aye deal with it dude, quit whining. Use a good VPN and you dont have to worry!

www.web-privacy.edu.tc

This security-hole is for people surfing unencrypted networks. There are warnings you get from windows when you connect to such a network. I can assume OSX does the same.

The ferret and hamster tools did the same thing, just not packaged as an extension for firefox, and that was over three years ago. Just needed to find the cmd windows, run two programs, change your proxy and you're set.

See: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamst...

Also how would you warn the right users? You don't know which of them are affected or at risk for this issue. Maybe promote http://hotspotshield.com/ or a similar product.

Lastly, if your on a unencrypted wifi network you're vulnerable to a lot more attacks than the firesheep one. So please don't assume that just using ssl is enough to protect you. One example: http://forums.remote-exploit.org/tutorials-guides/3157-ssl-s...

"This security-hole is for people surfing unencrypted networks."

I wish that was correct; however, according to http://www.airtightnetworks.com/WPA2-Hole196 even WPA2 is vulnerable. It states: "AirTight Networks uncovered a weakness in the WPA2 protocol, which was documented but buried on the last line on page 196 of the 1232-page IEEE 802.11 Standard (Revision, 2007). Thus, the moniker "Hole196". [...] Exploiting the vulnerability, an insider (authorized user) can sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those devices. In short, this vulnerability means that inter-user data privacy among authorized users is inherently absent over the air in a WPA2-secured network."

The only prerequisite is for the attacker to be same WPA secured wireless network as the victim. There are ways to accomplish that even for private WiFi.

WEP has been cracked a long time ago. So, no actual security over WiFi alone. Need to use SSL, VPN, etc. for everything.