Firesheep

Public wireless locations just got a bit more dangerous.   It has never really been ok to use open unencrypted wireless connections such as at the Library or Panera Bread.   Unencrypted wireless connections can be snooped on by anyone within range of the wireless.   Encrypted connections aren’t much more trustworthy.   While an ISP or a company might have controls in place to prevent snooping, the local coffeeshop doesn’t notice sniffers on its credit card terminal much less the internet connection.  

One way to battle this is through VPNs.   Unfortunately my company doesn’t use an always tunnel VPN or even make available an “always tunnel” profile for those of us who would like to be more secure.   Even with an always tunnel VPN you have to wonder what programs autolaunched (like AIM) and are performing an autologon before the VPN is established.   Are these apps logging in over SSL?   Are you sure?  Those who really need to be secure don’t use even an always tunnel VPN on “publis” wireless.

As I just said, SSL is another way to address a hostile environment.   The problem is how many of your sites implement SSL for the complete session.   SSL provides authentication of the remote website.   More precisely it demonstrates that they have purchased a certificate from a Certificate Authority that you have chosen to trust or has paid your browser or Operating System to be included as a trusted Certificate Authority.   SSL also provides data confidentiality.   Providing encryption is slower than just serving the webpage in cleartext so web providers often merely encrypt the username and password.    The problem is, websites generate a cookie that is used for the duration of the session and longer if you dont log out.   If that cookie is transmitted over HTTP rather than HTTPS it is possible to grab that cookie and use it for authentication.  (I believe the cookie could be tied to a specific IP, but most websites don’t do that.)

There is now a tool Firesheep being reported in the Infosec media and introduced at ToorCon.   It is a Firefox plugin that makes session stealing so easy a caveman can do it.  

The sad truth about security advice is until Mrs. O’Leary’s cow kicks over the lantern, you’re just Dr No.    As a security professional, I already mistrust public WiFi.   Hopefully this tool will publicize the existing danger of using public wireless connections.