

Firesheep





loyal
Hey all,

There's been a lot of worry in technology news about Firesheep, a Firefox plugin. But no one's really explained properly what it is or how it works. Anyone wanna explain?

Peace.
ahnguye5
The guy who wrote the plugin is trying to point out that web apps like Facebook and Flickr are insecure. Your login information is encrypted but everything else isn't. So, in an open wi-fi network, firesheep will hijack another person's account using the unencrypted cookies.
weableandbob
Pretty much, if someone has it installed and running, that person has access to accounts that other people on the same network log into.
loyal
ahnguye5 wrote:
The guy who wrote the plugin is trying to point out that web apps like Facebook and Flickr are insecure. Your login information is encrypted but everything else isn't. So, in an open wi-fi network, firesheep will hijack another person's account using the unencrypted cookies.


Oh, I see. But how does one solve that problem? Aren't you just using the cookie to be logged into someone's account? So how is that the website's fault?

weableandbob wrote:
Pretty much, if someone has it installed and running, that person has access to accounts that other people on the same network log into.


Unless that network has a password, right?

Peace.
kacsababa
It's a two-sided problem. Of course it's the problem of unsecured WLAN networks, mostly open wifi hotspots.

On the other hand, the website could use an SSL connection whenever they authenticate the user; this secures the site more, and for example Firesheep can't steal the information because it "travels" encrypted.
silverdown
Never heard of it till now but it does sound interesting.....
ahnguye5
I think it's the website's fault because authentication is encrypted but session cookies aren't. So when you're communicating with the website, those cookies are sent in plain text. Firesheep sniffs it up and is able to spoof you.

It only works on open wifi networks and if you're already logged in. It doesn't get your password.
ahnguye5
Zscaler released a Firefox add-on that detects if anyone is using Firesheep on your current network. I think it only detects and notifies you but does not protect. Still, pretty clever how it is achieved. Check it out here.
menino
What if someone uses the https sites to log in to their information, is Firesheep still able to decrypt the cookie info?
PureReborn
menino wrote:
What if someone uses the https sites to log in to their information, is Firesheep still able to decrypt the cookie info?


No, the whole point of firesheep is to get vendors to support https for login.
FunDa
Well, FireSheep is a firefox add-on to make a "hacking" technique called session hijacking very very easy to do.

The author wanted us to realize that it IS very very easy for someone else to log into your account if you are using a public WiFi with the kind of security most websites like Facebook, and Flickr are using now.

He just made what used to be type-and-press-enter into point-and-click so that we know that it is dangerous.


Also, if the websites use https:// instead of simply http:// , then this attack would not be possible.



After Firesheep came out, FireSheep detectors and blockers have been released like BlackSheep and FireShepherd.
ahnguye5
Firesheep doesn't decrypt anything, it just sniffs out those session cookies that travel on the wire after you've authenticated to the website already. Because after the encrypted login, interactions, with Facebook for example, are no longer encrypted.

This brings about a problem that is not so easy to solve. Rafal Los does a good job of explaining it here: http://ow.ly/36hHe

To summarize, websites cannot just encrypt everything because that would put a greater load on the servers. That would mean that companies would have to beef up the hardware to handle the extra work. For now, there are some solutions like the EFF's HTTPS Everywhere add-on for Firefox.
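
Added example, not part of any post in this thread: the posts above describe session cookies that are set after an encrypted login and then travel in plain text. This Python check audits constructed response headers for cookies missing the Secure attribute and for an HSTS header; the cookie names and header values are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    secure: bool
    http_only: bool

    @property
    def sniffable(self) -> bool:
        # Without Secure, the browser also sends the cookie over plain http://,
        # where anyone on the same open network can read it.
        return not self.secure


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def audit_login_response(headers: list[tuple[str, str]]) -> dict:
    """Report which cookies can cross the network in cleartext, and HSTS status."""
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    return {
        "exposed": [c.name for c in cookies if c.sniffable],
        "protected": [c.name for c in cookies if not c.sniffable],
        "hsts": hsts,
    }


# Constructed sample responses (hypothetical cookie names, not captured traffic).
WEAK = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print(audit_login_response(WEAK))
    print(audit_login_response(HARDENED))
```

HttpOnly alone does not help here: it hides the cookie from page scripts, not from someone reading unencrypted traffic on the network.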
loyal
This deficiency in security was always present. Firesheep simply makes it available for anyone, even computer noobs, to "hack".

I think extra server load is a price worth paying for security.

Peace.
Hogwarts
ahnguye5 wrote:
Firesheep doesn't decrypt anything, it just sniffs out those session cookies that travel on the wire after you've authenticated to the website already. Because after the encrypted login, interactions, with Facebook for example, are no longer encrypted.

This brings about a problem that is not so easy to solve. Rafal Los does a good job of explaining it here: http://ow.ly/36hHe

To summarize, websites cannot just encrypt everything because that would put a greater load on the servers. That would mean that companies would have to beef up the hardware to handle the extra work. For now, there are some solutions like the EFF's HTTPS Everywhere add-on for Firefox.

Actually, some of the more awesome ones are working towards it..

Now that CPUs are coming out with hardware accelerated AES and we're seeing speed increases in the order of 8x faster (and upwards), encryption is becoming much more viable.
the-guide
Interesting! I've never heard anything about "Firesheep" before, thanks to all for sharing the info.
I think I must beware more on the Net!
