Corrente


Open Public WiFi Unhealthy?

okanogen's picture

I'm not a tech geek, so I don't know, but should we be concerned about this? Just as one example, how is our login info handled on Corrente?

The picture and the following from Speed of Creativity:

If you use ANY website today which requires a login but does NOT use a "persistent https" secure connection thereafter, you're at MAJOR risk of having your accounts hacked if you use open, wifi hotspots in coffee shops or other locations. Yes, this means Facebook, at least for now until they FINALLY deploy persistent https.


Comments

Submitted by Aaron Em on

[Background/bona-fides: I've been earning my bread as a programmer/analyst and sysadmin for six years now, and I spent the last eighteen years before that as an enthusiastic amateur, the kind of goober who used Linux back a decade and a half ago when Slackware 3.4 was the state of the art. One result of this is that I know how to do what Firesheep does without actually needing to use Firesheep.]

Is Corrente any safer than Facebook with regard to Firesheep? In a word, no.

Is this the end of the open public Wi-Fi world? In a word, no.

There are several reasons why Firesheep is more of a gimmick than anything else -- it (obviously!) serves its intended purpose of raising awareness among users that website user identification isn't anything like as secure as it could be, but it's not anything like the end of the world with regard to security.

The technique used by Firesheep is far from new; all that's really innovative about Firesheep is that it packages up all the necessary tools in a single easy-to-use installer, and provides a similarly easy-to-use ability to display and use the stolen login data in Firefox. Other than that, there's nothing new about it, and black-hat hackers have been doing what Firesheep does for years. (In fact, some people have automated it even more thoroughly than Firesheep does -- read the horror stories some time about the Defcon 'Wall of Sheep', and reflect on the fact that that's all done automatically, without any real need for human intervention.)

But what's really important to keep in mind here is: Most laptops aren't properly equipped to run Firesheep at all, and actually cannot be used for this kind of attack at all.

In order to do what Firesheep does, you need to have a Wi-Fi adapter (this 'adapter' is usually entirely internal, but anyway that's the term) in your laptop which is capable of what's known as "promiscuous mode" -- that is, the ability to listen to every piece of information going across the network it's on, instead of only the traffic that's actually intended for that particular computer. And it turns out that relatively few laptop Wi-Fi adapters have this capability -- which means that relatively few laptops will be able to capture anything at all using Firesheep. (Of course, the black-hats know which adapters work and which don't, and make sure to get ones they can use -- but the ones built into most laptops, in fact nearly all laptops, can't do it.)

So is Firesheep a reason to stop using public Wi-Fi altogether? No. But it is an excellent illustration of how easily real black-hats can impersonate you on all kinds of websites, especially since the Wi-Fi attack isn't the only way of stealing these cookies. (It is more or less the easiest, though.) With any luck, the website developers will take a hint and go to the relatively small extra effort to provide strong protection for their users. Unfortunately, though, I know a lot of reasons to be rather cynical on that particular score, with the exception of Facebook, Twitter, Gmail, and any other service who can expect a wide-scale compromise of user security to result in a complete and utter PR catastrophe of the sort which permanently decimates users' confidence in the platform, and with it their willingness to use the platform at all -- and when your users are your product, that kind of PR catastrophe can easily spell the death of your business.

It's also worth keeping in mind that the same attack can also potentially be used to steal credentials from your email client, your IM client, or anything else that sends a password over an unencrypted connection; if you're worried about Firesheep, it's worth also worrying about those things. Fortunately, almost all email clients, and most email servers, support encrypted connections, which will protect against this attack; check with your ISP or email service provider for help with setting that up.

Speaking of encrypted connections, they protect Web traffic from this attack as well; while Facebook, Twitter, and Gmail (to pick three easy examples) all support secure (HTTPS) traffic, they may not make it easy to use. Fortunately, there are Firefox plugins to solve that problem: try HTTPS-Everywhere, for easy coverage of the most common services, or Force-TLS, which can cover sites not included in the easy-to-use, but rather simple-minded, HTTPS-Everywhere plugin. (Remember what I said about being pessimistic of the chances for quick and widespread fixes for this kind of attack? These plugins are how you solve that problem from your end, instead of waiting for the developers of your favorite service to get off their thumbs and solve it from the right end.)

And, finally, the best defense is to avoid the problem entirely: if you don't log into anything over open Wi-Fi, then you won't be sending out any credentials to be stolen in the first place -- if you find it onerous to restrict yourself from using Facebook, Twitter, et al while you're at Starbucks, consider firstly that HTTPS-Everywhere or Force-TLS can protect you at the cost of slightly slower page loads, secondly that the security risk isn't all that much greater now than a couple of months ago anyway, and thirdly that taking a break from your social networking entanglements can be a surprisingly salutary experience in any case.

Hope this helps!

Submitted by lambert on

Ergo, Corrente is no more and no less safe than Facebook in terms of the issue Firesheep is handling, as I understand it: credentialling happens in the browser, not at the site.

It would be possible for session information, stored in the form of a cookie, to be captured; which is why it's good to expire session information. The tradeoff is that sometimes users get logged out when the session is expired.

In terms of account information, the Drupal platform is very security conscious.

UPDATE Adding... Perhaps I could get my ISP to redirect HTTP to HTTPS? I know redirect the term, but you see what I mean.

Submitted by Aaron Em on

Corrente may not have control over the browser, but it certainly does have control over whether or not SSL (HTTPS) connections are required; I've written code to do that myself, so I know it can be done. (In PHP, you want to check whether $_SERVER['HTTPS'] is defined; if not, you want to redirect to (IIRC) 'https://' . $_SERVER['SCRIPT_NAME'], probably passing along some sort of session identifier since cookies for http://correntewire.com won't be sent to https://correntewire.com. Since you're using Drupal, though, I wouldn't recommend doing it by hand in that fashion; the platform almost certainly already provides a well-integrated way of enforcing SSL connections, and you just have to find it in the documentation.)

Expiring session information after some absolute length of time is by comparison an undesirable solution; not only does it occasionally boot the user (which can be really annoying if it happens while composing a long comment, let's say), but if you're not enforcing SSL and the client doesn't happen to have Force-TLS installed and configured to enforce it for you, then the cookie is just as vulnerable to sniffing and exploitation for as long as it's valid as it would be if you'd done nothing at all to try to improve security.

Drupal's developers seem more concerned with writing secure code than most PHP developers (which is almost damning with faint praise), but if you're bound and determined to shoot yourself in the foot, they can't stop you.

(FYI, SSL on correntewire.com appears not to be working in any case, so it seems a moot point at the moment.)
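The server-side check discussed in the comment above, written out as an added example (not code from this thread, from Corrente or from Drupal). It assumes PHP 7.3 or later; the host name `www.example.org` and the function names `request_is_https` and `https_url` are placeholders chosen for illustration.

```php
<?php
// Added example: a hand-rolled HTTPS gate for a PHP front controller.
// CANONICAL_HOST and both function names are hypothetical placeholders.
const CANONICAL_HOST = 'www.example.org';

/** True when the current request arrived over TLS. */
function request_is_https(array $server): bool
{
    // $_SERVER['HTTPS'] is non-empty on TLS requests; some servers set
    // it to the literal string "off" for plain HTTP.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** HTTPS URL for the same resource on the configured host. */
function https_url(array $server, string $host): string
{
    // Use a fixed host rather than the client-supplied Host header, and
    // REQUEST_URI so the path and query string survive the redirect.
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_https($_SERVER)) {
        // Redirect before any session is started, so no session cookie
        // is ever issued on the cleartext connection.
        header('Location: ' . https_url($_SERVER, CANONICAL_HOST), true, 301);
        exit;
    }

    // Ask supporting browsers to use HTTPS for every later visit.
    header('Strict-Transport-Security: max-age=31536000');

    // Secure: the browser sends the cookie only over HTTPS, so it never
    // appears on an open Wi-Fi network in cleartext.
    // HttpOnly: page scripts cannot read the session identifier.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
```

The redirect only moves later traffic to HTTPS; it is the `secure` cookie attribute that keeps the browser from sending the session identifier on any plain-HTTP request to the same host.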

Submitted by Anglachel on

[Technical bona fides - earning my paycheck in web development since 1997, support(ed) systems for major government, law enforcement and military agencies, subject matter expert on browsers, work with an information security team on web-based threats as a part of my daily job, have been working on computers since the days of DOS 3.x]

The threat of Firesheep is the same threat as someone walking down a street in a suburb pretending to be a door-to-door flyer guy, but who tries each door to see if it is open and grabs small valuables as he passes through. Sudden, shocking, and usually preventable by locking your door.

First, be sure your own wireless network at home, if you are on WiFi, is encrypted. Your router will have instructions.

Don't go anywhere on a public WiFi where you will need to provide a password. Just don't. No, not even once. If you are dealing with a life/death situation, your phone is faster. Short of that, don't connect. There is NOTHING you have to say or read that is worth logging in over open WiFi, even with add-ons that force things to https. Those add-ons themselves are susceptible to hacking.

Next, never use any site where money is exchanged (a bank, an online merchant, etc.) where the web site you're going to is not using the https:// protocol. Some browsers strip that information out (I believe Chrome does by default, but can be forced to show it) and prevent you from knowing how your information is being communicated. All reputable sites will use it. If you can't confirm the https protocol, close the browser window.

Encryption for email is, frankly, overkill for most people unless you are emailing a password. In that case, use an encrypted service, but understand that if it is web-based, your email has been read. I really hate the fetishization of email encryption.

Never use a site where money is exchanged except using your browser's version of "InPrivate" browsing. That mode will isolate your browsing session and prevent add-ons and other things on your computer from injecting themselves into your browsing session.

Never allow PDFs to open in your browser. Make them open as standalone documents. You are FAR more likely to be hit by a malicious PDF than have someone hijack your Facebook session at Starbucks.

Don't ever use the same password for a financial or payment site as you do for your Facebook account! NEVER. A log in to Facebook is useless for anything except Facebook unless you have used the same one for your bank, your PayPal account, and your Amazon account.

Your account for Facebook, Corrente, Blogger, whatever, is more likely to be compromised by a key logger program already resident on your machine than by a stranger using Firesheep at Starbucks. If you have a Windows machine, install Windows Security Essentials, a free download, and run it all the time. Keep your PDF out of your browser (the biggest attack vector in computing today), turn off auto-recover in your browser, and always keep your browser updated to the latest version or patch.

Long story short, you are most likely to have your accounts taken over by a family member than by anything else. Next, you are most likely to have trouble from a malicious program resident on your system that you got from a PDF or from an email link. You are really not likely to be hijacked at a public WiFi.

Put threats into perspective and act rationally and methodically to reduce them.

Please read my online article Safe Browsing for detailed instructions on how to secure your machine. It is Windows-centric, but the overall approach will work for any system.

I run Windows 7 with IE9 Beta as my primary browser and Firefox 3.6.x as my secondary, with WSE as my only anti-virus/malware. My local WiFi is encrypted. I haven't yet been hacked, but there's always tomorrow.

Anglachel

Submitted by Aaron Em on

"Encryption for email is, frankly, overkill for most people" -- I'm not talking about PGP/GnuPG/what-have-you, but just about using an encrypted connection to your mail server so that your password isn't being transmitted in the clear.

Submitted by Anglachel on

Hi Aaron,

Yes, if you have https as an option for email, then use it. Also, thank you for your post - it is good, solid info all the way around!

One way to ensure https for email is to only connect via an email client (Outlook, Live Mail, Thunderbird, etc.) rather than going directly to a web site for your email. The email clients use encrypted connections to the mail servers by default. Always double check your settings to ensure it is encrypted inbound and outbound.

Anglachel

Submitted by okanogen on

Especially Anglachel for that fantastic security settings resource! I had a "computer guy" working for me and about the only good thing he did was set up Windows Security Essentials. The rest of these settings for PDF and browser were total Greek to me, but following the simple, well-described settings has put my mind at ease.

Two computers down, 8-9 to go....

But what about smart phones?