As an update to my recent post, This Week in Tech, the FireSheep browser sidebar application has become quite the buzz. It’s a much-talked-about application in our office, and we’re getting word from other companies about it too. Official responses from the large social media sites we use on a daily basis are starting to trickle out over the wires, and it’s turning out to be quite a hot topic. I want to share a few different angles with you and hope that this helps you understand this somewhat elusive, but widely discussed, program.
The first cause for concern, as originally stated, is that the Internet as a whole isn’t a very safe place to be. No matter how long our passwords may be, they really don’t do anything except establish a session between our browser and the server by means of a cookie. We’ve all heard about cookies. They store little bits of data in text files which are then read by the site that created them (we would like to believe these are only accessible by the site that created them). The data saved in these files establishes our identity, and various functions and tools are then presented so that we can perform tasks that carry our name: our identity. It’s important to stress what I’ve just said: Our Identity.
You may remember that last year in November, a Barrow County teacher lost her job because of postings she made on Facebook. CNN also posted an article in April ’09 called Fired for Facebook: Don’t Let it Happen to You, which gives a few different examples of how Facebook messages and Twitter tweets can get you fired. This stuff also stands up in court, and considering that geolocation information can also be attached to a tweet or status update, it’s all the more reason why we would want to keep Our Identities intact.
So here we are: we’ve logged into a website using our ultra-secure, sixteen-character password of uppercase letters, lowercase letters, exclamation points, dashes and numbers, and a simple cookie is then written to the hard drive saying that we successfully authenticated with the server. This cookie is then read by the website and, if the correct textual information is present, the functions and information relevant to our privilege level and/or who we are get presented. A user running FireSheep, with the necessary network sniffers picking bits of information out of the network chatter, is presented with options to act upon which essentially let them hijack another person’s session with an insecure site. Security on the web has mostly been limited to online transaction sites and pages: PayPal, Amazon.com, account functions, email such as Gmail, online banking, to name a few specifics. The area, however, where security isn’t really emphasized is everything else: information services such as online news, review boards, forums, and also sites that take information from users to add to their databases. Most services don’t need it, but mega sites such as Facebook and Twitter really should.
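The paragraph above is the heart of the matter: once the login is done, the cookie is the identity, and a cookie sent over plain http can be read by anyone on the same open WiFi. The browser-side rule that stops this is the cookie’s Secure attribute (the browser will only attach a Secure cookie to https:// requests), and HttpOnly keeps page scripts from reading it. The script below is an added example of mine, not code from the original post or from the Firesheep project: it parses constructed Set-Cookie header values (the site, cookie name and value are made up) with Python’s standard library, reports which protective attributes are missing, and models whether a browser would send each cookie over http or https.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie off
plain HTTP, and model what a browser does with the cookie on each scheme.

Added example; the header strings below are constructed for illustration and
do not come from any real site."""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (hypothetical cookie name/value).
WEAK_HEADER = "sid=abc123; Path=/"                        # no Secure, no HttpOnly
HARDENED_HEADER = "sid=abc123; Path=/; Secure; HttpOnly"  # what a site should send


def _parse(header_value: str) -> SimpleCookie:
    """Parse one Set-Cookie header value into name -> Morsel."""
    jar = SimpleCookie()
    jar.load(header_value)
    return jar


def audit_set_cookie(header_value: str) -> dict:
    """Return, per cookie name, the list of protective attributes it lacks.

    An empty list means the cookie is marked both Secure and HttpOnly."""
    report = {}
    for name, morsel in _parse(header_value).items():
        missing = []
        if not morsel["secure"]:      # cookie will travel over plain http
            missing.append("Secure")
        if not morsel["httponly"]:    # cookie is readable by page scripts
            missing.append("HttpOnly")
        report[name] = missing
    return report


def browser_would_send(header_value: str, scheme: str) -> dict:
    """Model the browser rule for each cookie in the header.

    A cookie marked Secure is only attached to https:// requests, so a
    sniffer on an open WiFi network never sees it in cleartext; a cookie
    without Secure is sent on both http:// and https:// requests."""
    return {
        name: (scheme == "https" or not morsel["secure"])
        for name, morsel in _parse(header_value).items()
    }


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "missing:", audit_set_cookie(header))
        for scheme in ("http", "https"):
            print(f"  sent over {scheme}: {browser_would_send(header, scheme)}")
```

Run it as a script to see the two headers side by side. The weak header is the situation the post describes: the session cookie rides along on every plain http request and can be picked out of the network chatter, so the site’s password strength is irrelevant to the hijack. The hardened header only helps if the site also serves its pages over https, otherwise the browser simply never sends the cookie and the user is logged out, which is exactly why the big sites have to move the whole session to SSL rather than just flip a cookie flag.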
The given norm is that security should only be implemented where it’s needed, because it’s expensive and can be slower than normal http traffic. Security certificates are also pretty expensive, unless you know that there are much cheaper certificates out there that cost considerably less than the $600-odd per year (and sometimes more) charged by the big cert providers. There are certificates out there that cost less than $50 per year, and they’re all valid and offer the same security levels. Then, not only are you looking at hosting costs, security certificates and an SSL layer add-on, but a static IP is also needed. This also drives up the cost of implementing security, by tens or hundreds of dollars depending on the hosting solution you choose. There are many sites out there that don’t even recoup the costs of their website but merely have one because “everyone has a website”. Occasionally the odd inquiry comes through which may potentially lead to a sale. Sites like these do not need such security measures. With the larger sites, though, you’re talking millions of dollars’ worth of business being carried out via that presence on the web, and in such cases security is a vital must.
Facebook is in the process of getting SSL set up on the site; however, it will only be fully implemented in the coming months, as reported by Forbes earlier this week: Facebook Responds to Firesheep WiFi Security Controversy. It’s interesting to read that Google has been able to implement security at relatively lower costs than expected. One really should take note that Google has indeed made huge technological strides that have taken the Internet by storm. They’ve created the largest data centers we’ve come to know, and I feel that we have a great deal to learn from what has been discovered and created. Whatever the secrets, now would be a great time to learn them so that the whole web can benefit from the holy grail: affordable, high-quality internet services and valuable content.
A colleague of mine kindly provided me with a link to a very interesting article about the legal implications, if any, of using FireSheep, and in what sort of context. ComputerWorld asks, Is it legal to use Firesheep at Starbucks? Firesheep is much like any tool. You can use a hammer in the right way, by driving a nail into the wall as a fastener, or you can use the hammer to break a window and gain unlawful entry. There are two sides of the fence to this program. The first is that this program was created to highlight the insecurity of the web and what is needed to fix it; the other is the use of this program for illicit activities, or for personal or fraudulent gain. The overall publicity that this application has gained over the past couple of weeks clearly shows that the objective the creator set out to achieve has certainly been met. Everyone is talking about it, and yes, there are also people that are abusing it.
In the Facebook Responds article mentioned above, there’s a link to another Forbes article that introduces FireShepherd, which counteracts the FireSheep application by flooding it with garbled junk that crashes it. It’s also important to have a good password policy. The two biggest rules: regularly change your passwords, and never use the same password for a different site, ever. Be street wise and never share your password with anyone. Think of what would happen if someone gained your online identity, even if only a fraction of it. Until a fix is in place, don’t rely on unsecured WiFi networks for communications that aren’t secured via SSL (look for https in your address bar).
Finally, don’t panic. This is like our reaction when we first came to realize that we were surrounded by microscopic organisms and bacteria that could kill us. They had always been there, but we never knew because we couldn’t see them. The main thing is that everyone has now been educated about these insecurities, and steps are being taken to improve online security as a whole. Just stay vigilant and speak out if you know something isn’t right.
Do you have any questions about the use of Firesheep? What are your thoughts on the program?