Life In The Time Of FireSheep

A couple of weeks ago at Toorcon security researcher Eric Butler released a curious new plug-in for the the popular Firefox web browser. Known as FireSheep this plug-in allows even an unskilled person to monitor traffic on an open wifi network. It further allows its users to capture the login data exposed as web browsers of other people on that WLAN perform logins to sites like Facebook, Twitter, FourSquare, etc.

I won’t go into how it works since others had done a nice job of that already. Suffice it to say that this is scary stuff given how common it is for people to use open wifi networks at public places, usually without giving it a second thought..

FireSheep was not intended as a tool for criminal or malicious activity. It’s release was intended to expose a security issue in the way web browsers handle cookies arising from login. While the login process itself is secure, the handling of the resulting cookies usually is not.

Whatever the intent, it’s certain that some less scrupulous people will use it or the lessons learned from it for illicit purposes such as identity theft.

If you follow some of my writing here you’ll know that I travel frequently for business. In my meanderings I routinely make use of unsecured wifi networks at airports, hotels, restaurants, conference centers and even some of my customers sites. Do I worry about FireSheep and the possibility of someone stealing my logins? No. Not one bit.

In response to FireSheep some have called for a migration away from open wifi in public places. Others have suggested that all web sites should make use HTTPS to secure more of their their traffic. Both of these are fine ideas, but not likely to happen any time soon.

These ideas require that many people or companies act on behalf of users to secure their online activities. The simple fact is that, in some quarters, security is not the high profile issue that it should be. Those companies or services may not act until pressed.

There is another way. You can act to secure your own activities. By using a personal virtual private network (VPN) connection when using an open wifi network you effectively thwart FireSheep, passing all your traffic over an encrypted tunnel.

Companies have long used VPNs to secure their traffic between remote users and network resources. However, a personal VPN is also easy to setup. In my case I have VPN access to my home office network since my router (m0n0wall) supports VPN connections from the outside. As I travel I can connect back to the office to fetch files or perform admin functions on systems inside my LAN.

When I am connected back to my office by VPN all of the traffic to/from my laptop is passed over a secure tunnel to my router. There is a networking setting called “use the default gateway on the remote network.” This setting defaults to enabled when you establish a VPN connection under Windows. Thus when VPN connected the rest of the world sees me as being at my office, regardless of where I might actually be.

This wholly DIY approach to a personal VPN is essentially free. Some will find such measures a perfectly adequate solution. However, the truth is that I don’t use my home office VPN connectivity in this manner.

I find that directing all my traffic via my home network can slow down my network access, especially if I’m far from home. Being an impatient sort I’d prefer to avoid this.  So when I travel I make use of a personal VPN service offered by WiTopia.

There has been a community of people concerned about personal information security for as long as the internet has existed. The people who founded WiTopia come from that community. They were contributors to the open-source OpenVPN project and reportedly the first entity to offer a commercial service based upon OpenVPN.

WiTopia offers several kinds of service, supporting different types of VPN connectivity. The most basic service, at $40/year, uses “Point-to-Point-Tunneling Protocol” aka “PPTP.” PPTP is quite old and not regarded as highly secure.

A determined hacker can crack PPTP. Nonethless, PPTP remains widely deployed. It remains in use because it is doesn’t require an installed client application. It’s supported by all major computer platforms with no added cost, and it’s relatively easy to setup.

Some experts feel that poor security, as exemplified by PPTP, is as bad as no security. It provides only the illusion of being secure.  It’s also worth noting that a simple door lock keeps my neighbors at bay, but a skilled and determined thief can break-in to just about any home.

For $70/yr WiTopia also offers a more secure connect method based upon the IPSEC standards. This connect method is considered very secure. It would take a very serious effort to decrypt the traffic passed over an IPSEC tunnel. This is the WiTopia service that I use.

Their IPSEC service requires that you install a client application that is cryptographically signed, linking it specifically to your WiTopia account. The installer for the client software is automatically generated when you sign up for your account. A single account allows for a single connection to one of their proxy servers, but can be installed on any number of computers. I have it installed on both my laptop & netbook.

Witopia maintain a large pool of proxy servers around the world. These are listed in the client application. By logging into a proxy server near your actual location you should have the fastest access. Logging into a more distant proxy makes you appear as if you are at that location.

More distant proxies can be useful for specific purposes. Perhaps you are traveling in Europe but want to watch some US television via Hulu? Logging into a proxy in the US could make this possible.

Be warned: some services, including Hulu, try to track the IP addresses of such proxy services. They want to force you to stay within their terms of service, which specific prohibit viewing from outside of the US. Companies like Witopa play a strange game of whack-a-mole, constantly moving their servers IP addresses to stay ahead of such efforts.

I have occasionally found WiTopia‘s personal VPN service to be helpful in odd or unexpected ways. For example, on my last business trip to Montreal I was frustrated by poor internet access at my hotel. The basic IP connectivity was fine but the ISPs DNS server was often unresponsive. The result was that I was technically online, but not always able to reach other sites or services.

Once I logged into a nearby WiTopia proxy all of my traffic was routed through that server and they provided DNS services. This free’d me from the troubled DNS of the hotel’s ISP.

The WiTopia client is a small application that runs in the background. When I’m on unsecured wifi I simply select a nearby proxy and login. The client remains running through laptop suspend/resume to hibernation cycles. When I next power-on it automatically tries to re-establish the connection to the proxy. It’s all very automatic, which I appreciate.

Some people will likely view the use of a proxy service like WiTopia as suspicious, a sign that the user is up to no good. I think that things like Fire Sheep highlight the importance of such services as tools for securing our personal data, even for routine online activities.

I encourage you to take your online security seriously. Act where you can to provide a sensible measure of security, especially when using open Wifi networks. Don’t wait for companies like Amazon, Facebook, Google, Twitter or FourSquare to do it for you.

By the time everyone else takes security seriously you may find that someone has already raided your Farmville account, stolen all the animals and driven off with your tractor.

To close I’ll leave you with a memory from the TV show Hill Street Blues:

“Be careful out there.”