Stealing Passwords at Starbucks?

As a web development company, we got asked quite a few technical questions (obviously).  Some of those questions fall outside the scope of what we do – we design and develop great websitea, we don’t fix your brother’s Windows XP machine.

But, one typical question that we get a lot of relates to security.  Specifically, how can I (or my company) be safe online.

Well, this really is a complicated questions.  But recently, I was at a local Starbucks and just had to try out a new firefox plugin.

Recently a firefox plugin was released called FIRESHEEP.  This simple little plugin takes just seconds to install, is incredibly simple to use, but can wreak amazing havoc!

Just what exactly does FIRESHEEP do?  After installation, it adds a sidebar to your Firefox browser.  This sidebar has one simple button labeled “Start Capturing”.  When enabled (meaning you click the button) it captures anyone’s (yes, anyone) login credentials!  What does this mean?  Well, take a look at what I grabbed in just a few minutes at Starbucks:

Fire Sheep Output

I’ve blurred out all the names and replaced all the images with the blank people.  But, in just 5 – 10 minutes at a local Starbucks, I was able to log into 3 different facebook accounts, 1 twitter account, 1 wordpress web site, 1 amazon account, and 1 GitHub account (it’s a code storage service for programmers).  Amazing.  Or Terrifying…  All this without ANY special knowledge on my part.  All I had to do was start the plugin.  Then when I clicked on the top Facebook icon, I was instantly logged into facebook AS THAT USER.  I can change things, update things, delete things – do anything I wanted.

So, how does this work?  Well, first of all, I did not ever have access to the users password.  We’ll use Facebook for our example here.  I never had the user’s facebook password.  When you log into facebook, typing in your username and password, you are on a secured web site – your browser has HTTPS at the start of the web address.  What this means is that all the communications between you and the server (Facebook) are totally encrypted and can’t be read by anyone who happens to “capture” them.  So, this is good.  But, once you are logged into Facebook, the pages go back to HTTP – meaning the communication is NOT encrypted and if someone just happens to capture the communication, they can read it.  Now, it gets a bit complicated, but the next step in the process involves how Facebook knows you are already logged in.  Obviously, as you navigate your way around Facebook, you don’t want to type your password in every single time.  So, how does Facebook know you are indeed you?  Well the answer is your cookie.  Websites you visit regularly stores bits of information on your computer called cookies.  These cookies contain various bits of information.  One bit of information is typically a session id.  This session id is a unique number or ID that proves to Facebook that you are who you say you are.  So, when you click on a link on Facebook, the web site asks for this Session ID to verify it is you who really did this.  Without the Session ID, you would have to log in again.  But, the problem is that this Session ID is sent unencrypted to the server.  So, anyone who is listening can get this session ID.  And, once someone has your Session ID, they can “pretend” to be you until you log out (which essentially kills your session id).

Sound scary?  It should.  This means anyone at a public wi-fi hotspot (like Starbucks) anyone can log into your facebook, twitter, google, amazon and other accounts (by the way – firesheep only works on 30 or so sites – but it includes all the big ones).   They could post updates, send tweets, send messages, and more.  All without your knowledge.

So, what can we do to prevent this?  Well, here’s a few simple (and a couple not so simple) solutions:

  1. Avoid unsecured wireless – the simplest solution is to have use wi-fi security.  If the coffee house would simply turn on WPA encryption, most of the problems would be solved.  The could freely advertise the password, or just make the password password.  Just by simply using WPA, they would fix most issues.
  2. Realize that this is limited to certain sites.  Sites such as you bank always use HTTPS.  And, by it’s very nature HTTPS isn’t vulnerable to this problem. But, it’s still not a good idea to do banking on unsecured wi-fi networks (for many reason).
  3. If you use Firefox, consider using HTTPS EVERYWHERE plugin (http://www.eff.org/https-everywhere).  This plugin will attempt to convert HTTP connections to HTTPS connections.  Again, this would solve the problem.  The best solution is just to make Facebook, Google, et. al. use HTTPS.  But, realizing that they probably won’t change soon, this plugin does it for them.  It works on Amazon, Facebook, Twitter, Google Search, Paypal and others.  This is a good solution requiring very little work.
  4. Use a VPN solution – a VPN is a Virtual Private Network.  Basically, a VPN creates a private and secure line from your computer to another server.  Then the connection goes out to the internet.  This method virtually guarantees that you are secure.  It definitely solves the Firesheep problem.  However, VPN’s can be a bit complicated and sometimes cost money.  A decent free solution is provided by HotSpot Shield.  This free option does have advertisements and is limited to approx. 2 GB a month.  But, it is a really good solution when at a public wi-fi access point.

What about you?  Any ideas?  What do you do to be secure when out in public?

Leave a Reply