Mozilla Security

Firesheep Is Just The Messenger

I must say that I’m glad to see there are no plans to pull Firesheep. Add-ons have a lot of power since they run in a privileged space. Anything your browser can access, your add-ons can access. The point of being able to kill add-ons was to protect the user in situations where an add-on was either bundling malware or sending information without the user’s consent. Firesheep does none of that. It behaves exactly as advertised. It also causes no harm to the user or their computer.

Firesheep doesn’t do anything that couldn’t be done with a packet sniffer; it just makes it trivial enough that the average person can do it. It just makes a flaw in many websites more visible. The more technical folks have known this for years. Firesheep is just the messenger. These insecure bits of traffic have traveled across the wire for a decade or more. All traffic across Ethernet is visible to all devices. This is how Ethernet works. The network is a shared medium. It’s just a matter of looking at it. WiFi is a slightly different ballgame, but at the end of the day, if a wireless signal is unencrypted, it’s just a matter of listening.

I am not a lawyer (nor do I play one on TV) but from a legal perspective I suspect Gregg Keizer is correct in suggesting that it’s likely legal under federal wiretapping statutes (ethics is another debate). However, a company likely can still fire you for using it, and a school likely can still kick you out for using it on their network. Private networks have their own rules and policies.

That covers the detection of a session. If you were to actually session jack, that would likely be considered fraud, hacking, identity theft, etc. depending on what you do. Generally speaking, unauthorized access to a computer system is illegal. If you are using someone else’s credentials, that’s by definition unauthorized access.

Electronic communications law is hardly considered developed or mature, but generally there isn’t an expectation of privacy when no encryption is used and transmission is done over a shared connection. It’s akin to speaking to someone on the street and being overheard. That said, if someone reads their credit card number while on a cell phone call and you use the credit card information you overheard, it’s still fraud regardless of the interception method.

Bottom line: It’s time to start securing connections.
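The flaw Firesheep makes visible is a session cookie that crosses the network without encryption. As an added example (not part of the original post), the Python below audits a site's response headers for the settings that keep a session cookie off cleartext links; the sample headers and the `session_id` cookie name are constructed for illustration.

```python
# Added example: the sample responses are constructed, not captured traffic.

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    header_names = {k.lower() for k, _ in headers}
    if scheme != "https":
        # Everything in this response, cookies included, is readable on the wire.
        findings.append("response served over cleartext HTTP")
    elif "strict-transport-security" not in header_names:
        # Without HSTS a later visit can still start over plain HTTP.
        findings.append("HTTPS response without Strict-Transport-Security")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:
            # The browser will also attach this cookie to plain-HTTP requests.
            findings.append(f"cookie {name!r} lacks Secure attribute")
    return findings

# Constructed sample: login over HTTPS, but the session cookie is not Secure.
WEAK = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
])

# Constructed sample: HSTS set and the session cookie restricted to HTTPS.
HARDENED = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(*sample))
```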

2 replies on “Firesheep Is Just The Messenger”

For what it’s worth, I’d suggest not using the phrase “expectation of privacy” when discussing this, as (as I’m sure you know) “reasonable expectation of privacy” as a term of art applies only to the privacy of a person’s affairs against government “searching”. Maybe that’s actually the meaning you intended to convey in that sentence, but as the thrust of the article concerned hijacks by non-governmental third parties, it seems unlikely to me that that was your intent.

David- That’s a pretty bad idea for a bunch of reasons. First, routers don’t generally accept push updates- it’s a fetch operation. And second, removing administrative choice from our electronics isn’t a cause we need to further. Agreed. I like Steve’s notion of a universally-agreed free WPA password as a start. It sounds like it’d be a lot of administrative overhead for most places, though- I doubt Starbucks can just flip a switch and have this happen. In fact, they can, and do. Like the company that administers Panera’s website access, the 3rd party company that administers Starbucks’ wifi (AT&T), they just run a script to push out anything they need to to every single router in their system. And then there’s support! Free WiFi just works- but now Baristas will have to help troubleshoot users’ connection problems? Baristas have been doing that already; this would probably save them time as the most recent spate of Firesheep hijinks have inundated a lot of Starbucks’/Panera/WholeFoods employees to date. If companies like Starbucks and Panera don’t start doing their part in fixing this issue, they could very easily find themselves in separate and class-action lawsuits for NOT handling their Wifi affairs. [That’s not from me; I heard that argument on This Week in Law on the TWiT Network] We as users of open WiFi can also assume responsibility for the security of our own data by using VPNs or tunnels to get out of the “hot spot.” That only works when hotspots allow such activity and Panera’s doesn’t. You have to sign in through an shttp portal before you get to the internet at all. Once on the net, you could do what you suggest below, but you first must go through the portal, and they can see anything you do on that portal, until you get your VPN on. Although I might have missed something here on VPNs and how they work behind-the-scenes.
My $20/month web host allows me to do a simple SSH proxy by issuing something like the following command in terminal: SSH -C -D I then use FoxyProxy to easily switch between when I’m using this proxy and when I just want to use the connection. When you are signing in through a portal you are not using your ISP’s service.
