arsyan's virtual playground

Protect Yourself from Firesheep (Kambing Berapi)

2010-10-26 16:25:24


As per my blog yesterday about my experience with Firesheep, i can hardly sleep now and always become "kancheong" and skeptical of my use of un-encrypted office wifi over here. (Since it's the only way i can go online here in the office). I have looked around and read tons of comments regarding the matter and here are my findings of how you can avoid being a victim Firesheep just temporarily until a proper solution has been figured out by the world. Since im a full-time Chrome user, i would start of with Chrome Extensions you can use to protect yourselves.




1. KB SSL Enforcer (Better but buggy)



This extension works best, i havent encountered any "Content Unavailable" yet on Facebook with this. However, you would notice that Facebook disabled the chat feature if you are on a HTTPS page. Note that there is a slight flicker on the unencrypted page during the forwarding due to a Chrome limitation. (Soon to be fix in Chrome 7). After installing the extension, you would have to go to Chrome Extension Manager and click Options on KB SSL Enforcer and then add:

www.facebook.com
facebook.com
www.twitter.com
twitter.com


...in your Whitelist. Make sure all these common domains are added, else the extension wont have an effect and you are still vulnerable to Firesheep. THIS IS AN IMPORTANT STEP.



You can add other website domains as well, as long as the website supports HTTPS, else you would be brought to a non-existant page of the particular domain. Note that not all web service supports HTTPS protocol. If you add one that doesn't, you will be brought to a default page for HTTPS protocol of that website/server. Once the plug-in is installed, you should see your Facebook URL on Chrome to look like this:



And this means that you are safe from Firesheep the Kambing Berapi. The downside by doing this is that all your pages are actually encrypted, more effort and overhead for processing your request and sometimes could be a little buggy. Buy hey, this is way better than getting your account hijacked.




Forces SSL for Twitter and Facebook, as said on its README it only forces you to HTTPS for Facebook and Twitter ONLY. It works, and will secure you from Firesheep. However, i find that it is still buggy and some content and link that is brought to you did not forward to HTTPS correctly and you will be facing some "Content Not Available" error sometimes with this extension.



If you are confident that you are in a secure network (or not) but you are convince that nobody is listening, you can disable this extensions by going into Chrome Extensions Manager and click "Disable" on their extensions. Then everything will be normal again as Facebook and Twitter or any site intended. If you're at a public wifi again, "Enable" it again and surf a care-free surfing experience. Best thing about Chrome is enabling and disabling extensions doesn't require you to restart. Unlike Firefox.



For Firefox Users


I would recommend the following plug-ins that does the same job.


1. Force TLS (Very stable i personally use this)
2. HTTPS Everywhere

Remember, some of these extensions/plug-ins requires you to manually add domains you want to be HTTPS forward, so remember to configure it first.

Conclusion and Rule of Thumb

All and all, bottom line is that, if you are on the internet, your privacy is always at risk. Just make it your rule of thumb that if you are in a public wifi or in a no security encryption wifi network, always remember not to login sensitive websites. Instead, use a 3G connection, tether with your iPhone or USB modem which is much harder to intercept and sniff. If you're in wifi network WPA2/PSK encryption, i think you are safe from Firesheep. However, I tested with WEP and Firesheep is still able to hijack the session, so it's best to use WPA2/PSK encryption on your routers to avoid this mishap. Hope this helps, surf safe.