Firesheep protection
#1 dbtrade, 10/30/2010, 12:09 PM

I know my connections have been insecure, but now that it has been publicized and the Firesheep plugin has been released, I am very concerned about my Pre and WiFi out in the world.

Lamely, I have not provided links, but as you are probably aware, Firesheep can steal the cookies and sidejack accounts on most of the social sites. This INCLUDES Gmail, Facebook, Twitter etc.

So, in the past I have kept my WiFi on for my Pre as I walk about town. It logs into Starbucks, for example, if I am in there.

The autosync feature of my Pre will automatically log onto some of the services that Firesheep can steal.

Therefore, I am looking for some way to insert VPN into the WiFi path of my phone, and I guess disable automatic syncing of e-mail, or at least automatic insecure WiFi log-on.

While I can poke around the internals of my Pre and do some experienced-user stuff, I am no expert at Linux security etc.

I am wondering if the real gurus of these forums have done any thinking about this and could proffer some ideas?

db
#2 wushu2004, 10/30/2010, 12:34 PM

I'd like to see this happen.
#3 whodo_voodoo, 10/30/2010, 03:23 PM

Quote:
Originally Posted by dbtrade
The autosync feature of my Pre will automatically log onto some of the services that Firesheep can steal.
Is it logging in each time though, or are the services storing login cookies between sessions?

Not that it helps secure you from Firesheep if you did need to log in, but it might make the phone slightly more secure if the cookies are stored already.
#4 dbtrade, 10/30/2010, 03:37 PM

Quote:
Originally Posted by whodo_voodoo
Is it logging in each time though, or are the services storing login cookies between sessions?

Not that it helps secure you from Firesheep if you did need to log in, but it might make the phone slightly more secure if the cookies are stored already.
Well my understanding is that Firesheep grabs the cookies as they transmit. So, either way, no?
#5 RickNeff, 10/30/2010, 04:20 PM

Quote:
Originally Posted by dbtrade
Well my understanding is that Firesheep grabs the cookies as they transmit. So, either way, no?
Why not just use the SSL connections instead of unencrypted connections? I believe that was the whole reason why Firesheep was developed: To highlight the need to connect via SSL rather than unencrypted traffic.
__________________
Richard Neff

My tutorials on WebOS development: Beyond 'Hello World!' | Getting Started - WebOS Development

My apps: Percent Table | SierraPapa
#6 whodo_voodoo, 10/30/2010, 04:20 PM

In which direction though? I'm assuming it can grab cookies being transmitted to you, but can it also grab the details when they're being sent from your device to the service you're using (i.e. I have previously logged into a service elsewhere, so I still have the cookie stored and it's then used when I next connect to the service)?

Of course this all assumes my impression of how cookies and Firesheep work is correct.
#7 RickNeff, 10/30/2010, 04:24 PM

Palm actually has a small whitepaper on WebOS security features: http://www.palm.com/us/assets/pdfs/b...r_Security.pdf

Of course, I'd also recommend not leaving WiFi on all the time.
#8 RickNeff, 10/30/2010, 04:25 PM

Quote:
Originally Posted by whodo_voodoo
In which direction though? I'm assuming it can grab cookies being transmitted to you, but can it also grab the details when they're being sent from your device to the service you're using (i.e. I have previously logged into a service elsewhere, so I still have the cookie stored and it's then used when I next connect to the service)?

Of course this all assumes my impression of how cookies and Firesheep work is correct.
SSL encrypts both directions, so that should never be an issue.
#9 dbtrade, 10/31/2010, 04:51 PM

Firesheep sniffs all packets on the open network on which it is active.

I have some accounts that will not use SSL.
#10 RickNeff, 10/31/2010, 07:42 PM

Quote:
Originally Posted by dbtrade
I have some accounts that will not use SSL.
But, that's the actual problem which WebOS really can't do anything about. You have to either use SSL or a VPN connection. Or, simply don't use sites that use unencrypted traffic.

Regarding your original questions, I'm not aware of any settings that allow for what you want to do.
#11 dsei, 10/31/2010, 08:12 PM

For now, you're pretty much at the mercy of the services that use non-SSL connections. Your best defense is to use 3G instead of non-encrypted Wifi.

When 2.0 is released, you'll have the option to use IPsec VPN, which will facilitate what you're asking for. Of course, you'll need something to "VPN to" first.
#12 ryleyinstl, 11/01/2010, 09:31 AM

Gmail should be using SSL on your webOS phone by default... check the settings to make sure.
#13 BobKy, 11/16/2010, 06:09 PM

Using Wi-Fi? Firesheep may endanger your security

Some thoughts on BlackSheep and Firesheep
#14 helidos, 11/16/2010, 07:04 PM

Wow, so a guy creates an extension for Firefox to prove a point, but instead of doing so in a controlled way, he releases it to the masses so that millions of people's security is at risk. Brilliant!!

And people wonder why the world is in the shape it is in. Hey, I need to prove a point about this toxic material; how could I do this? I know, I'll dump it out by the ton into every major city and go "See, I told ya." /facepalm
#15 dbtrade, 11/17/2010, 09:27 AM

Quote:
Originally Posted by dsei
For now, you're pretty much at the mercy of the services that use non-SSL connections. Your best defense is to use 3G instead of non-encrypted Wifi.

When 2.0 is released, you'll have the option to use IPsec VPN, which will facilitate what you're asking for. Of course, you'll need something to "VPN to" first.
Thinking about a proxy server for the Pre.
#16 knobbysideup, 11/17/2010, 02:06 PM

What services are you running on the phone that:
1) automatically connect to web sites and
2) use cookies?

I think the actual threat is likely less than you think it is. The things I have checking automatically are mail and some IM stuff, and that is all done over SSL or TLS.

The obvious solution is to keep WiFi off. Is there a reason that you have it enabled to automatically connect to untrusted networks constantly?
__________________
: (){:|:&};:
#17 knobbysideup, 11/17/2010, 02:08 PM

Quote:
Originally Posted by helidos
Wow, so a guy creates an extension for Firefox to prove a point, but instead of doing so in a controlled way, he releases it to the masses so that millions of people's security is at risk. Brilliant!!

And people wonder why the world is in the shape it is in. Hey, I need to prove a point about this toxic material; how could I do this? I know, I'll dump it out by the ton into every major city and go "See, I told ya." /facepalm
Your security has always been at risk. If you don't understand how trivial it is to sniff a public network and grab session IDs, that is nobody's fault but your own. HTTP is stateless, so you have to always send an identifier back to the server. Bummer. This also highlights how dumb it is for so-called webmasters to set up an SSL encrypted login page, only to then take the user to the actual site in cleartext. Cool, I can still get into your account.

You don't need a special Firefox plugin to do this, and never have. The release of this makes the ignorant public aware of this, and perhaps puts pressure on web administrators to use SSL, since it's been around pretty much forever now.

Just wait till you see what one can do to you with DNS poisoning and metasploit reverse shells. Not even your firewall can protect you, my friend. And pretending to be the airport or unsecured coffee shop's wifi is always a good time.
Last edited by knobbysideup; 11/17/2010 at 02:18 PM.
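As an added example that is not part of the thread: the pattern knobbysideup describes (SSL login page, session cookie then reused over cleartext pages) is something a site owner or a curious user can audit for. The script below parses a constructed set of HTTP exchanges and flags session cookies issued without the Secure attribute, or sent to a plain http:// URL, where a sniffer on an open network would see them. All hostnames, cookie names and values are constructed for the example.

```python
# Added example: audit constructed HTTP exchanges for session cookies that a
# sniffer on an open Wi-Fi network could capture. Not code from the thread.
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Exchange:
    url: str                         # request URL the client used
    request_cookies: dict            # cookies the client sent with the request
    set_cookie: list = field(default_factory=list)  # Set-Cookie headers received

def parse_set_cookie(header: str) -> tuple[str, str, set[str]]:
    """Split a Set-Cookie header into (name, value, lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs

def audit(exchanges: list[Exchange],
          session_names: tuple = ("sessionid", "sid", "auth")) -> list[str]:
    """Return one finding per place a session cookie is exposed in cleartext."""
    findings = []
    for ex in exchanges:
        parts = urlsplit(ex.url)
        scheme, host = parts.scheme, parts.hostname
        # (a) cookie issued without Secure: the client will also send it over http://
        for hdr in ex.set_cookie:
            name, _, attrs = parse_set_cookie(hdr)
            if name.lower() in session_names and "secure" not in attrs:
                findings.append(f"{host}: session cookie '{name}' set without Secure")
        # (b) cookie actually transmitted over a plaintext request
        if scheme == "http":
            for name in ex.request_cookies:
                if name.lower() in session_names:
                    findings.append(f"{host}: session cookie '{name}' sent in cleartext to {ex.url}")
    return findings

# Constructed sample: HTTPS login hands out an unflagged session cookie, the
# site's cleartext pages reuse it, and a mail sync that stays on HTTPS is clean.
SAMPLE = [
    Exchange("https://social.example/login", {}, ["sessionid=abc123; Path=/; HttpOnly"]),
    Exchange("http://social.example/home", {"sessionid": "abc123"}),
    Exchange("https://mail.example/sync", {"sid": "xyz"}, ["sid=xyz; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Only the social site produces findings; the mail sync, like the SSL-only services later posts mention, does not.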
#18 steev182, 11/18/2010, 01:27 PM

I personally think Firesheep is proving an excellent point, and by doing this it should be forcing the likes of Facebook to think a lot harder about their user security policies.

If you are so worried about Facebook being hijacked, stop using it, or only use your 3G connection.
#19 friedchicken, 11/19/2010, 02:26 AM

1. Connect your phone to your private WiFi at home.
2. Use Facebook or another non-HTTPS service.
3. Use Firesheep on your computer.
4. Check to see if it is able to access your account.
#20 lordbah, 11/24/2010, 11:30 AM

Are Calendar and Contacts automatically making unsecured connections periodically? If so, can't we patch them to use HTTPS?
Tags
firesheep, security, sync