Firesheep cometh; is open WiFi safe anymore?
Given how many active cruisers rely on WiFi, the advent of Firesheep — which apparently makes it super easy to break into people’s web accounts when they are on the same WiFi network — deserves more than my comment on the Rogue Wave entry. I first heard about the problem via a dire-sounding ActiveCaptain newsletter, and I’ve since corresponded with Jeff Siegle who says boaters need to be warned. To get an idea of how dangerous Firesheep and copycat programs are, Jeff tried one while anchored off a marina and reports that he “got passwords from half the boats with people aboard – all
without them knowing.” This tech blog, home of the illustration above, is also pretty dire, but, like so many internet security issues, this one seems somewhat confusing…
For instance, while Jeff thinks it’s important for marinas to encrypt their open WiFi, Richard — the tech whiz at Wave WiFi — says this new problem applies to any AP “including a marina using encryption.” Some sources seem to say that the dangers lie mostly with social sites like Facebook, others say it’s more pervasive. And of course lots of tech sites have suggestions about what we should do, like TechCrunch, and Technologizer. Is there a significant problem, should cruisers avoid open WiFi networks as much as possible, or what?
PS I asked Jeff for an illustration of his sniffer testing and while he decided grabbing real passwords was a “bad idea” he did demo the process on his own email server, illustration below. Note that the POP email account is faked and the password failed. Jeff used Wireshark, which he says is not for the “average person” but he goes to say that “What’s happening now is that
tools like Firesheep are making it much more user-friendly to grab this
type of information and exploit it. THAT’S the big change.”
Jeff’s explanation of what’s happening on this screen: “sysscanner > pop3” is a computer on the network asking to speak to ActiveCaptain’s email server; “Response: +OK Dovecot ready” is ActiveCaptain saying, go ahead; “Request: USER jeff” is the computer asking for the account name “jeff” (as in [email protected]); “pop3 > sysscanner” is an acknowledgement that the packet was received; “Response: +OK” is ActiveCaptain saying the the account is OK; “Request: PASS password_is_XXXXX” is the computer sending the password
for “jeff” in the open – I actually entered “password_is_XXXXX” for the
account. In this case, the server responded that the password is no good because,
well, I’m not giving out my password…
Grabbing other things like cookies, forms being typed on a web site, and
a whole host of other things is just as easy.