Two weeks ago, an automatic session-hijacking plugin was released for Firefox. It was named Firesheep, and it’s been downloaded over 600,000 times so far.
The decision to release Firesheep publicly is a controversial one. On the good side, it’s reminded people that some of their common web surfing habits are dangerously insecure.
Many websites use HTTPS (secure HTTP) for login, which protects your password. But they revert to insecure HTTP for the rest of the session. After you have logged in, security relies on the browser sending a session cookie – a secret authentication token – in every request.
Websites which send session cookies in unencrypted HTTP requests are exposing your login credentials – albeit only for one session – to anyone else nearby on the network. If you’re on an unencrypted WiFi connection, for example at a local coffee bar, then anyone within range of the WiFi access point can hijack your login.
Since Firesheep proves just how dangerous it is to send session cookies in insecure network packets, it is likely to push businesses such as Facebook and Twitter to adopt HTTPS as an all-session default much sooner than they might otherwise have done.
On the bad side, those 600,000 downloads of Firesheep are 599,999 more than were strictly needed for the software to prove its point.
The author of Firesheep, Eric Butler, is unrepentant about releasing the tool. He’s publicly commented that, “like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends.”
He’s also aghast that Microsoft has started detecting his software as a potential threat, ranting that “by installing anti-virus, you grant a third party the ability to remove files from your system trusting that only malicious code will be targeted. Microsoft and other anti-virus vendors abuse this trust and assert what they think you should or should not be doing with your computer.”
Butler wants to have his cake and eat it.
He’s suggesting that anyone who consents to install his tool – even though its primary function is to hijack other people’s accounts – should be free to do so. Indeed, in his own blog, he offers the viewpoint that “code is a form of speech, and the freedom of speech must remain protected.” (As it happens, I don’t disagree.)
But he vigorously denies the right to Microsoft – and all other security companies – to express an opinion about his software when they come across it. That, opines Butler, is tantamount to censorship.
In Butler’s world, a network administrator who decided to scan his network for potentially unwanted software, including tools that can be used for hacking purposes (the category in which Microsoft, rather reasonably, has placed Firesheep), would have to accept that his security tools could not report openly on what they find, because that would be censorship.
Seems that Butler has a rather one-sided view of free speech.
Moral of the story:
* Just because you can write code to prove a point doesn’t mean you have to release it.
* If you do release it, you don’t have to package it with a one-click install and a use-it-without-understanding-it GUI.
* If you download code which makes anti-social (and probably also illegal) online behaviour easy, don’t be anti-social with it.
33 comments on “Firesheep author takes backhanded pot-shot at free speech”
I wholeheartedly agree that releasing Firesheep was controversial, but then so is Metasploit. I think it was you yourself, Paul, who compared Metasploit to duct tape – it has a sticky side and a dark side, and it holds the world together.
But Firesheep is not Malware installed by a malicious 3rd party, and if I deliberately install it, with whatever intent, and fully aware of what it purports to do, it’s not for Microsoft to come along and question my motives. Perhaps my government might have a view, or my coffee shop owner, or my ISP, but not my AV or OS vendor. Their job is to protect me against things I *didn’t* intend.
In the same way, I get fed up when my AV (not yours, unfortunately) quarantines netcat – a really useful tool. However I can see the reason there as it might be one of the first things an attacker would install on a system to create a back door.
Regards – Philip
We don't really consider our product an "anti-virus" any more. It keeps out those things that either you don't want by default (undoubted malware) or you decide you don't want (what we call "potentially unwanted apps", such as adware, and "controlled apps", like Wireshark).
We do detect Metaspolit. (Why wouldn't we?)
It's in our category of "controlled applications". It's not blocked by default, since – as I did indeed say – it's like duct tape, for the reasons you gave above 🙂
It's up to you whether to identify, report, or block Metasploit. On the average corporate network, there isn't much reason for, say, staff in HR to have a copy lying around on their PCs. We offer an opinion. Not a judgement.
In a corporate environment, certainly, you might very well flag this as an unwanted app, and for Sophos (a corporate product) to mark it as a controlled app is absolutely correct. The IT Dept will certainly have a view (I hope) about whether someone in HR really ought to be running Firesheep, or Metasploit, or netcat for that matter, on their corporate PC. There may well be legal implications for the company apart from anything else.
But MS Essentials is specifically for non-corporate private use. So if a private user has deliberately installed something, knowing full well what it is and what it does, why should MS come along and flag what they already know? They are making a moral judgment. At that rate, they should be warning people when they visit porn sites, or bomb-making sites, or … where would it end? Not that I’d want to condone any of those things, any more than the dark side of Firesheep.
What they probably should have done is waited a few weeks first, then they could justifiably have said “hey, you downloaded this thing and you had your fun – or you did your legitimate research. Maybe you’d now like to reconsider whether you really think it’s a good idea to keep it lying around.”
How is Microsoft meant to know what is a "deliberate install" and what isn't?
Firesheep is certainly a Potentially Unwanted Application (PUA), but most certainly not malware. How is Firesheep different from, say Wireshark?
As mentioned above, we detect Wireshark as a "controlled application" – so you have to decide whether you want to ignore it (the default), report it, or block it.
We suggest. You decide.
so, under the guise of “freedom of speech,” I can post racist and sexist comment here? How about some links to illegal content? Exploit code should be covered, too, right. As well as your home address, children’s names, and… oh, so now you don’t believe in freedom of speech when it is personal? Check your beliefs, tard.
Looks like someone is having a hard time distinguishing "freedom of speech" from "right to privacy". Doesn't surprise me in the least though…. the way our education system has been run the last 20 years or so I'm rather surprised he managed to only misspell a few words and construct at least 90% understandible grammar.
Trolls are so cute when they think they have open license to use other people's resources to exercise their right to free speech.
These are privately held blogs. The Sophos folks are well within their rights to censor and moderate content that they pay to provide. If you want to post defamatory content, or content that invades someone's privacy, buy your own blog, if you can find an ISP who's willing to let you purchase their resources to host it.
Or, if you like, you can go stand on a public street corner and shout all you want.
Microsoft has a reasonable right to control what goes into their software, and you have a right to purchase it or not as you see fit. If you really want to go after someone about controlling content on their platform, go pick on Apple.
Obviously none of the readers above especially muhabo have any idea of what they're talking about, let alone the author of this blog post.
We've been exploiting this for years, the only reason you now know about it is because some guy released some program to prove his point. Without him you would've been oblivious.
Just remember, we're watching you…
Free speech is the right of the people to speak out against the Government without the Government be able to censure you for that.
Since when is this guy or Microsoft the Government?
Two, This guy is no better than Pirate Bay and other warez sites. This tool will enable people to hijack personal information? Then I want an Anti-FireSheep tool. Pirate Bay and Warez site claim to be out for the little people and sticking it to the big corporations. This guys is claiming he is out to prove websites are unsecured…
See the Parallel here? In both cases, they are allowing tools into the hands of the unscrupulous.
If he has the right to publish an exploit (Which should be actionable under some of the newer laws) , Then another company has the right to block him.
It isn't about Free Speech, folks. That's just clouding the real issue.
Huh? Freedom of speech is the right to speak freely. About anything and anybody. It does not have to be about the government, although the right to free speech is most often challenged by governments. You could be speaking out against your employer, rapper 50 Cent or the CEO of McDonalds and in each case you might be grateful for the protection of freedom of speech.
And you don’t need “an anti-firesheep tool” you’ve got it already, just avoid insecure Wi-Fi and/or avoid sites that don’t use HTTPS login.
No Alan. There are restrictions on the right to speak freely. According to Wikipedia "There are exceptions to these general protection, including the Miller test for obscenity, child pornography laws, speech that incites imminent danger, and regulation of commercial speech such as advertising. Within these limited areas, other limitations on free speech balance rights to free speech and other rights, such as rights for authors and inventors over their works and discoveries (copyright and patent), interests in "fair" political campaigns (Campaign finance laws), protection from imminent or potential violence against particular persons (restrictions on fighting words), or the use of untruths to harm others (slander). Distinctions are often made between speech and other acts which may have symbolic significance."
"According to Wikipedia"
I guess you don't watch the news much. There are all kinds of restrictions on the right to free speech. Your employer can (and has many times) monitor your online activity, for example, and decide to fire you based on what you "free speech" out all over the internet. Just ask a couple of High School teachers about their facebook pages…..
The protection ends as soon as you damage someone else, i.e. as soon as you step on someone else's freedoms. Viruses are not protected speech just 'cause you used a keyboard to punch 'em in for chrissake. What's next – orders to execute innocents are protected 'cause someone scribbled them on a piece of paper?
You should think about what you're typing in here before you do it.
Oh I see. Sam Spade and learningtospell have interpreted my comment as some legal commentary on the specific US constitutional right to freedom of speech. Neither I nor Butler discussed specific laws. I was talking generally, about the concept of speaking freely, not about the 1st amendment or any specific law. I myself am a UK citizen, (and incidentally we have more limits on freedom of speech than in the US).
My comment was aimed only at Meredith, who asserted that Free Speech was about criticising the government. My point was simply that you might use a "freedom of speech" defence in many contexts. I did not say anything about whether you would be successful.
I also did not assert that freedom of speech is or should be unbounded nor comment on the restrictions that are or should be placed upon it. I just pointed out that you might use the freedom of speech protections in your jurisdiction in more contexts than just government criticism. That was my only point.
So you're both arguing with a straw man right now, and might think about what you're typing in here before you do it. 🙂
Firesheep exposes a flaw in other software. It doesn’t hack secure systems or find stuff that wasn’t already publicly available.
To block users from installing it – whether you don’t release it or are Microsoft and are preventing installation doesn’t address the security vulnerability firesheep exposes. Anyone could go make watersheep or firelamb. Blocking those too doesn’t fix the root cause.
When I downloaded it, I was alerted and given the option to quarantine it or ignore the warning. I wasn't blocked from installing it. I'm not sure about the behavior of MS Essentials, but I would expect a similar option. There's nothing wrong with Microsoft categorizing a download…
Quick where is my Chrome? The use of Firefox, add-ons especially, is proving to be less secure than IE8. But I see the point of how websites have a login with HTTPS then revert to HTTP, I have never favored this.
This is nothing to do with any the security of Firefox add-ons. Having the Firesheep add-on installed does not render your computer insecure (insofar as no vulnerabilities in Firesheep code have been discovered yet).
This is why categorizing Firesheep as a malware infection is a mistake—it confuses people like Charles who think his system is under attack who then go on to blame Firefox—something I am sure is not lost on Microsoft, the makers of a competing browser!
Firesheep exposes an existing exploited vulnerability in HTTP; it does nothing to create it.
Microsoft has categorised it as a “hacking tool” like Wireshark. What’s wrong with that? As a parent I’m grateful, because I want to know when my kids install hacking tools. As a sysadmin I’m grateful because my users have no business installing this tool.
A lot of nonsense has been talked about this, if you don’t like your AV software detecting this obvious hacking tool, then make an exception for it.
I'm OK with that Alan and your reasons are sound. I just read the text on Microsoft's site where they refer to Firesheep as "an infection" which is incorrect terminology, and I suspect a lexicon that will spread to ordinary users who will ignorantly blame Mozilla Firefox for the "infection", like Charles did.
"As a parent…"
@Charles: Of course, you realize that this isn’t a browser thing…it has more to do with packet sniffing. Doesn’t matter which browser you’re using, unless you want to run the add-on. Your password is compromised in the packets themselves, according to whether the website you’re using is totally secure or only has secure login.
I have an idea and don't know whether it's feasible, or where to present it if it is.
This Add-on exploits a weakness in the IP packets transmitted (over wireless, I presume) and the issue is transmitted session cookie information in unsecured packets after the secure login.
Would it be easier, instead of encrypting all the information in every single packet, to instead encrypt JUST the session cookie information of the packets? It seems to me that there would be a lot less encrypting and decrypting of information required.
Perhaps the TCP and/or IP protocols could be modified such that all session cookie information was encrypted by default, which would at least eliminate THIS problem without causing everyone everywhere to change the basic way their sites operate.
Like I said, I don't know whether this is feasible or not. I have no idea whether it could be modified by software, or if hardware would have to be modified to accomplish it. I would think it would be software, though, since otherwise "https:" would not exist. How many software titles is another thing altogether.
This solution would still involve negotiated encryption – a partial HTTPS, if you like.
I'm not crazy about this idea, for two reasons.
Firstly, if you're going to go through the overhead of encrypting some parts of each request, why not encrypt the whole thing? (One reason is that there are some tricks you could do with caching if the entire page didn't have to be different every time, but I'll ignore that here.)
Secondly, if the data is personalised in any way – as social networking traffic usually is, and as email always is – then encrypting just the session cookie still leaves the rest of the data sniffable.
Firesheep showcases one extreme consequence of the lack of HTTPS, namely that others may be able to act as you online. But it's the sniffability of the personalised traffic _in general_ which is the problem.
Personalised data in transit should really be both read and write protected. That means HTTPS throughout.
Has anyone heard of how Blacksheep falls into play with this? Being an anti-firesheep tool which alerts you when someone is trying to grab/sniff your detail with Firesheep, I would think it could be going over pretty well with all the Firesheep hype and mass downloads. But then again, would the people who are getting their details stolen even know about either one to begin with?
Blacksheep does what you say – it transmits decoy packets which Firesheep will detect as a hijackable account. If the Firesheep user goes ahead with the hijack, then Blacksheep counter-sniffs this Firesheep activity and identifies the offending user's IP number.
Amusing idea. Spy vs. Spy.
Remains to be seen if Mr Butler regards his point as already proved, in which case he will do nothing, or if he wants to flex his freedom of speech again and to add anti-BlackSheep technology into his hijack code 🙂 (Computer security is an arms race. The Halting Problem [q.v.] pretty much proves that it can't be anything else.)
As many have already pointed out, Blacksheep is just a stopgap – rather like a defensive manoeuvre against an individual item of malware out of the millions which exist – and not a generic cure.
The fix is for service providers to use HTTPS whenever any personalised content is transmitted over the web, not just when the password which unlocks that perosnalised content is sent.
Interesting topic, Freedom of Speech. It's quite an easy one for people to hide behind when they don't want their motives questioned.
I've read a lot of the comments posted here, and want to weigh in with my 2c. The problem is that FireSheep is essentially code that can perform tasks/behaviours that can be used to a malicious end. This is not the only code out there that can do what it does, and there are many tools similar to it (Wireshark etc) that are used legitimately as well as maliciously.
The problem centres around education of the end user. There's (Hopefully) enough education on the web that if people just googled FireSheep, they would find news articles etc, and be able to make up their own mind to install it or not. The fact that the EULA states what the app will do when installed, and people click OK to it, means people aren't even reading it, and if they do, they are fully aware of the risks of installing it.
Hopefully those aware of the risks are also skilled enough to use it for security testing, and aren't doing anything too dodgy, but that's up to them.
Unfortunately AV companies (as well as MS) have to assume that software that is exhibiting behaviour that is undesireable (From a Security and Privacy point of view) should at the very have some kind of intervention that the user must accept (Inherently accepting the risks as well).
As an administrator, if you don't trust the user to make this decision on good vs bad apps, then block things as a rule, and create exceptions. Again, it's an education problem, if you don't understand something, don't install/run it until you do..
Interesting article but cringing at the fact you used insecure to describe a network. Dictionaries tend to associate insecure with anxiety opposed to lacking encryption or fortification. Don’t le that get you down though. Thanks for the article.
1. (of a person) Not confident or assured; uncertain or anxious.
2. (of a thing) Not firm or set; unsafe.