Weekly Edition
Return to the Security page
| |||||||||||||||||||
EFF Tool Offers New Protection Against 'Firesheep'
Electronic Frontier Foundation Media Release For Immediate Release: Tuesday, November 23, 2010 Contact: Peter Eckersley Senior Staff Technologist Electronic Frontier Foundation pde@eff.org +1 415 436-9333 x131 Chris Palmer Technology Director Electronic Frontier Foundation chris@eff.org +1 415 436-9333 x104 EFF Tool Offers New Protection Against 'Firesheep' HTTPS Everywhere Updates Web-Surfing Security San Francisco - The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking. Unfortunately, while many sites on the web offer some limited support for HTTPS, it is often difficult to use. Websites may default to using the unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. EFF's HTTPS Everywhere tool uses carefully crafted rules to switch sites from HTTP to HTTPS. This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention. "These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool," said EFF Senior Staff Technologist Peter Eckersley. "It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal." Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly. "Firesheep works because many websites fail to use HTTPS," said EFF Technology Director Chris Palmer. "Our hope is to make it easier for web applications to do the right thing by their users and keep us all safer from identity theft, security threats, viruses, and other bad things that can happen through insecure HTTP. Taking a little bit of care to protect your users is a reasonable thing for web application providers to do and is a good thing for users to demand." The first beta of HTTPS Everywhere was released last June. Since then, the tool has been downloaded more than half a million times. To download HTTPS Everywhere for Firefox: https://www.eff.org/https-everywhere For more on implementing HTTPS in websites: https://www.eff.org/pages/how-deploy-https-correctly For this release: https://www.eff.org/press/archives/2010/11/23 About EFF The Electronic Frontier Foundation is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression and privacy online. EFF is a member-supported organization and maintains one of the most linked-to websites in the world at https://www.eff.org/ -end- _______________________________________________ To unsubscribe or manage your email options: https://mail1.eff.org/mailman/listinfo/presslist (Log in to post comments)
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 23, 2010 20:40 UTC (Tue) by mve (subscriber, #54709) [Link]
This tool seems to work very well also in the Nokia N900's default Microb browser. At least Facebook and twitter are now using https.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 1:53 UTC (Wed) by Lennie (subscriber, #49641) [Link]
What I don't really get is why people are now of a sudden starting to all add this. This has always been a problem. I do obviously agree that it's a good idea in general.
But do we really want to start burning through those last IPv4 addresses, so every site out there can have their own SSL-cert. ? An IPv4-address per site, that's an administrative nightmare at any hosting site.
I guess it's to late, but I just want to urge Microsoft to deploy an update for IE on XP (and thus Safari) so that it supports SSL vhosts (SNI).
Without it, we have to wait for XP to die or IPv6 to get widely deployed.
I wonder what will come first.
I guess we could also look at it from an other standpoint, if we deploy SSL on IPv4 for as many sites as possible then IPv6 can't be far off. :-)
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 2:17 UTC (Wed) by mattdm (subscriber, #18) [Link] What I don't really get is why people are now of a sudden starting to all add this. This has always been a problem. I do obviously agree that it's a good idea in general.Because Firesheep made it very easy. Before, it was easily done theoretically, but the intersection of people with the knowledge to do it and people with the will to was vanishingly small. Suddenly, it's something you can do if you're just curious. But do we really want to start burning through those last IPv4 addresses, so every site out there can have their own SSL-cert. ? An IPv4-address per site, that's an administrative nightmare at any hosting site.The answer is Server Name Indication, and (surprisingly, perhaps), this is a reasonable medium-term solution, as it is supported by Firefox >= 2, IE >=7, Opera >= 8, Safari >= 3.2.1, and etc.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 4:26 UTC (Wed) by Kit (guest, #55925) [Link]
Lennie mentioned it in his comment, but IE (any version) on XP doesn't support SNI, which is what is reference to the patch he mentioned. From the sound of things, the functionality in the OS itself doesn't support SNI, which is why the version doesn't matter.
(based on his comment, it sounds like Safari on XP also doesn't support it)
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 9:08 UTC (Wed) by mfedyk (guest, #55303) [Link]
and yet firefox, chrome and opera manage to support sni on xp just fine.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 11:14 UTC (Wed) by Lennie (subscriber, #49641) [Link]
Yes, this is true, but here is the list:
- Firefox uses it's own library and certificate store (which is derived from the one Netscape created) which supports SNI - Opera has it's own library and certificate store (or it's just builtin) which supports SNI - IE and Safari uses the Windows library and certificate store - the library in Windows 2000 and XP does NOT support it. - IE on Vista and higher (Windows 7 and server OS versions) uses the newer Windows library which supports SNI - Safari on Mac OS X supports SNI (it uses the Mac OS X library if I understand it correctly) - Chrome on Linux uses the same library Firefox uses - Chrome on Windows uses the certificate store from Windows. But I don't know what library they use on Windows. Chrome does support SNI on all versions of Windows. - Chrome on Mac OS X (it used to use the Mac OS X library, not sure what they use now)
And IIS on Windows did NOT support SNI only since, I think, Windows 2008 but their is no GUI. Which, when you look at the current UI, could have been added easily. I guess they didn't add it, to prevent people from configuring something which doesn't work with old IE/Windows versions.
lighttpd, Apache, nginx and node.js all use OpenSSL which supports SNI and. Not sure if node.js can be setup that way. The Pound SSL-proxy supports it.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 4:25 UTC (Wed) by MattPerry (guest, #46341) [Link]
> But do we really want to start burning through those last IPv4 addresses,
> so every site out there can have their own SSL-cert. ?
Yes, absolutely. There is a need so use them. It's too late the be conservative with IP addresses now. They will all be gone in about eight months and we'll have to make the move to IPv6 anyway.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 12:08 UTC (Wed) by Lennie (subscriber, #49641) [Link]
OK, IANA will run out in eight months, I guess ? Then we still have the RIR's (5 regions), which will be a few months more. Let's say 11 and total.
Most providers will have atleast some IPv4-addresses left and maybe that will last a few months, maybe even a year.
In the mean time, maybe HP/Compaq or some other big organisation might return a large part of their /8.
Otherwise all that is left is a 'blackmarket'. Where you transfer IPv4-blocks from provider to provider directly and just use the RIR's for the administration.
Maybe by that time, XP can be considered dead ? Because I have some doubt about IPv6 already being deployed on a large scale by then. Otherwise we'll have to resort to workarounds like one certificate with many alternative names on the same IPv4-address.
Possibly Microsoft sees this differently, but I just wanted that one change to go into Windows XP SP3.
Was it really to much to ask ?
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 26, 2010 3:28 UTC (Fri) by rloomans (guest, #759) [Link] OK, IANA will run out in eight months, I guess ? Then we still have the RIR's (5 regions), which will be a few months more. Let's say 11 and total. See http://www.potaroo.net/tools/ipv4/. The current estimates are closer to 4 months for IANA, and roughly 12 months for the RIRs... but that should be taken with a large grain of salt as the estimates have changed significantly, mostly for the worse: http://www.potaroo.net/tools/ipv4/predict.png
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 26, 2010 11:03 UTC (Fri) by Lennie (subscriber, #49641) [Link]
Predictions depend on many factors and it's more about definition then anything else. Because with the 'blackmarket' where you can buy/sell IPv4 we will never run out of IPv4 addresses, it will just be like the predictions for oil, it will just get more expensive.
There is also this tool:
http://www.ipv4depletion.com/?page_id=77
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 13:19 UTC (Wed) by jackb (subscriber, #41909) [Link]
Wouldn't site operators be better off implementing IPsec instead of SSL in terms of server load? A web server configured for passive opportunistic encryption would serve pages normally until a client requested encryption and when one did would be more efficient because an IPsec tunnel doesn't need to renegotiate keys with every click like SSL does.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 17:32 UTC (Wed) by foom (subscriber, #14868) [Link]
SSL doesn't need to renegotiate on every request either, it supports session resumption.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 24, 2010 20:05 UTC (Wed) by Lennie (subscriber, #49641) [Link]
Actually, with the right extension SSL/TLS can even speed up page loading.
This is because currently, to handle parallel requests/responses a webbrowser has to open several TCP-connections (this used to be set to 2 and is now 6, only IE6 and IE7 still use 2), but because of the TCP-slow-start algorithm it takes to much time to fully utilise the available bandwidth.
As SSL allows for extensions, it should be possible to add multiplexing of several streams over the same TCP/SSL-connection thus avoiding TCP-slow-start.
This is exactly what Google proposed:
http://www.chromium.org/spdy/spdy-whitepaper
If you want to know more about the impact of TCP for multiple HTTP-connections, you should take a look at this:
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 25, 2010 12:33 UTC (Thu) by nye (guest, #51576) [Link]
>As SSL allows for extensions, it should be possible to add multiplexing of several streams over the same TCP/SSL-connection thus avoiding TCP-slow-start.
>This is exactly what Google proposed:
>http://www.chromium.org/spdy/spdy-whitepaper
Whatever happened to SPDY? Has there even been any mention of it since the original announcement? Nobody seemed to point out any serious downsides and it looked promising so it would be a pity if it's silently forgotten forever.
EFF Tool Offers New Protection Against 'Firesheep' Posted Nov 25, 2010 22:33 UTC (Thu) by Lennie (subscriber, #49641) [Link]
I think this is the current state:
|
|||||||||||||||||||
