November 4, 2010
By Woody Leonhard
In his Oct. 28 In the Wild column, Robert Vamosi showed how easy it is to snoop a Wi-Fi connection using a clever Firefox add-in called Firesheep.
If you're serious about protecting your surfing from prying eyes while on an unencrypted public Wi-Fi connection, the onus is on you to lock down your connections. Using virtual private networking (VPN) is one of the best ways I know to do that.
Firesheep has raised the awareness — and hackles — of Wi-Fi users all over the world. It exploits an old, well-known problem called sidejacking. Eric Butler, the author of Firesheep, describes the situation succinctly in his Firesheep post:
"When logging into a Web site you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a 'cookie,' which is used by your browser for all subsequent requests."
Most Web sites protect your username and password with a secure HTTPS connection. Unfortunately, many immediately drop back into insecure HTTP once a visitor is signed in — and the site sends its cookie back over a now-insecure connection. Anybody snooping on your conversation can make a copy of the cookie and use it to interact with the Web site in precisely the same way you do. This is a process known as sidejacking.
Firesheep makes it point-and-click easy to monitor Wi-Fi signals and look for cookies shouted out in the clear. It specifically sidejacks interactions with popular sites such as Amazon, CNET, Facebook, Flickr, Windows Live (including Hotmail), Twitter, WordPress, Yahoo, and others.
More than one way to stop sidejacking
Eric released Firesheep specifically to prod Web-site owners into implementing secure HTTPS connections — when and where they make sense. For example, it's unconscionable in this day and age that Hotmail, for one, sends its cookies (and your e-mail) over an insecure connection. (As Robert notes, Gmail uses HTTPS, so it's impervious to Firesheep.) Banks, investment companies, and other financial institutions made the switch to HTTPS many years ago. It's puzzling why other sites we trust with personal information have not invested the time and money into switching to HTTPS.
As noted in Robert's column, forcing HTTPS use can also happen in your browser. Chrome and the Firefox Force-TLS add-on (download site) can force Web sites to use HTTPS pages — when HTTPS is available.
Wi-Fi Protected Access 2 (WPA2) is another way to subvert Firesheep in particular and sidejacking in general. Connect to any wireless access point that uses WPA2 encryption (info site), and you're protected. At least at this point, nobody I know has figured out a way to sidejack a WPA2 encrypted Wi-Fi connection.
But given that HTTPS is far from ubiquitous and most public hotspots do not require a password (and consequently do not have data encryption), you need alternative ways to protect your transmissions. Fortunately, they exist and one — virtual private networking — is reasonably easy to set up.
How to stop sidejacking with your own VPN
You've undoubtedly heard of VPN or used it with business PCs you've taken outside the office. VPN is commonly used by companies to secure their data over the Web — and they have experts to manage it. So you might assume it's too difficult for regular Windows users to set up. But that's not the case — there are good choices now for you, too.
VPN started out as a way for big companies to securely connect PCs over the regular phone network. It used to take a lot of specialized hardware. But if you worked for a bank and had to get into the bank's main computers from a laptop in Timbuktu, VPN was the only choice.
Fortunately, times have changed and now you can get free or low-cost VPN connections that don't require any special hardware on your end. And they work surprisingly well!
When you set up a VPN connection with a server, you create a secure tunnel between your PC and the server. The tunnel encrypts all data flowing between your PC and the server, provides integrity checks so no data gets scrambled, and continuously makes sure no other computer has taken over the connection.
In Wi-Fi environments, VPNs prevent sidejacking by running the connection between your PC and the wireless access point inside the tunnel. Firesheep and other sniffers can see the data going by but can't decipher what it means.
VPNs do much more than simply foil Firesheep-like attacks; they provide complete end-to-end security, so nobody — not even your Internet Service Provider — can snoop on your communications or discover whether you're using services they don't like, such as BitTorrent. (The Lifehacker article, "How to boost your BitTorrent speed and privacy," recommends using VPN with torrents, for many good reasons.)
With a VPN, data goes into the tunnel from your PC and out of the tunnel at the VPN server; it then goes to whatever site you're accessing. Data returning to your PC comes back via the same route. Web sites see the VPN server's IP address, not yours. So your IP address is effectively cloaked from everyone except the VPN server. Short of a court order, your IP address is protected.
(If you're very paranoid about being discovered, see my Aug. 10, 2006, article on cascading proxies. Some of the information there is a bit dated, but aside from a rename — the Java Anonymous Project is now known as JonDo — things haven't changed much.)
Setting up and running a personal VPN
I've used the free VPN sites OpenVPN and ItsHidden; they both work, but I've had problems with speed in both cases. They also don't support features I'm looking for, such as (saints preserve me) VPN protection for my mobile phone connection. And there are times when I wish to connect to a European VPN server instead of one in the U.S.
I've been using Golden Frog's VyprVPN (info page) for several years because it runs on Windows, Mac OS/X, Linux Ubuntu, iPhone, iPad, and Android phones. Plus, Golden Frog has servers in Los Angeles; Washington, D.C.; Amsterdam; and Hong Kong.
It isn't free — the basic package runs U.S. $14.95 a month. For $19.99 a month, VyprVPNPro adds two additional VPN protocols, OpenVPN SSL and L2TP/IPsec. They're handy if you have an ISP or travel or live in a country that tries to block VPN. There, the older PPTP VPN protocol gets snagged, but the newer OpenVPN SSL or L2TP/IPsec does not.
Here's how hard it is to get VPN running on your computer (or phone, for that matter):
- Go to the Golden Frog order site and sign up. You'll get an e-mail message with a link.
- Click the link in the e-mail and go to your account's control panel.
- Click the link labeled Get Started.
- On the left, click on the link for the protocol you want to install. If you choose to install PPTP, there's no software to download or install — the Control Panel takes you through the steps necessary to set up Windows. For the other protocols, there are a few extra steps (such as changing Registry entries) and a software download.
Once installed, you turn on VyprVPN by clicking on the connections icon in the system tray (down near the time — see Figure 1) and choosing the VPN connection that you want. A connection dialog appears; click Connect and you're done. From that point on, your communication is cloaked. Easy!
Figure 1. Establishing a VyprVPN connection is easy. Click the connection icon (circled in yellow) in the Windows system tray, select the VPN you want from the pop-up dialog box, and let VyprVPN do the rest.
Golden Frog is offering a special deal through the end of the year. If you're interested in subscribing to the Usenet newsgroup, provider Giganews' (site) US$ 29.99-a-monthDiamond package includes free VyprVPN. (I've written about Giganews in my various Windows All-In-One For Dummies books for years, and I use it extensively for accessing newsgroups. The price on the Diamond package is going up on January 1, so now's a good time to give it a try.)
________
http://windowssecrets.com/2010/11/04/01-Cloak-your-connection-to-foil-Firesheep-snoopers
