Cloak your connection to foil Firesheep snoopers
By Woody Leonhard
In his Oct. 28 In the Wild column, Robert Vamosi showed how easy it is to
snoop a Wi-Fi connection using a clever Firefox add-in called Firesheep.
If you're serious about protecting your surfing from prying eyes while on
an unencrypted public Wi-Fi connection, the onus is on you to lock down
your connections. Using virtual private networking (VPN) is one of the
best ways I know to do that.
Firesheep has raised the awareness — and hackles — of Wi-Fi users all over
the world. It exploits an old, well-known problem called sidejacking. Eric
Butler, the author of Firesheep, describes the situation succinctly in his
Firesheep post:
"When logging into a Web site you usually start by submitting your
username and password. The server then checks to see if an account
matching this information exists and if so, replies back to you with a
'cookie,' which is used by your browser for all subsequent requests."
Most Web sites protect your username and password with a secure HTTPS
connection. Unfortunately, many immediately drop back into insecure HTTP
once a visitor is signed in — and the site sends its cookie back over a
now-insecure connection. Anybody snooping on your conversation can make a
copy of the cookie and use it to interact with the Web site in precisely
the same way you do. This is a process known as sidejacking.
Firesheep makes it point-and-click easy to monitor Wi-Fi signals and look
for cookies shouted out in the clear. It specifically sidejacks
interactions with popular sites such as Amazon, CNET, Facebook, Flickr,
Windows Live (including Hotmail), Twitter, WordPress, Yahoo, and others.
More than one way to stop sidejacking
Eric released Firesheep specifically to prod Web-site owners into
implementing secure HTTPS connections — when and where they make sense.
For example, it's unconscionable in this day and age that Hotmail, for
one, sends its cookies (and your e-mail) over an insecure connection. (As
Robert notes, Gmail uses HTTPS, so it's impervious to Firesheep.) Banks,
investment companies, and other financial institutions made the switch to
HTTPS many years ago. It's puzzling why other sites we trust with personal
information have not invested the time and money into switching to HTTPS.
As noted in Robert's column, forcing HTTPS use can also happen in your
browser. Chrome and the Firefox Force-TLS add-on can force Web sites to use
HTTPS pages — when HTTPS is available.
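The two server-side fixes implied above are a session cookie marked Secure (so the browser never sends it over plain HTTP, which is what makes the cookie copyable in the first place) and a Strict-Transport-Security header (HSTS, the server-side counterpart of the browser add-ons that force HTTPS). The following audit script is an added example, not code from the article or from Firesheep's author; the two sample responses and the cookie value in them are constructed, and the finding texts are this example's own wording.

```python
"""Audit a server's response headers for the two sidejacking defences:
the Secure (and HttpOnly) cookie attributes and an HSTS header with a
non-zero max-age. Standard library only; sample responses are constructed."""


def parse_set_cookie(value):
    """Return (cookie_name, attributes) for one Set-Cookie header value.
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def parse_hsts(value):
    """Return the max-age of a Strict-Transport-Security header value,
    or None if no well-formed max-age directive is present."""
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and sep and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server; a list,
    not a dict, because Set-Cookie may legitimately repeat.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cookie!r} lacks Secure: the browser will also send it "
                    "over plain HTTP, where anyone on the Wi-Fi can copy it")
            if "httponly" not in attrs:
                findings.append(
                    f"cookie {cookie!r} lacks HttpOnly: readable by page scripts")
        elif lname == "strict-transport-security":
            hsts_seen = True
            if not parse_hsts(value):
                findings.append(
                    "Strict-Transport-Security present but max-age is missing or zero")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header: the browser will still "
                        "follow plain http:// links to this site")
    return findings


# Constructed post-login response from a site that drops back to HTTP.
SLOPPY_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed-example-token; Path=/"),
]

# The same response with both fixes applied (one year of HSTS).
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed-example-token; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, response in (("sloppy", SLOPPY_LOGIN_RESPONSE),
                            ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label)
        for finding in audit_response(response) or ["no findings"]:
            print("  -", finding)
```

Run it against the sloppy response and it reports the missing Secure flag, the missing HttpOnly flag and the absent HSTS header; the hardened response produces no findings. The Secure flag alone stops the cookie from crossing the air in the clear; HSTS is what keeps the browser from being steered to the http:// version of the site at all, which is why the two are checked together.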
Wi-Fi Protected Access 2 (WPA2) is another way to subvert Firesheep in
particular and sidejacking in general. Connect to any wireless access
point that uses WPA2 encryption (info site), and you're protected. At
least at this point, nobody I know has figured out a way to sidejack a
WPA2 encrypted Wi-Fi connection.
But given that HTTPS is far from ubiquitous and most public hotspots do
not require a password (and consequently do not have data encryption), you
need alternative ways to protect your transmissions. Fortunately, they
exist and one — virtual private networking — is reasonably easy to set up.
How to stop sidejacking with your own VPN
You've undoubtedly heard of VPN or used it with business PCs you've taken
outside the office. VPN is commonly used by companies to secure their data
over the Web — and they have experts to manage it. So you might assume
it's too difficult for regular Windows users to set up. But that's not the
case — there are good choices now for you, too.
VPN started out as a way for big companies to securely connect PCs over
the regular phone network. It used to take a lot of specialized hardware.
But if you worked for a bank and had to get into the bank's main computers
from a laptop in Timbuktu, VPN was the only choice.
Fortunately, times have changed and now you can get free or low-cost VPN
connections that don't require any special hardware on your end. And they
work surprisingly well!
When you set up a VPN connection with a server, you create a secure tunnel
between your PC and the server. The tunnel encrypts all data flowing
between your PC and the server, provides integrity checks so no data gets
scrambled, and continuously makes sure no other computer has taken over
the connection.
In Wi-Fi environments, VPNs prevent sidejacking by running the connection
between your PC and the wireless access point inside the tunnel. Firesheep
and other sniffers can see the data going by but can't decipher what it
means.
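To make the three tunnel properties just listed concrete, here is a small added example (not from the article, and not the wire format of PPTP, L2TP/IPsec or OpenVPN) of a teaching construction with the same shape: each packet is encrypted with a keystream derived from a per-session key, carries a sequence number, and is authenticated with an HMAC tag before anything is decrypted. The class and function names, the 32-byte session key and the HTTP request with its cookie are all constructed for the example.

```python
"""Toy tunnel endpoint: encrypt-then-MAC with a sequence number, built from
HMAC-SHA256 as a keystream generator. Teaching construction only, to show
why a sniffer cannot read, alter, or replay what goes through a tunnel."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # bytes of HMAC-SHA256 tag appended to every packet
SEQ_LEN = 8    # bytes of big-endian sequence number prefixed to every packet


class TunnelEndpoint:
    """One end of a tunnel. Both ends are built from the same session key;
    each keeps its own send and receive sequence counters."""

    def __init__(self, session_key):
        # Separate keys for confidentiality and for authentication.
        self.enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
        self.send_seq = 0
        self.recv_seq = 0

    def _keystream(self, seq, length):
        """PRF in counter mode: a fresh keystream for every (seq, block)."""
        out = b""
        block = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, struct.pack(">QQ", seq, block),
                            hashlib.sha256).digest()
            block += 1
        return out[:length]

    def seal(self, plaintext):
        """Encrypt, then authenticate the sequence number plus ciphertext."""
        header = struct.pack(">Q", self.send_seq)
        ks = self._keystream(self.send_seq, len(plaintext))
        self.send_seq += 1
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def open(self, packet):
        """Verify the tag and the sequence number before decrypting; raise on
        any tampered, replayed, or foreign packet."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header = packet[:SEQ_LEN]
        ciphertext = packet[SEQ_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: altered or sent with another key")
        seq = struct.unpack(">Q", header)[0]
        if seq != self.recv_seq:
            raise ValueError("sequence mismatch: replayed or out-of-order packet")
        self.recv_seq += 1
        ks = self._keystream(seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo(session_key=None):
    """Send one cookie-bearing request through the tunnel and record what a
    Wi-Fi sniffer or an impostor can do with the captured packet."""
    key = session_key or os.urandom(32)
    laptop, vpn_server = TunnelEndpoint(key), TunnelEndpoint(key)
    # Constructed request carrying the kind of cookie a sniffer would copy
    # if it crossed the air in the clear.
    request = (b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
               b"Cookie: session=constructed-secret\r\n\r\n")
    packet = laptop.seal(request)

    result = {"cookie_visible_on_air": b"session=constructed-secret" in packet}
    result["delivered_intact"] = vpn_server.open(packet) == request

    def rejected(endpoint, pkt):
        try:
            endpoint.open(pkt)
            return False
        except ValueError:
            return True

    # Flipping one ciphertext byte fails the integrity check.
    flipped = packet[:SEQ_LEN] + bytes([packet[SEQ_LEN] ^ 0x01]) + packet[SEQ_LEN + 1:]
    result["tampered_rejected"] = rejected(vpn_server, flipped)
    # Replaying the captured packet fails the sequence check.
    result["replay_rejected"] = rejected(vpn_server, packet)
    # A machine without the session key cannot produce or accept valid packets.
    result["foreign_key_rejected"] = rejected(TunnelEndpoint(os.urandom(32)), packet)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag is checked before the sequence number and before decryption, so a forged or altered packet never reaches the receiver's application; the sequence counter is what lets the receiver notice a captured packet being played back from a second machine.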
VPNs do much more than simply foil Firesheep-like attacks; they provide
complete end-to-end security, so nobody — not even your Internet Service
Provider — can snoop on your communications or discover whether you're
using services they don't like, such as BitTorrent. (The Lifehacker
article, "How to boost your BitTorrent speed and privacy," recommends
using VPN with torrents, for many good reasons.)
With a VPN, data goes into the tunnel from your PC and out of the tunnel
at the VPN server; it then goes to whatever site you're accessing. Data
returning to your PC comes back via the same route. Web sites see the VPN
server's IP address, not yours. So your IP address is effectively cloaked
from everyone except the VPN server. Short of a court order, your IP
address is protected.
(If you're very paranoid about being discovered, see my Aug. 10, 2006,
article on cascading proxies. Some of the information there is a bit
dated, but aside from a rename — the Java Anonymous Project is now known
as JonDo — things haven't changed much.)
Setting up and running a personal VPN
I've used the free VPN sites OpenVPN and ItsHidden; they both work, but
I've had problems with speed in both cases. They also don't support
features I'm looking for, such as (saints preserve me) VPN protection for
my mobile phone connection. And there are times when I wish to connect to
a European VPN server instead of one in the U.S.
I've been using Golden Frog's VyprVPN (info page) for several years
because it runs on Windows, Mac OS X, Linux Ubuntu, iPhone, iPad, and
Android phones. Plus, Golden Frog has servers in Los Angeles; Washington,
D.C.; Amsterdam; and Hong Kong.
It isn't free — the basic package runs U.S. $14.95 a month. For $19.99 a
month, VyprVPNPro adds two additional VPN protocols, OpenVPN SSL and
L2TP/IPsec. They're handy if you have an ISP or travel or live in a
country that tries to block VPN. There, the older PPTP VPN protocol gets
snagged, but the newer OpenVPN SSL or L2TP/IPsec does not.
Here's how hard it is to get VPN running on your computer (or phone, for
that matter):
1. Go to the Golden Frog order site and sign up. You'll get an e-mail
   message with a link.
2. Click the link in the e-mail and go to your account's control panel.
3. Click the link labeled Get Started.
4. On the left, click on the link for the protocol you want to install. If
   you choose to install PPTP, there's no software to download or install —
   the Control Panel takes you through the steps necessary to set up Windows.
   For the other protocols, there are a few extra steps (such as changing
   Registry entries) and a software download.
That's it. Windows will do the rest of the heavy lifting.
Once installed, you turn on VyprVPN by clicking on the connections icon in
the system tray (down near the time — see Figure 1) and choosing the VPN
connection that you want. A connection dialog appears; click Connect and
you're done. From that point on, your communication is cloaked. Easy!
Figure 1. Establishing a VyprVPN connection is easy. Click the connection
icon (circled in yellow) in the Windows system tray, select the VPN you
want from the pop-up dialog box, and let VyprVPN do the rest.
Golden Frog is offering a special deal through the end of the year. If
you're interested in subscribing to the Usenet newsgroup, provider
Giganews' (site) US$ 29.99-a-month Diamond package includes free VyprVPN.
(I've written about Giganews in my various Windows All-In-One For Dummies
books for years, and I use it extensively for accessing newsgroups. The
price on the Diamond package is going up on January 1, so now's a good
time to give it a try.)