Cloak your connection to foil Firesheep snoopers
By Woody Leonhard
In his Oct. 28 In the Wild column, Robert Vamosi showed how easy it is
to snoop a Wi-Fi connection using a clever Firefox add-in called Firesheep.
If you're serious about protecting your surfing from prying eyes while
on an unencrypted public Wi-Fi connection, the onus is on you to lock
down your connections. Using virtual private networking (VPN) is one of
the best ways I know to do that.
Firesheep has raised the awareness — and hackles — of Wi-Fi users all
over the world. It exploits an old, well-known problem called
sidejacking. Eric Butler, the author of Firesheep, describes the
situation succinctly in his Firesheep post:
"When logging into a Web site you usually start by submitting your
username and password. The server then checks to see if an account
matching this information exists and if so, replies back to you with a
'cookie,' which is used by your browser for all subsequent requests."
Most Web sites protect your username and password with a secure HTTPS
connection. Unfortunately, many immediately drop back into insecure HTTP
once a visitor is signed in — and the site sends its cookie back over a
now-insecure connection. Anybody snooping on your conversation can make
a copy of the cookie and use it to interact with the Web site in
precisely the same way you do. This is a process known as sidejacking.
Firesheep makes it point-and-click easy to monitor Wi-Fi signals and
look for cookies shouted out in the clear. It specifically sidejacks
interactions with popular sites such as Amazon, CNET, Facebook, Flickr,
Windows Live (including Hotmail), Twitter, WordPress, Yahoo, and others.
More than one way to stop sidejacking
Eric released Firesheep specifically to prod Web-site owners into
implementing secure HTTPS connections — when and where they make sense.
For example, it's unconscionable in this day and age that Hotmail, for
one, sends its cookies (and your e-mail) over an insecure connection.
(As Robert notes, Gmail uses HTTPS, so it's impervious to Firesheep.)
Banks, investment companies, and other financial institutions made the
switch to HTTPS many years ago. It's puzzling why other sites we trust
with personal information have not invested the time and money into
switching to HTTPS.
As noted in Robert's column, forcing HTTPS use can also happen in your
browser. Chrome and the Firefox Force-TLS add-on can force Web sites to
use HTTPS pages — when HTTPS is available.
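The sidejacking condition described above (a session cookie set over HTTPS and then sent in the clear once the site drops back to HTTP) and the browser-side forcing of HTTPS both come down to two things a site's login response can carry: the Secure attribute on its cookies and a Strict-Transport-Security header. The following is an added example, not code from the article or from Firesheep, that audits captured response headers for exactly that; the two responses it inspects are constructed samples, and the host names in them are made up.

```python
# Added example: audit a site's post-login HTTP response for the
# Firesheep-style sidejacking condition. A cookie without the Secure
# attribute is sent by the browser on every request to the host, including
# plain-HTTP ones, so anyone sniffing the Wi-Fi can copy it. A
# Strict-Transport-Security (HSTS) header tells the browser to use HTTPS
# only, which is the server-side version of the "force HTTPS" add-ons.

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs

def audit_response(raw_headers):
    """Report which cookies would leak over HTTP and whether HSTS is set.

    raw_headers: status line plus header lines of one HTTP response.
    """
    cookies, hsts = [], False
    for line in raw_headers.splitlines()[1:]:
        key, _, val = line.partition(":")
        key = key.strip().lower()
        if key == "set-cookie":
            cookies.append(parse_set_cookie(val.strip()))
        elif key == "strict-transport-security":
            hsts = True
    exposed = [name for name, attrs in cookies if "secure" not in attrs]
    return {"cookies": [n for n, _ in cookies], "exposed": exposed, "hsts": hsts}

# Constructed sample: a login response that leaves the session cookie exposed.
LEAKY_LOGIN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mail.example.test/inbox\r\n"
    "Set-Cookie: session_id=constructed1234; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
)

# Constructed sample: the same login with both mitigations applied.
HARDENED_LOGIN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.test/inbox\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session_id=constructed1234; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(resp))
```

A site whose report shows any name under "exposed" is sidejackable from an open hotspot regardless of how the login itself was protected.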
Wi-Fi Protected Access 2 (WPA2) is another way to subvert Firesheep in
particular and sidejacking in general. Connect to any wireless access
point that uses WPA2 encryption (info site), and you're protected. At
least at this point, nobody I know has figured out a way to sidejack a
WPA2 encrypted Wi-Fi connection.
But given that HTTPS is far from ubiquitous and most public hotspots do
not require a password (and consequently do not have data encryption),
you need alternative ways to protect your transmissions. Fortunately,
they exist and one — virtual private networking — is reasonably easy to
set up.
How to stop sidejacking with your own VPN
You've undoubtedly heard of VPN or used it with business PCs you've
taken outside the office. VPN is commonly used by companies to secure
their data over the Web — and they have experts to manage it. So you
might assume it's too difficult for regular Windows users to set up. But
that's not the case — there are good choices now for you, too.
VPN started out as a way for big companies to securely connect PCs over
the regular phone network. It used to take a lot of specialized
hardware. But if you worked for a bank and had to get into the bank's
main computers from a laptop in Timbuktu, VPN was the only choice.
Fortunately, times have changed and now you can get free or low-cost VPN
connections that don't require any special hardware on your end. And
they work surprisingly well!
When you set up a VPN connection with a server, you create a secure
tunnel between your PC and the server. The tunnel encrypts all data
flowing between your PC and the server, provides integrity checks so no
data gets scrambled, and continuously makes sure no other computer has
taken over the connection.
In Wi-Fi environments, VPNs prevent sidejacking by running the
connection between your PC and the wireless access point inside the
tunnel. Firesheep and other sniffers can see the data going by but can't
decipher what it means.
VPNs do much more than simply foil Firesheep-like attacks; they provide
complete end-to-end security, so nobody — not even your Internet Service
Provider — can snoop on your communications or discover whether you're
using services they don't like, such as BitTorrent. (The Lifehacker
article, "How to boost your BitTorrent speed and privacy," recommends
using VPN with torrents, for many good reasons.)
With a VPN, data goes into the tunnel from your PC and out of the tunnel
at the VPN server; it then goes to whatever site you're accessing. Data
returning to your PC comes back via the same route. Web sites see the
VPN server's IP address, not yours. So your IP address is effectively
cloaked from everyone except the VPN server. Short of a court order,
your IP address is protected.
(If you're very paranoid about being discovered, see my Aug. 10, 2006,
article on cascading proxies. Some of the information there is a bit
dated, but aside from a rename — the Java Anonymous Project is now known
as JonDo — things haven't changed much.)
Setting up and running a personal VPN
I've used the free VPN sites OpenVPN and ItsHidden; they both work, but
I've had problems with speed in both cases. They also don't support
features I'm looking for, such as (saints preserve me) VPN protection
for my mobile phone connection. And there are times when I wish to
connect to a European VPN server instead of one in the U.S.
I've been using Golden Frog's VyprVPN (info page) for several years
because it runs on Windows, Mac OS X, Ubuntu Linux, iPhone, iPad, and
Android phones. Plus, Golden Frog has servers in Los Angeles;
Washington, D.C.; Amsterdam; and Hong Kong.
It isn't free — the basic package runs U.S. $14.95 a month. For $19.99 a
month, VyprVPN Pro adds two additional VPN protocols, OpenVPN SSL and
L2TP/IPsec. They're handy if your ISP, or a country you travel to or live
in, tries to block VPN. There, the older PPTP VPN protocol gets snagged,
but the newer OpenVPN SSL or L2TP/IPsec does not.
Here's how hard it is to get VPN running on your computer (or phone, for
that matter):
1. Go to the Golden Frog order site and sign up. You'll get an e-mail
message with a link.
2. Click the link in the e-mail and go to your account's control panel.
3. Click the link labeled Get Started.
4. On the left, click on the link for the protocol you want to install. If
you choose to install PPTP, there's no software to download or install —
the Control Panel takes you through the steps necessary to set up
Windows. For the other protocols, there are a few extra steps (such as
changing Registry entries) and a software download.
5. That's it. Windows will do the rest of the heavy lifting.
Once installed, you turn on VyprVPN by clicking on the connections icon
in the system tray (down near the time — see Figure 1) and choosing the
VPN connection that you want. A connection dialog appears; click Connect
and you're done. From that point on, your communication is cloaked. Easy!
Figure 1. Establishing a VyprVPN connection is easy. Click the
connection icon (circled in yellow) in the Windows system tray, select
the VPN you want from the pop-up dialog box, and let VyprVPN do the rest.
Golden Frog is offering a special deal through the end of the year. If
you're interested in subscribing to the Usenet newsgroup provider
Giganews (site), its US$ 29.99-a-month Diamond package includes free
VyprVPN. (I've written about Giganews in my various Windows All-In-One
For Dummies books for years, and I use it extensively for accessing
newsgroups. The price on the Diamond package is going up on January 1,
so now's a good time to give it a try.)