Encrypting WiFi with Known Passwords Still Misses the Point of Firesheep

Slashdot links to the proposal advanced by one security researcher to have safer wireless without necessarily denying access. The reasoning of Chester Wisniewski, who works for security firm Sophos, isn’t wrong. Firesheep is able to hijack sessions with popular web sites because, once the login itself is over, the session cookie travels with every request entirely in the clear. Using WPA or WPA2, even with a published passphrase, encrypts each client’s traffic with its own pairwise key, so users on the same hot spot can’t read one another’s frames as trivially as on an open network. While WPA isn’t one hundred percent secure, it raises the cost of hijacking beyond the point-and-click ease of Firesheep.

Increasing the security of hot spots is a laudable goal in and of itself. Unfortunately, like the variety of mitigation tools that have cropped up, it is distracting from the main point Firesheep’s author, Eric Butler, was trying to make. The simplest, best solution is for web sites to ensure that session identifiers, usually encoded as browser cookies, are not easily snarfed by an attacker. Just turning on SSL for the whole session rather than only the login page, and making sure web applications behave well with it, in particular marking session cookies Secure so the browser never sends them over plain HTTP, would be enough. All reputable online banks already do so. It is unclear why other services are so reluctant to do so, despite many of the costs and limitations of SSL being erased by beefier computers and devices coupled with faster connections.
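To make “behave well with SSL” concrete, here is an added example (not code from the original post or from Firesheep) that audits a raw HTTP response for the three mistakes that leave a session cookie exposed to a sniffer on an open network: serving the logged-in session over plain HTTP, issuing a session cookie without the Secure flag, and omitting Strict-Transport-Security on the HTTPS side. The responses at the bottom are constructed samples, not captured traffic from any real site.

```python
# Added example (not from the original post): audit a raw HTTP response for the
# mistakes that leave a session cookie exposed to a sniffer such as Firesheep.
# The responses at the bottom are constructed samples, not captured traffic.
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(lower-name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(raw: str, served_over_tls: bool) -> List[str]:
    """List the ways this response lets a session be sidejacked on an open network."""
    status, headers = parse_response(raw)
    findings: List[str] = []
    if not served_over_tls:
        location = next((v for k, v in headers if k == "location"), "")
        if not (status in (301, 302, 307, 308) and location.lower().startswith("https://")):
            findings.append("plain-HTTP response is not a redirect to HTTPS")
    elif not any(k == "strict-transport-security" for k, _ in headers):
        findings.append("HTTPS response lacks Strict-Transport-Security")
    for key, value in headers:
        if key != "set-cookie":
            continue
        name, attrs = parse_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to any plain-HTTP
            # request for the same host (an image, a redirect), which is all a sniffer needs.
            findings.append(f"cookie {name!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


# Constructed sample responses (hypothetical host example.test).
LEAKY_HTTP = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "Set-Cookie: sessionid=abc123; Path=/\r\n"
              "\r\n<html>logged in</html>")
REDIRECT_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: https://example.test/\r\n"
                 "\r\n")
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                  "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
                  "\r\n<html>logged in</html>")

if __name__ == "__main__":
    for label, raw, tls in [("leaky", LEAKY_HTTP, False),
                            ("redirect", REDIRECT_HTTP, False),
                            ("hardened", HARDENED_HTTPS, True)]:
        print(label, audit(raw, tls) or ["ok"])
```

The Secure check is deliberately applied even to responses that arrived over HTTPS: a cookie set without that flag is still sent by the browser on any plain-HTTP request to the same host, which is exactly the “SSL login, cleartext session” pattern Firesheep targets.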

Glenn Fleishman at BoingBoing has some further excellent analysis of Wisniewski’s proposal. Steve Gibson, a high profile security writer and developer, made the same suggestion earlier and has since had time to think through its flaws.

Gibson notes the key problem with this approach in the comments to his post: every user with the shared passphrase can sniff the four-way handshake in which another client derives its unique key, and repeat the derivation. The per-client key is computed from the passphrase, the network name, both MAC addresses and two nonces, and everything except the passphrase crosses the air in the clear. Further, if you join a network with many clients already connected, you can use the aircrack-ng suite (aireplay-ng) to force a deauthentication. That doesn’t keep a client off the network; its Wi-Fi driver reconnects automatically and performs a new handshake, exposing every detail needed to derive the key.
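The derivation Gibson describes is the standard WPA/WPA2-PSK key schedule from IEEE 802.11i. As an added example (not Gibson’s or Fleishman’s code), the following computes it twice: once as the joining client, and once as a second passphrase holder who only captured the handshake. The passphrase, SSID, MAC addresses and nonces are constructed sample values, not data from any real network.

```python
# Added example (not Gibson's or Fleishman's code): WPA/WPA2-PSK pairwise key
# derivation as specified in IEEE 802.11i, used here to show that anyone holding
# the shared passphrase and a capture of a client's four-way handshake obtains
# that client's "unique" key. All MAC addresses, nonces and the passphrase are
# constructed sample values, not data from any real network.
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (802.11i).
    Every user of a hotspot with a shared passphrase derives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                       anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key (PRF-384 for CCMP/WPA2; TKIP uses PRF-512).
    The MACs and nonces are all visible in the four-way handshake frames."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC key), KEK (key-wrap key), TK (traffic encryption key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eavesdropper_can_derive_same_key(passphrase: str, ssid: str) -> bool:
    """Simulate a client joining while a second passphrase holder sniffs the handshake."""
    ap_mac = bytes.fromhex("020000000001")        # constructed locally-administered MACs
    client_mac = bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)  # fresh per handshake, but sent in clear

    # Legitimate client: knows the passphrase and takes part in the handshake.
    client_ptk = ptk_from_handshake(pmk_from_passphrase(passphrase, ssid),
                                    ap_mac, client_mac, anonce, snonce)

    # Eavesdropper: knows the same passphrase (it is the hotspot's published password)
    # and captured the handshake frames, which carry both MACs and both nonces.
    sniffed = {"ap": ap_mac, "sta": client_mac, "anonce": anonce, "snonce": snonce}
    eaves_ptk = ptk_from_handshake(pmk_from_passphrase(passphrase, ssid),
                                   sniffed["ap"], sniffed["sta"],
                                   sniffed["anonce"], sniffed["snonce"])
    return split_ptk(eaves_ptk)["TK"] == split_ptk(client_ptk)["TK"]


if __name__ == "__main__":
    print("eavesdropper recovers client's traffic key:",
          eavesdropper_can_derive_same_key("free", "CoffeeShopWiFi"))
```

The nonces give each session a different key, but they add freshness, not secrecy: once the passphrase is public, the only secret input to the derivation is gone, which is why a forced re-handshake hands the attacker everything.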

Fleishman goes on to explain how it may be possible to tweak a hotspot and its clients far enough to close most of the remaining holes, but ultimately reaches the same conclusion. Access points and end users aren’t in the best position to fix a security problem that web service developers and operators have known about and largely ignored.

Sophos Researcher Suggests Password ‘Free’ to Spur Wi-Fi Encryption, Slashdot

One Reply to “Encrypting WiFi with Known Passwords Still Misses the Point of Firesheep”

  1. Well, yes. While the point of Firesheep was to bring into the limelight the need for SSL encryption support on many websites, all these suggestions are to give folks some sort of band-aid until SSL does become more widespread.
    I agree that it’s ridiculous that so many web apps don’t already do this. It has been a personal pet peeve of mine for some time now. I do find it somewhat amusing, however, that many are only now just realizing the intelligence of encryption. How long have SSL and other cryptographic protocols been around? Mid-nineties and earlier? Come on people. Get with the program, Internets.
    Something of related interest, though. When my uncle, who lives in France, got his internet connection, the wireless router that was given to him by the ISP had been locked down pretty tight by default with encryption turned on and a complex password. It does make me wonder why that isn’t done more often in the US.
