

How to screw with those firesheep snoops - FireShepherd - Mikecsi
http://blogs.forbes.com/andygreenberg/2010/10/28/how-to-screw-with-firesheep-snoops-try-fireshepherd/

======
raesene
From what I've read of FireShepherd, it's a really bad countermeasure.
Basically as described it's doing a DoS attack on people using FireSheep,
probably triggered by a coding error that could be fixed.

Two big problems

1) What if the DoS affects other parts of the infrastructure like the Wireless
Access Point. Can't imagine hotspot owners will be too happy if people start
doing this all the time.

2) False sense of security. Using FireShepherd is unlikely to stop other means
of getting access to the data (e.g., kismet), it only stops FireSheep (for now).

~~~
cstuder
Plus it probably can be fixed easily by FireSheep with an update.

If FireShepherd were to flood the network with fake personalities and their
cookies instead, it might help hiding real accounts.

~~~
krosaen
Yeah, and if each fake personality led to a rick roll or worse...

~~~
pavel_lishin
Wouldn't be subtle enough.

------
look_lookatme
This is a naive question, but what would prevent Google from buying one of the
trusted CAs (or fast tracking their own service into most browsers) and
knocking the bottom out of the cert market with a free and easy SSL solution?

It doesn't make much business sense, but it fits in with some of Google's more
philanthropic initiatives for a healthier net.

~~~
cobbal
As I understand it, certificates are not the only problem. SSL requires
significantly more overhead on the server as well, which is why it is commonly
used just for logins.

~~~
eli
The overhead of running your webserver itself of SSL isn't that huge a deal.
But it usually means you also need to load all images and static assets off a
HTTPS server, which makes things a bit more complicated than just throwing
them on a cheap CDN. And, of course, using HTTPS means you skip any caching
proxies that are between you and the user.

------
chapel
A better solution would be for those sites targeted by FireSheep to force
encrypted connections to login.

Also a simple fix for open networks is to enable WPA encryption with a simple
password and give it to everyone that wants to use the network. It works the
same to the end user (just one extra step) but at the same time protects them
from unwanted snooping.

On a side note, all those coffee shops that don't like people solely using
their networks and monopolizing tables, this news could push people to use
unsecured networks less.

~~~
die_sekte
Actually, just encrypting the login is not enough. FireSheep steals session
keys, not passwords. Everything that needs to have the session key needs to be
served over SSL.
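
An added example, not part of the original comment: a small audit for the condition described above, flagging session cookies set without the `Secure` attribute and any plain-HTTP request (for instance a static asset) that still carries the session cookie. The cookie name `sid`, the `example.test` URLs and the traffic records are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: "sid" is the session cookie name of a hypothetical site.
SESSION_COOKIES = {"sid"}

# Constructed sample traffic: (URL, Set-Cookie header) pairs from responses.
RESPONSES = [
    ("https://example.test/login", "sid=abc123; Path=/; HttpOnly"),
    ("https://example.test/login", "theme=dark; Path=/"),
]

# Constructed sample traffic: (URL, Cookie header) pairs from requests.
REQUESTS = [
    ("https://example.test/inbox", "sid=abc123; theme=dark"),
    ("http://example.test/static/logo.png", "sid=abc123; theme=dark"),
    ("http://example.test/static/site.css", "theme=dark"),
]


def cookies_missing_secure(responses, session_names=SESSION_COOKIES):
    """Return (url, cookie name) for session cookies set without Secure."""
    findings = []
    for url, set_cookie in responses:
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            # morsel["secure"] is "" when the attribute is absent.
            if name in session_names and not morsel["secure"]:
                findings.append((url, name))
    return findings


def cleartext_session_requests(requests, session_names=SESSION_COOKIES):
    """Return URLs fetched over plain HTTP that carried a session cookie."""
    findings = []
    for url, cookie_header in requests:
        if urlsplit(url).scheme == "https":
            continue  # encrypted in transit, not visible to a passive sniffer
        jar = SimpleCookie()
        jar.load(cookie_header)
        if session_names & set(jar.keys()):
            findings.append(url)
    return findings


if __name__ == "__main__":
    print("Session cookies set without Secure:", cookies_missing_secure(RESPONSES))
    print("Session cookie sent in cleartext:", cleartext_session_requests(REQUESTS))
```

In the sample, the login page is HTTPS, yet the session cookie still leaks on the HTTP image request because it was set without `Secure`.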

~~~
chapel
That's what I meant, but obviously didn't explain it correctly. Thanks for the
correction.

