marahmarie: my initials (MM) (Default)

If I'd only checked for more news on BlackSheep last night I could have written a much more vitriolic and dismissive post without even singling you and TechCrunch out! So I'm handing out mea culpas now: So sorry! As it turns out, Mashable, AOL's Switched, and ubergizmo, just to name a few websites, also wrote completely misleading posts about BlackSheep. So it's not just you guys. Whew! That was awfully close.

So...should I be comforted - or horrified - by the fact that getting the story wrong is just so...common?

There's an upside, though: at least the truth is finally coming out (but even PCMag screws it up: at no point does BlackSheep warn you to log out when it detects Firesheep activity - it simply notifies you that Firesheep activity is present on your network by showing you the IP of the person doing the sidejacking).

It isn't rocket science. You're paid to write for a blog, so you read other blogs for ideas and follow-ups to what you wrote for the blog that you write for, right?

So the question becomes: Alexia: CAN YOU READ? And by the way, Alexia, you rock, you're the only female writer on TechCrunch whom I like, but you can't be serious: How in the name of all that is tech did you get this:

Firesheep accesses your Facebook, Foursquare, Twitter and other logins through cookies — Blacksheep subverts this by tricking Firesheep with a fake login cookie [emphasis mine] and alerting the user when Firesheep is detected, displaying the IP address of the person using it (see below), and warning the user to log off.

Out of this?

BlackSheep detects the active connection made by Firesheep. It does this by making HTTP requests to random sites handled by FireSheep every 5 minutes (configurable) with fake values. BlackSheep then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.

Use Firesheep to combat.... Firesheep!

BlackSheep is based on the Firesheep source code. It reuses the same network listening back-end and the list of sites and corresponding cookies, etc. This ensures that the fake traffic generated by BlackSheep is what Firesheep is expecting.

At no point does Zscaler, the makers of the BlackSheep Firefox extension, say that "fake login cookies" are used [edit: actually, this was said in Zscaler's video, which I didn't get to watch until after I published this post], only "corresponding cookies". And just once every five minutes (configurable) which means, according to the screen shot on Zscaler's post, that the most BlackSheep can check for Firesheep is once every minute, which is not frequently enough to keep your log-ins from getting sidejacked. Nor does Zscaler claim that BlackSheep will "warn you to log off".

Why do I have to sit here pounding out this post in a state of almost complete fury to try to get these points across? BlackSheep does not "protect" you from Firesheep, it simply warns you of its presence, but not often enough to do much good, nor does it "warn you to log off" before any sidejacking occurs. Those are important points that Alexia missed.

Between the misleading headline on TechCrunch, followed by the article, which leads you to believe that BlackSheep is THE ANSWER to Firesheep, when it is only the INDICATOR, I'm fit to be tied. Good luck using an indicator to protect your log-ins from being sidejacked!

Say someone broke into your house, so you install a silent alarm that can ring your cell phone to alert you when other break-ins occur. This alarm won't scare off intruders; it won't stop them from breaking in; nor will it stop them from robbing you blind. All it will do is alert you to the problem. That's it. That's all BlackSheep is: a silent alarm for Firesheep. Seriously.

You build up trust in a website like TechCrunch, which is read by nearly everyone, then they get the facts wrong on this sort of scale, and you realize that the unquestioning faith you have in them will trip you up. That's not the sort of mistake TechCrunch can afford to make.

I don't want to sound panicky, but holy shit, all your cookies are mine. In fact, all your cookies are anyone's now that the new Firefox extension, Firesheep, is here; it's designed to steal your cookies, your user names, and your passwords whenever you use an open Wi-Fi connection.

So there you are, innocently using your laptop at home, at work, at the library, wherever, mindlessly logging into http://dreamwidth.org/ for the tenth time today...and there's someone with their little Firesheep extension waiting nearby to gobble up your cookie, your user name and your password on every website you visit - unless you sign in with the safer (note I didn't say "bulletproof" - it isn't) https:// protocol.

You might not want or think to use the https:// protocol every time you log into a website, but you won't want someone stealing your cookies and getting your picture and passwords, either, so you'll probably want to install EFF's HTTPS Everywhere to somewhat minimize any collateral damage.

If you use Firefox, you might want to try the ForceTLS extension (it doesn't work in Firefox 3.6.12, but hey, don't let that stop you). You can also set up the NoScript add-on to block http:// on a case-by-case basis, but have fun with that.

None of these add-ons work for me, since I can't get them to force Dreamwidth.org or Yahoo.com to use https:// (and I spend most of my life on those websites, so this is a serious gripe), so I'll have to re-install Speed Dial to bookmark https:// log-ins, or else I'll type "dreamwidth.org" or "yahoo.com" into the address bar endlessly.

10-28-2010: My first version of this post ended with a paragraph portending that thanks to its extensibility (something I normally adore) problems like Firesheep would probably make me hate Firefox 4 with the same burning passion I hated Firefox 3 with. It was a reflexive reaction, probably the same one that makes Microsoft devs want to keep Internet Explorer closed source - as though that's the only way to protect the end user.

But after I published this post with my end-rant intact, I surfed Google and came upon this: most of ForceTLS's functionality will be baked right into Firefox 4 - right out of the box. From Mozilla's blog:

Not too long ago we announced HTTP Strict-Transport-Security that can be used to — among other things — ensure your Facebook or Twitter cookies can’t be sniffed by someone using a tool like Firesheep. In fact, it’s built into Firefox 4. To protect their users from this attack, [emphasis mine] a site simply needs to set the Strict-Transport-Security HTTP header when they serve you a secure log-in page, and make the rest of their site available over HTTPS. Firefox will take care of the rest: automatically fetching that site over a secure connection and blocking any third parties from seeing the unencrypted traffic.

We recommend that website authors make use of this header in order to protect their users.

So I ask the coding gods at Mozilla to forgive me my fleeting moment of tempestuousness: having this sort of functionality baked right into Firefox 4 was what I wanted. As long as the goddamn thing doesn't chew up and spit out my extensions like Firefox 3 did - I won't even touch the Beta for "not wanting to know" - I guess Firefox 4 might be alright.
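As an added example (not Firefox's or Mozilla's code), here is a toy browser-side HSTS store in Node.js that shows the rule the Mozilla quote describes: the header is remembered only when it arrives over HTTPS, and later http:// requests to that host are rewritten to https:// before they leave the machine, until max-age runs out. The hostname, header values and timestamps are constructed, and header names are assumed to be lower-cased.

```javascript
// Pull max-age (seconds) out of a Strict-Transport-Security value; null when missing or malformed
function parseMaxAge(value) {
  const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Browser-side policy store: hostname -> expiry time in ms
class HstsStore {
  constructor() { this.policies = new Map(); }

  // Record the header only from a response fetched over HTTPS: on an open Wi-Fi network anyone
  // could inject it into plain-HTTP traffic, so RFC 6797 has the browser ignore it there
  observe(url, headers, now) {
    const u = new URL(url);
    const raw = headers["strict-transport-security"]; // assumes lower-cased header names
    if (u.protocol !== "https:" || raw === undefined) return false;
    const maxAge = parseMaxAge(raw);
    if (maxAge === null) return false;
    if (maxAge === 0) this.policies.delete(u.hostname); // max-age=0 tells the browser to forget
    else this.policies.set(u.hostname, now + maxAge * 1000);
    return true;
  }

  // Rewrite http:// to https:// before the request leaves, if the host has a live policy
  upgrade(url, now) {
    const u = new URL(url);
    const expires = this.policies.get(u.hostname);
    if (u.protocol !== "http:" || expires === undefined) return url; // unknown host: first visit stays in the clear
    if (expires <= now) { this.policies.delete(u.hostname); return url; } // max-age elapsed
    u.protocol = "https:";
    return u.href;
  }
}

// Constructed walk-through: no policy, then a header seen over HTTP (ignored), then over HTTPS
function runDemo() {
  const store = new HstsStore(), t0 = 1_700_000_000_000, login = "http://twitter.com/login";
  const headers = { "strict-transport-security": "max-age=31536000; includeSubDomains" };
  const before = store.upgrade(login, t0);
  store.observe("http://twitter.com/", headers, t0);
  const afterHttpHeader = store.upgrade(login, t0);
  store.observe("https://twitter.com/login", headers, t0);
  const afterHttpsHeader = store.upgrade(login, t0);
  const expired = store.upgrade(login, t0 + 31536000 * 1000);
  return { before, afterHttpHeader, afterHttpsHeader, expired };
}
```

The first plain-HTTP visit to a site still goes out unprotected, which is why the quote says the header has to be set on the secure log-in page the user actually reaches over HTTPS.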