Wi-Fi security

Hi there, I’m Brian and this is Gary. We’re two-fifths of the privacy and security startup Disconnect. In this video, we’ll show you three things: first, what we think is the biggest security threat to most web users; second, a new vulnerability that increases the threat; and third, a feature we just implemented in Disconnect that defends against the threat.

When you use a wireless network, your computer or mobile device sends and receives data the same way a radio does. Unless the data is encrypted, anybody else with access to the network can “tune in” to view your web-browsing history, read your email messages, steal your credit-card info, and so on. Plain, old web data is transferred over a protocol abbreviated “HTTP”. Encrypted data is transferred over “HTTPS”, which is HTTP carried inside a TLS connection. Although wireless networks may add a layer of encryption themselves, that layer is not something to rely on: WEP can be broken in minutes with freely available tools, and on a WPA or WPA2 network protected by a shared password, anyone who knows that password (everyone in the coffee shop, say) can decrypt the other customers’ traffic too.

Financial and healthcare websites are pretty good about forcing you to use HTTPS across all their pages. A few major social sites, namely Google, Facebook, and Twitter, began letting you opt in to always use HTTPS in the last couple of years. But if you don’t opt in on these sites, or you go to other sites, only login pages tend to require HTTPS. Since a site sets cookies to authenticate you after you log in, an eavesdropper can capture those cookies when you visit any non-login page: unless a cookie was set with the Secure attribute, the browser sends it over plain HTTP just as it would over HTTPS. The cookies can then be used to break into your account, which is called “sidejacking”.

Sidejacking is a well-known attack. What’s not well known is that your accounts on Google, Facebook, et cetera can be hijacked through social widgets, even without you going to these sites. A widget embedded in some other page is fetched from the social site, over HTTP, and that request carries your cookies for the social site along with it. The risk is greatest when you use a public wireless network, which has no extra encryption, like at an airport, library, or coffee shop.

Gary and I are going to demonstrate the two steps needed for an attacker to take control of a Facebook account from a victim who hasn’t visited Facebook. I’ll be the attacker and Gary will be the victim. We think understanding how quickly and easily a nonexpert can compromise your security is important and, of course, Gary has consented to this demo. Otherwise, what I’m about to do might be considered wiretapping where you live and shouldn’t be tried at home.

You can see I’m logged into Facebook as myself right now. In a minute, I’ll be logged in as Gary and posting on his wall, breaking up with his girlfriend, and poking Mark Zuckerberg.

Step one is inspecting the traffic on the network we’re using, which I’m going to do with a program referred to as a “packet sniffer”. I have to tweak the program’s capture options to make sure my wireless card is active and in “promiscuous mode” so traffic besides mine is intercepted. (On most Wi-Fi cards, seeing other stations’ frames actually requires monitor mode, which the same capture options can enable.) I’ll filter out non-web traffic next and start intercepting. Meanwhile, Gary is browsing “reuters.com”. The homepage includes a Facebook widget. I’m going to find the request for the widget in the packet sniffer, where I can copy Gary’s exposed Facebook cookies to my clipboard.

Step two is modifying my cookies, which I’ll be doing with a graphical database interface. Chrome and Firefox keep their cookie database under the “Library” and “Application Support” folders on a Mac; both are SQLite files. I’m going to swap my Facebook cookies with the copy I have of Gary’s. In a request, the Cookie header carries name-value pairs, each name separated from its value by an equals sign and the pairs separated by semicolons, so I’m substituting the copied value for each name. After saving my changes, you’ll see I’m logged into Facebook as Gary.

The Firefox add-on Firesheep used to be able to simplify this attack further by combining the two steps into one.

Our app Disconnect was created to stop third parties and search engines from tracking your browsing and search history. By default, Disconnect already blocks common social widgets that leak your cookies. We want you to be protected when you unblock widgets or go to a social site directly, too, so we’re releasing this “Secure Wi-Fi” feature. Whenever possible, the feature will encrypt the data you exchange with the major sites in Disconnect and related sites such as YouTube, and with their widgets, by upgrading those requests to HTTPS to prevent eavesdropping.

There are browser extensions with similar security functionality. You may’ve heard of NoScript or HTTPS Everywhere. These extensions are powerful but prone to break pages by unintentionally blocking elements, and they aren’t cross-browser compatible. One of our design principles is “don’t break the web”, so we use a bit of clever code to fall back to an HTTP resource when the HTTPS version doesn’t work. We’re also limiting Disconnect to a small, well-tested list of sites, which we plan to expand as we thoroughly test additional sites.

The security feature is available for Firefox and Chrome, with support for encrypting full pages and embedded widgets, and for Safari, with support for encrypting some types of widgets. To get Disconnect, go to “disconnect.me”. And to find out more about the widget vulnerability, go to our blog from there.
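The two steps of the demo above, as an added example that is not part of the original post or of Disconnect’s code: a constructed widget request (made-up hostnames, paths and cookie values) is parsed, its Cookie header is split into name-value pairs, and those values are written into the attacker’s own cookie jar by name. The last function is the defender’s side of the same check: which Set-Cookie headers lack the Secure attribute, and so would be sent on a plain-HTTP widget request like the captured one.

```javascript
// Added example, not Disconnect's code. Hostnames, paths and cookie values
// below are constructed for illustration.

// Constructed sample: the plaintext HTTP request a browser sends for a social
// widget embedded in a news page. The Cookie header is what the sniffer exposes.
const CAPTURED_WIDGET_REQUEST = [
  'GET /plugins/like.php?href=http%3A%2F%2Fwww.reuters.com%2F HTTP/1.1',
  'Host: www.facebook.com',
  'Referer: http://www.reuters.com/',
  'Cookie: datr=abc123; c_user=100000123; xs=deadbeef%3A1; locale=en_US',
  '',
  '',
].join('\r\n');

// Split a raw HTTP/1.1 request into its request line and a lower-cased header
// map. Anything after the blank line (the body) is ignored.
function parseHttpRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, path] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { method, path, headers };
}

// A Cookie header is "name=value" pairs separated by semicolons. Values may
// themselves contain "=", so only the first one splits name from value.
function parseCookieHeader(value) {
  const cookies = new Map();
  for (const part of value.split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq <= 0) continue; // empty or malformed fragment
    cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return cookies;
}

// Step one: pull the victim's cookies out of the captured widget request.
function stealCookies(rawRequest) {
  const req = parseHttpRequest(rawRequest);
  return parseCookieHeader(req.headers['cookie'] || '');
}

// Step two: the attacker's own cookie jar for the same site, with the stolen
// value written in for every stolen name (names the attacker lacked are added).
function substituteCookies(myJar, stolen) {
  const result = new Map(myJar);
  for (const [name, value] of stolen) result.set(name, value);
  return result;
}

// Serialize a jar back into a Cookie header: what the attacker's browser now sends.
function formatCookieHeader(jar) {
  return [...jar].map(([name, value]) => `${name}=${value}`).join('; ');
}

// Defender side: cookies set without the Secure attribute are sent on plain HTTP
// requests such as the widget load above, which is what makes them stealable.
// Returns the names of the cookies that lack it.
function cookiesLackingSecure(setCookieHeaders) {
  const leaking = [];
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const secure = attrs.some((a) => a.toLowerCase() === 'secure');
    if (!secure) leaking.push(pair.slice(0, pair.indexOf('=')));
  }
  return leaking;
}

// Constructed sample of the Set-Cookie headers a login response might carry;
// only "xs" is marked Secure here.
const SAMPLE_SET_COOKIE = [
  'datr=abc123; Expires=Fri, 01 Jan 2016 00:00:00 GMT; Path=/; Domain=.facebook.com',
  'c_user=100000123; Path=/; Domain=.facebook.com; HttpOnly',
  'xs=deadbeef%3A1; Path=/; Domain=.facebook.com; Secure; HttpOnly',
];

// Walk through the demo with the constructed data.
function runDemo() {
  const stolen = stealCookies(CAPTURED_WIDGET_REQUEST);
  const myJar = new Map([['datr', 'mine'], ['c_user', '100000999'], ['xs', 'cafe%3A1']]);
  const hijacked = substituteCookies(myJar, stolen);
  return {
    stolenHeader: formatCookieHeader(stolen),
    hijackedHeader: formatCookieHeader(hijacked),
    leakingCookies: cookiesLackingSecure(SAMPLE_SET_COOKIE),
  };
}

console.log(runDemo());
```

The `hijackedHeader` the demo returns is byte-for-byte the victim’s Cookie header, which is all the site sees when it decides who is logged in. `cookiesLackingSecure` is the check to run against a site’s own login response: every name it returns is one a widget load over HTTP will hand to anyone sniffing the network.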
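The “Secure Wi-Fi” behaviour described above (upgrade requests to a small list of hosts to HTTPS, fall back to the HTTP resource when the HTTPS version doesn’t work), as an added example that is not Disconnect’s own code. The host list and the fake server are assumptions made up for illustration, and the fetcher is injected so the logic runs offline. It goes one step beyond the text in one respect: it falls back only when the HTTPS server answers with an error status, not when the connection or certificate fails, because any automatic fallback is also a downgrade that an on-path attacker could trigger simply by blocking the HTTPS connection.

```javascript
// Added example, not Disconnect's code. The host list and the fake server
// below are assumptions for illustration.

// Hosts (assumed here) known to serve the same content over HTTPS. A host is
// upgraded if it equals an entry or is a subdomain of one.
const UPGRADE_HOSTS = ['facebook.com', 'twitter.com', 'google.com', 'youtube.com'];

function hostOnList(hostname, hosts) {
  return hosts.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Return the https:// form of an http:// URL whose host is on the list, or
// null when the URL should be left alone (not http, not listed, or invalid).
function upgradeUrl(urlString, hosts = UPGRADE_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' || !hostOnList(url.hostname, hosts)) return null;
  url.protocol = 'https:';
  return url.href;
}

// Fetch with upgrade-then-fallback. `fetcher(url)` returns {status, body} or
// throws on a connection or certificate failure. Fallback to the original HTTP
// URL happens only on an error *status* from the HTTPS server (the resource is
// missing or broken there); a thrown failure propagates, so a blocked or
// tampered HTTPS connection cannot silently downgrade the load.
function loadWithFallback(urlString, fetcher, hosts = UPGRADE_HOSTS) {
  const secure = upgradeUrl(urlString, hosts);
  if (secure === null) {
    return { url: urlString, downgraded: false, response: fetcher(urlString) };
  }
  const response = fetcher(secure);
  if (response.status < 400) {
    return { url: secure, downgraded: false, response };
  }
  return { url: urlString, downgraded: true, response: fetcher(urlString) };
}

// Constructed stand-in for the network: which URLs exist and what they return.
// Anything not listed behaves like a failed connection.
const FAKE_SERVER = {
  'http://www.facebook.com/plugins/like.php': { status: 200, body: 'like button' },
  'https://www.facebook.com/plugins/like.php': { status: 200, body: 'like button' },
  'http://widgets.twitter.com/old.js': { status: 200, body: 'old script' },
  'https://widgets.twitter.com/old.js': { status: 404, body: 'Not Found' },
  'http://www.reuters.com/': { status: 200, body: 'news' },
  'http://www.google.com/': { status: 200, body: 'search' },
};

function fakeFetch(url) {
  const hit = FAKE_SERVER[url];
  if (!hit) throw new Error('connection failed: ' + url);
  return hit;
}

// A listed host whose HTTPS copy is missing: upgraded, 404, then fallback.
console.log(loadWithFallback('http://widgets.twitter.com/old.js', fakeFetch));
```

Three outcomes are worth tracing with the fake server: a listed host with a working HTTPS copy is loaded over HTTPS, a listed host whose HTTPS copy returns 404 falls back to HTTP with `downgraded: true` so the page keeps working, and an unlisted host is fetched untouched. The fourth case, a listed host whose HTTPS connection fails outright, throws instead of downgrading; a real extension would surface that as a broken element rather than quietly sending the request in the clear.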

43 thoughts on “Wi-Fi security”

  1. Guys, I appreciate this video, but I don't know who it's for. Someone who wanted all the technical details is better served with a blog post. My non-technical friends, whom I urge to use Disconnect, won't be able to follow this at all.

  2. If you will forgive a suggestion, what a non-technical person needs is a story, not an explanation. Like, you show someone stealing a Facebook login (to emphasize that it's easy, make it a 15-year-old kid), and then show how they are foiled by Disconnect.

  3. There is no way to thank you enough now that the NSA has partnered with big G and big FB to monitor everyone's ars… I hope this app can be turned into the most advanced protection extension tool ever.

  4. Well, a wooden wheel is fully capable of rotating in the same way Formula One does, and yet we don't use wooden wheels in high-tech important equipment. Get your shit straight, no programmer uses Mac.

  5. You either don't program or only program in dot net. Certain of it. Lots of programmers use macs. Tons. Maybe even the majority.

    Google programming and operating systems.

    Also your analogy is shit. All you need on a computer to program is a good text editor, you can compile on any system. On a car tire you need a material that can withstand the physical force so that it does not break.

    You know nothing about this.

  6. I have a question. 🙁 I've been having a problem. For almost 2 weeks my Facebook has not been loading on my laptop, iPad or iPhone, but on other Wi-Fi services I use it is available; it's just at my home. 🙁 Is there anything I can do besides unplug the router, because I already did that?

  7. Do you own the router or does somebody else (e.g. parents) own it? Because in the latter case it is possible to configure a router in such a way that certain websites are blocked. From what you have written, that seems to me to be the most plausible explanation.

  8. Actually, since OS X 10.5 (May 18, 2007 to be exact), it has received UNIX certification. Meaning it is a true UNIX OS.

  9. I dropped Ghostery for Disconnect and am really liking your addon! It creates a good ease of mind, while NOT breaking web pages.
    When I have some money, I'll be sure to donate.

  10. not all hackers use a DOS-like interface computer and type random shit at high speeds and use a headset which they communicate with their base… that only happens in movies…
    and they don't scream "GOT IT!" when they crack the code…

  11. I don't think they're shitty, overpriced for sure. I use both Mac and Windows, I like them both for different reasons.

  12. As one who would fall into your "Non-Technical" friends group I have to respectfully disagree. I hear what you're saying Neil but we N.T.'s understand what happens, so showing this 15 yr old hacking away would neither illuminate nor educate, only reiterate. Whereas what @BrianKennish did was show us something we don't really think will happen to us because we don't really understand how it can. You see NT's as dullards who need tending & spoken down to. I'm thankful Brian doesn't.

  13. I wasn't too impressed with those pay for services. But, I'd love to have a VPN connection. Unfortunately I don't have another computer to use as a server. :-/

  14. From my understanding you can whitelist with Disconnect. You seem knowledgeable about this stuff. Why don't you try it first, and then get back to us. Thanks.

  15. Thanks for an informative video. The sound quality could've been better had you used a clip-on microphone; sometimes you're difficult to understand and I've had to replay several passages.
