How to Protect Yourself from Network Sniffing
The kind of network sniffing demonstrated here is something anyone can do without much experience. As Mike from the password video points out: "Technology is like a gun. You can use it for good, to hunt for your family, or you can use it for bad, to rob a store." This dissection of Wireshark is aimed at education, but the fact is, anyone interested in using Wireshark for skeezy purposes need only spend a few minutes on YouTube to dig up the same information.
So now that you have a better idea of how easy it can be for anyone on the same network as you to poke around and potentially sniff out your passwords, cookies, and so on, what can you do about it? Here's a quick rundown of some of your best bets, from least practical or effective to most effective.
Avoid working on the same network as people you don't trust: The kind of network sniffing we've demonstrated here can only be done by people on the same network as you. Keep in mind that it doesn't even have to be an open Wi-Fi network—coworkers on your password-protected work network can sniff your packets just as easily as someone at your local coffee shop. The catch: You probably don't want to be limited to only using the internet when you're at home or on a network where you trust everyone.
Always use HTTPS: A lot of sites—like Facebook and Gmail—have made HTTPS the default connection, and as we explained earlier, packet sniffing won't reveal your password or cookies on a properly encrypted HTTPS connection. Other sites support HTTPS but don't make it the default, which means you often have to manually type in https:// before the rest of your URL. Some of those sites, like Twitter, allow you to set your account to always use HTTPS (for Twitter, go to your Account settings and tick the Always use HTTPS checkbox at the bottom of the page). Some sites don't offer an Always use HTTPS setting, which is where HTTPS-forcing browser extensions come in. The most popular is probably the HTTPS Everywhere extension for Firefox (written by the Electronic Frontier Foundation). This extension automatically directs your browser to the HTTPS version of over 1,000 sites. The catch with HTTPS Everywhere is that it only redirects sites in its list, so if you'd like to be able to redirect any site to HTTPS, you may want to check out Force-TLS for Firefox or HTTPS Everywhere for Chrome. Both of these extensions allow you to add new sites to the automatic HTTPS redirect.
The Catch: First, lots of sites still don't support HTTPS at all, and others only support it for logins (meaning your password is safe, but your session cookie isn't). On a separate technical note, Eric Butler (the developer of Firesheep) noted last year that some sites don't correctly support HTTPS anyway, and on those sites, in order to get the full benefits of HTTPS, you'd need to manually type out the https:// part every time you visit:
Some sites support full encryption everywhere, but don't implement it properly by failing to set the "Secure" flag on authentication cookies, negating most of the benefits and leaving users at risk. What that means is that any time you type the URL (e.g. "manage.slicehost.com") into your web browser (without explicitly typing https:// beforehand, which people rarely do) you will inadvertently leak your cookies with that first request, prior to being redirected to the HTTPS page. Slicehost and Dropbox are good examples of this mistake.
Use a VPN or SSH Proxy (BEST OPTION): A VPN or SSH tunnel will act as the middleman between your computer and the dubiously secure servers on the internet so that everything sent between your computer and your VPN or SSH server will be encrypted—in effect encrypting all traffic that someone on your current network might want to try sniffing. I'm not going to show you how to set up a VPN or SSH server here, but I will point you in the direction of some good do-it-yourself options: If you happen to already pay for access to a web server to which you have SSH access, you can use that to encrypt your web browsing session with an SSH SOCKS proxy. If you don't feel like paying, you could set up your own personal home SSH server. If you're willing to pay just a little, you can get an Amazon EC2 instance with SSH access for around $0.50/month or pay $1 one time for access to Silence is Defeat.
For another free option, check out our guide to secure and encrypted web browsing on public networks with Hamachi and Privoxy.
Android users should check our guide to encrypting all internet use on your Android phone.
If you're on a Mac, I'd highly recommend installing previously mentioned Sidestep. The app automatically reroutes your traffic through a secure proxy whenever you connect to an open Wi-Fi network, and you can also turn it on any time you want from its drop-down in the Mac menu bar.
The Catch: The biggest hole in this option is that at some point along the line, your VPN or SSH proxy needs to submit the unencrypted version of a request to the web server, so if there were someone sniffing packets on the same network as your VPN or SSH server, they could sniff out the unencrypted data going between the middleman and the web server.
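To make the "Secure" flag catch under Always use HTTPS concrete, here is an added example (not part of the original article) that models which cookies a browser attaches to a first plain-HTTP request, the one a sniffer on the same network can read before any redirect to HTTPS. The host name, cookie names and values are constructed, and path matching is ignored for brevity.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie header value into the fields this check needs."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,          # flag attribute, no value
        # Without a Domain attribute the cookie is host-only.
        "domain": domain or origin_host.lower(),
        "host_only": not domain,
    }

def domain_matches(cookie, host):
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    return [c["name"] for c in jar
            if domain_matches(c, u.hostname)
            and (u.scheme == "https" or not c["secure"])]

def leaked_on_plain_http(jar, host):
    """Cookies exposed when the user types the host without https://."""
    return cookies_sent(jar, "http://" + host + "/")

# Constructed sample: Set-Cookie headers from an HTTPS login response.
SAMPLE_HOST = "manage.example.com"
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",           # no Secure: leaks
    "auth_token=def456; Path=/; Secure; HttpOnly",   # Secure: withheld on http
    "prefs=dark; Domain=example.com; Path=/",        # no Secure, whole domain
]
JAR = [parse_set_cookie(h, SAMPLE_HOST) for h in SAMPLE_HEADERS]

if __name__ == "__main__":
    print("sent over http :", leaked_on_plain_http(JAR, SAMPLE_HOST))
    print("sent over https:", cookies_sent(JAR, "https://" + SAMPLE_HOST + "/"))
```

Any authentication cookie that shows up in the plain-HTTP list is one the site should be setting with the Secure flag.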