Archive for the ‘Uncategorized’ Category

What’s The Deal With Firesheep?

October 28, 2010

Firesheep makes it trivially easy for even non-advanced users to hijack authenticated web sessions transmitted over wifi networks under the following circumstances:

  1. If you’re using a non-https site (e.g. Twitter, Facebook, and lots of others)
  2. If you’re using an https site with poor session management (such as redirecting some of the site to http and transmitting cookies for the authenticated session over http). Lots of sites that use https undermine those protections by mishandling session cookies.

Not using https, or not using good session/cookie management, has been either a calculated, mitigated risk or simply laziness on the part of site designers. For lots of medium-sensitivity sites (like social network sites), users who understand the choice have been OK with not using https as a mitigated risk. Then of course there are lots of users who don’t understand the choice.

The thought process has basically been that it’s hard enough to intercept traffic in most usage scenarios, and the sensitivity of the data is low enough (i.e. it’s not like it’s your banking site), that it’s a good security tradeoff. It’s been regarded as secure enough, and the rate of session hijacking incidents could be expected to remain low.

The availability of something like Firesheep changes this equation considerably on open wifi networks. The rate of session hijacking incidents on sites not using https, or using https with poor session/cookie management, when accessed via open wifi networks can be expected to become much higher in pretty short order.

Open wifi isn’t the problem in particular. Poor website security design is the problem. The same basic risk of interception of sensitive data exists as your web session traffic moves across the various intermediate networks between your computer and the website you’re using. But interception of traffic on those networks is much more difficult and is generally exposed to a much smaller set of potential bad actors. With Firesheep, on open wifi networks the degree of difficulty has been reduced to the point that the risk of session hijacking is much, much higher.
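The two mistakes described above (session cookies that a browser will also send over plain http, and https pages that redirect parts of the site back to http) can both be spotted from a site’s own response headers. The following is an added example, not code from the original post or from the Firesheep project: a small audit routine that takes a constructed https response and flags cookies without the Secure attribute, downgrade redirects to http, and the absence of a Strict-Transport-Security header. The sample responses, the `example.test` host, and the cookie-name heuristic in `SESSION_NAME_HINTS` are all assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample responses, as an https server might return them after login.
# The weak version is what makes a session stealable from an open wifi network;
# the hardened version keeps the session cookie on https only.
WEAK_RESPONSE = {
    "status": 302,
    "headers": [
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),  # no Secure attribute
        ("Set-Cookie", "prefs=dark; Path=/"),                  # harmless preference cookie
        ("Location", "http://example.test/home"),              # redirects back to plain http
    ],
}
HARDENED_RESPONSE = {
    "status": 302,
    "headers": [
        ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "prefs=dark; Path=/"),
        ("Location", "https://example.test/home"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ],
}

# Heuristic (an assumption for this example): cookie names that usually carry a session.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token", "login")

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def looks_like_session_cookie(name):
    """True if the cookie name suggests it identifies an authenticated session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(set_cookie_values):
    """Return (cookie_name, problem) pairs for session cookies a browser would
    also transmit over plain http or expose to page scripts."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()      # one jar per header so same-named cookies do not collide
        jar.load(raw)
        for name, morsel in jar.items():
            if not looks_like_session_cookie(name):
                continue
            if not morsel["secure"]:
                findings.append((name, "missing Secure attribute: browser will send it over http"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly attribute: readable by page scripts"))
    return findings


def audit_response(response):
    """Audit one https response (dict with 'status' and a list of header pairs)."""
    headers = response["headers"]
    findings = audit_set_cookie_headers(v for k, v in headers if k.lower() == "set-cookie")

    # An https page that redirects to http moves the session back into the clear.
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if response["status"] in REDIRECT_STATUSES and location and location.lower().startswith("http://"):
        findings.append(("redirect", "https response redirects to plain http: " + location))

    # Without HSTS the browser will still follow any http link back to the site.
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append(("hsts", "no Strict-Transport-Security header: http requests are not upgraded"))
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label + ":")
        for name, problem in audit_response(response) or [("-", "no findings")]:
            print("  %-10s %s" % (name, problem))
```

Running the script reports three findings for the weak response (the unprotected sessionid cookie, the downgrade redirect, and the missing HSTS header) and none for the hardened one. The same routine can be pointed at real headers captured from your own site to confirm the session cookie never leaves https.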

More information:

http://codebutler.com/firesheep-a-day-later

Categories: Uncategorized

Nice thermal engineering, Dell!

August 19, 2010

This is what it takes to keep my Dell Precision M4400 from going into heat-induced paralysis when the temp hits 95 in Seattle (and that’s a fan-cooled pad it’s sitting on too).

Categories: Uncategorized

Mobile Computing Bill Shock: $685? Are you kidding me?

December 13, 2009

This post is slightly off topic, but it does have some connection to my blog topic of trust, and is something I wanted to speak out about.

I recently had the shock of logging into my mobile provider’s website (T-Mobile) to review and pay my most recent statement, and realized that my current bill which is normally in the $100 range had exploded to $685. This after I had recently changed plans and was expecting my bill to be even smaller than it had been recently.

So I got to looking at the details and realized that the majority of the excess amount resulted from a single charge for “roaming data services”. It was at this point that I remembered that I had made a business trip to Winnipeg during that statement period.

I called my provider to inquire about this charge, and learned that I had been charged a premium rate for data services used while roaming, that the unlimited rates for data and SMS included in my service plan do not cover roaming charges, that I should have known this, and they could have helped me avoid these charges if I had called them prior to international travel. Despite various degrees of complaining, railing, and pleading on my part, they are not going to reduce the charge, and I will have to pay it. They did offer to set up a payment plan for the excess charge to be paid over several billing periods (gee, thanks).

Here’s what’s going on

Mobile providers need to engage in capacity planning. Like any service provider they need to be able to operate their networks with some logical relationship between revenue and cost that results in a profitable business. I have no problem with this.

So for mobile operators this means that providing services for roaming subscribers of other mobile operators is a big unknown in their cost model. They know how many subscribers they have on their own network, and they have lots of usage data that they can use for capacity planning in order to arrive at a logical revenue model that drives what they then charge their subscribers. It’s difficult to know how much roaming usage they need to plan for. The solution is to charge a high wholesale rate to a roaming user’s home operator when they provide services to roaming subscribers. The home operator in turn marks up that wholesale rate to arrive at a retail rate charged to their subscriber, which in my case noted above resulted in a rate in excess of $10 per Megabyte.

The problem is, it appears to me, that this system has become exploitative and predatory in practice. Instead of being a cost/revenue projection problem, it has clearly now turned into a huge revenue stream for mobile operators.

In my mind there are three key elements that make this an egregiously exploitative and predatory business model: first, the wholesale rates being charged are far in excess of the foreign operator’s actual costs; second, the markup being earned by the home operator is excessive; and third, these rates are being paid without any notification to the subscriber at the time of consumption. Is there any other situation where an individual consumer makes a purchasing decision in the range of hundreds to thousands of dollars without knowing he is making that decision? Not many that I know of.

So the European Union has figured out that this is a problematic practice that needs to be addressed. The European Regulators Group has passed regulation, which goes into effect in early 2010, providing limits on wholesale roaming rates, and requiring notification to subscribers when they first initiate a connection subject to a roaming rate. Glad to see this, and hoping to see North American regulation follow suit.

Meanwhile, I’ve determined how to set my phone to avoid roaming for data services. For anybody interested, on a G1 it is as follows:

Settings -> Wireless Controls -> Mobile Networks -> Data roaming (connect to data services when roaming)


Categories: Uncategorized

Some of My Favorite Quotations About Trust

November 25, 2009

  • Let every eye negotiate for itself and trust no agent. – William Shakespeare
  • No way of thinking or doing, however ancient, can be trusted without proof. – Henry David Thoreau
  • Trust not yourself, but your defects to know. Make use of every friend and every foe. – Alexander Pope
  • Watch a cat when it enters a room for the first time. It searches and smells about, it is not quiet for a moment, it trusts nothing until it has examined and made acquaintance with everything. – Jean-Jacques Rousseau
  • You must trust and believe in people or life becomes impossible. – Anton Chekhov
  • Every kind of peaceful cooperation among men is primarily based on mutual trust and only secondarily on institutions such as courts of justice and police. – Albert Einstein
  • Se non è vero, è ben trovato (Translation: “If it’s not true, it’s a good story.”) – Italian Proverb
  • R2-D2, you know better than to trust a strange computer! – C-3PO, in The Empire Strikes Back
  • Trust? You want me to trust you? Do me a favor, Ed, don’t use big words you don’t understand. – Erin Brockovich


Categories: Uncategorized