Firesheep: What’s the hype?
Recently, a new Firefox extension called Firesheep was released. If you haven't heard about it yet, I am sure you will soon. If you are interested, a quick Google search will pull up many details. There have been a lot of blog posts and other articles written about this new tool, some good, some very inaccurate. So what is all the talk about this tool? Is it as bad as it appears?
What does it do?
Firesheep takes the work out of session hijacking on many popular social networking type sites (see Session Hijacking below). When a user logs into Facebook or many other sites, they log in over a secure connection (https:). This is, of course, to protect your password from being sent in clear text across the network for an attacker to grab. Once you are logged in successfully, many sites switch the user back to an unsecured connection (http:). The idea is to increase performance, because the server no longer has to do the encryption work.
Firesheep puts an easy-to-use interface on a packet sniffer designed to look for specific traffic. That traffic is not passwords; it is cookies. The tool looks for the session cookies once the site drops back down to an unsecured channel. When it finds a cookie, it accesses the active session and pulls down an image (if available) and the user's name from the site the cookie belongs to. These items are then displayed in a sidebar. When the user double-clicks an account, the browser navigates to that site as that user, taking over their session.
It is important to note that this tool takes advantage of a website's inability to secure all of its traffic. If these sites implemented SSL on all pages, this would not even work.
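The check a site operator would want here is whether its own responses leave the session cookie exposed to plaintext traffic. The following Python script is an added example, not code from the original post or from Firesheep: it parses Set-Cookie headers from a constructed response and reports every cookie that a browser would also attach to an http: request, plus the absence of an HSTS header. The header lists, the function names (parse_set_cookie, audit) and the session-name heuristic are all assumptions made for this example.

```python
# Added example (not from the original post): audit the Set-Cookie and HSTS
# headers of an HTTP response and report cookies a browser would also send
# over plaintext http:. The header lists below are constructed, not captured
# from any real site; parse_set_cookie/audit are names chosen here.
from dataclasses import dataclass, field

# Constructed "login over https, then browse over http" response: the session
# cookie has no Secure attribute, so it is sent on every http: request too.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9c1a7e; Path=/; HttpOnly"),
    ("Set-Cookie", "admin_session=9b2d0c4e; Path=/account; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed hardened response: HSTS plus Secure on every cookie.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=3f9c1a7e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]

# Name fragments that usually mark an authentication cookie (assumption).
SESSION_HINTS = ("sess", "auth", "token", "login")


@dataclass
class CookieInfo:
    name: str
    secure: bool = False
    http_only: bool = False
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into its name plus attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    info = CookieInfo(name.strip())
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info.secure = True
        elif key == "httponly":
            info.http_only = True
        elif has_value:
            info.attrs[key] = val.strip()
    return info


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit(headers):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    names = {k.lower() for k, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header: the browser will "
                        "follow http: links to this site in plaintext")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if not c.secure:
            findings.append(f"cookie {c.name!r} lacks Secure: it travels on "
                            "every plaintext http: request")
        if looks_like_session(c.name) and not c.http_only:
            findings.append(f"cookie {c.name!r} lacks HttpOnly: page scripts "
                            "can read it")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or ["ok"])
```

The design point the audit encodes: serving every page over SSL is necessary but the cookie itself must also carry the Secure attribute, otherwise a single http: link or image on the site (or one typed by the user) still causes the browser to send the session id in the clear. HSTS closes the remaining gap by making the browser upgrade http: requests to https: on its own.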
What is the hype?
The hype is that the tool lets my mother do something she would normally have no idea how to accomplish. Users can hijack sessions with no knowledge of how that concept even works. The impact really depends on the site being hijacked. Some sites, like Amazon, may let you cross between secure and non-secure sessions, but to do any administrative functions on your account you need a secure session id, and this id is not available during the non-secure communications. Other sites might make you re-authenticate before doing things like changing your password, but might let you post items or send/read emails. The tool targets very well known, widely used sites. Sites like Google, Amazon, bit.ly, and Facebook are used by millions of users every day. As mentioned, some of these have a greater impact than others. Does this mean you should stop using the sites? No, but we need to push these operators to take security seriously and implement safeguards to protect our information.
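The two-tier session design described above for Amazon-style sites, shown in Python as an added example (this is not the post's code and not any site's real implementation): a browsing session cookie that is allowed over http:, and a separate Secure-only cookie that must be present, and must have arrived over https:, before any account-changing action is served. The cookie names, the SessionStore class, the handle function and the list of sensitive paths are assumptions made for this example; browser_cookies_for models the standard browser rule that a Secure cookie is only attached to https: requests.

```python
# Added example (not from the original post): a browsing session that may
# travel over http: and a separate Secure-only session required for account
# changes. All names here are assumptions for the example.
import secrets
from dataclasses import dataclass

BROWSE_COOKIE = "session"        # no Secure attribute: sent over http and https
ADMIN_COOKIE = "secure_session"  # Secure attribute: browser sends it over https only

# Paths that require the Secure-only tier (assumption for the example).
SENSITIVE_PREFIXES = ("/account/", "/orders/")


class SessionStore:
    """Server-side map of random tokens to (user, tier)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # Fresh, unpredictable tokens on every login; never derived from user data.
        browse = secrets.token_urlsafe(32)
        admin = secrets.token_urlsafe(32)
        self._sessions[browse] = (user, "browse")
        self._sessions[admin] = (user, "admin")
        return {BROWSE_COOKIE: browse, ADMIN_COOKIE: admin}

    def lookup(self, token):
        return self._sessions.get(token)


@dataclass
class Request:
    scheme: str     # "http" or "https"
    path: str
    cookies: dict


def handle(store, req):
    """Return (status, body). Sensitive paths need the admin tier over https."""
    if req.path.startswith(SENSITIVE_PREFIXES):
        if req.scheme != "https":
            return (403, "sensitive action requires https")
        entry = store.lookup(req.cookies.get(ADMIN_COOKIE, ""))
        if entry is None or entry[1] != "admin":
            return (401, "re-authentication required")
        return (200, f"account page for {entry[0]}")
    entry = store.lookup(req.cookies.get(BROWSE_COOKIE, ""))
    if entry is None:
        return (200, "anonymous page")
    return (200, f"browsing as {entry[0]}")


def browser_cookies_for(issued, scheme):
    """Model of browser Secure-attribute handling: the Secure cookie is only
    attached when the request goes out over https."""
    sent = {BROWSE_COOKIE: issued[BROWSE_COOKIE]}
    if scheme == "https":
        sent[ADMIN_COOKIE] = issued[ADMIN_COOKIE]
    return sent


def demo():
    """Returns the status codes of three requests: the user's own http
    browsing, a replay of those plaintext cookies against an account page,
    and the user's own https request to the same account page."""
    store = SessionStore()
    issued = store.login("alice")
    on_the_wire = browser_cookies_for(issued, "http")  # all that plaintext ever carried
    own_browse = handle(store, Request("http", "/home", on_the_wire))
    replayed = handle(store, Request("https", "/account/settings", on_the_wire))
    own_admin = handle(store, Request("https", "/account/settings",
                                      browser_cookies_for(issued, "https")))
    return own_browse[0], replayed[0], own_admin[0]


if __name__ == "__main__":
    print(demo())  # browsing works, replayed cookies get 401, real https gets 200
```

The browsing session is still exposed on a hotspot, exactly as the post says, but the token that unlocks account changes never appears in plaintext, so a captured browsing cookie cannot be escalated into a password change or an address change.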
Where does this work?
The most obvious place for this to work is a location with public Wi-Fi. When you connect to a public Wi-Fi hotspot, all the traffic you send can be sniffed by other computers on that same hotspot. Depending on the type of hardware being used, this could also be done on wired connections, possibly at home or in the office.
What can I do to protect myself?
Be careful about what you are viewing when on public networks. Some experts have said to use a VPN service so that all of your traffic is encrypted. There are a few choices available for less than $10 a month. There are also other Firefox extensions that can force a secure connection on these sites. The problem with these extensions is that the site may not support secure connections everywhere, and it may not behave properly. At the moment, I am not aware of any Internet Explorer extensions that can help protect against this.
Session Hijacking
The Web is stateless, meaning that every time you click a link or visit a different page on a website, the server has no knowledge of your previous visits. To get around this, web developers use cookies to maintain state between page visits. One or more of these cookies will contain a unique session id that identifies your authenticated session. This is exactly why you don't have to enter your password for every page you visit, or why your shopping cart items are still there between visits. These session ids are like a temporary password. If someone were to get their hands on your session id during an active session, they could use it to access your session.
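Because the session id is a temporary password, the server-side signal of a hijack is the same id suddenly being presented by a second client while the first one is still active. The following Python is an added example, not code from the original post: it runs that heuristic over a few constructed access-log lines. The log format (timestamp, client address, sid=..., ua="...", method, path), the ten-minute window and the Alert/Event names are assumptions made for this example.

```python
# Added example (not from the original post): a detection heuristic for
# hijacked sessions, run over constructed access-log lines. A session id that
# starts being used by a second client (address + User-Agent) while the first
# client was active within the window is flagged. The log format
# 'ts ip sid=... ua="..." METHOD path' is an assumption for this example.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log: one user browses from 10.0.0.12, then the same session id
# is presented from 10.0.0.44 with a different browser build seconds later.
SAMPLE_LOG = """\
2010-10-25T14:00:01Z 10.0.0.12 sid=3f9c1a7e ua="Firefox/3.6" GET /home
2010-10-25T14:00:09Z 10.0.0.12 sid=3f9c1a7e ua="Firefox/3.6" GET /messages
2010-10-25T14:00:15Z 10.0.0.44 sid=3f9c1a7e ua="Firefox/3.6.10" GET /home
2010-10-25T14:00:20Z 10.0.0.44 sid=3f9c1a7e ua="Firefox/3.6.10" POST /status
2010-10-25T14:01:02Z 10.0.0.80 sid=77aa00bb ua="Safari/533" GET /home
2010-10-25T14:01:30Z 10.0.0.80 sid=77aa00bb ua="Safari/533" GET /cart
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) ua="([^"]*)" (\S+) (\S+)$')


@dataclass
class Event:
    time: datetime
    ip: str
    sid: str
    ua: str
    request: str


@dataclass
class Alert:
    sid: str
    time: datetime
    new_client: tuple       # (ip, user_agent) that newly presented the id
    active_clients: list    # other clients seen with the id inside the window
    request: str


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, sid, ua, method, path = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, sid, ua, f"{method} {path}"))
    return events


def find_shared_sessions(events, window=timedelta(minutes=10)):
    """Alert once per (session id, new client) when another client used the
    same id within `window` before the new client's first request."""
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev.sid].append(ev)
    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e.time)
        last_seen = {}  # (ip, ua) -> time of that client's latest request
        for ev in evs:
            client = (ev.ip, ev.ua)
            if client not in last_seen:
                active = [c for c, t in last_seen.items() if ev.time - t <= window]
                if active:
                    alerts.append(Alert(sid, ev.time, client, active, ev.request))
            last_seen[client] = ev.time
    return alerts


if __name__ == "__main__":
    for alert in find_shared_sessions(parse_log(SAMPLE_LOG)):
        print(f"{alert.time:%H:%M:%S} session {alert.sid} newly used by "
              f"{alert.new_client} ({alert.request}); also active: {alert.active_clients}")
```

Two caveats a practitioner should keep in mind. On a public hotspot both the victim and a second machine usually sit behind the same NAT address, so the server sees one IP for both and the User-Agent becomes the only cheap distinguishing signal; a laptop moving between Wi-Fi and a wired network, or a phone switching to cellular, will also trip this rule, so it is a lead to investigate and a trigger for re-authentication rather than proof of a hijack. Rotating the session id on login and on any privilege change keeps the window of exposure short.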