• Blogroll

  • DevelopSec

• Archives

  • March 2024
  • December 2023
  • January 2023
  • August 2022
  • February 2020
  • October 2019
  • May 2019
  • June 2018
  • November 2017
  • June 2017
  • February 2017
  • October 2016
  • September 2016
  • May 2016
  • February 2016
  • January 2016
  • November 2015
  • October 2015
  • September 2015
  • April 2015
  • October 2014
  • August 2014
  • December 2013
  • November 2013
  • October 2013
  • July 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • September 2012
  • August 2012
  • July 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • September 2011
  • July 2011
  • June 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • April 2010
  • February 2010
  • January 2010
  • December 2009
  • October 2009
  • August 2009
  • April 2009
  • March 2009
  • January 2008
  • December 2007
  • October 2007

Firesheep: What’s the hype?

Recently, a new FireFox extension was released called FireSheep. If you haven’t heard about it yet, I am sure you will soon. If you are interested in it, a quick google search will pull up many details. There has been a lot of blogs and other articles written about this new tool, some good, some very inaccurate. So what is all the talk about this tool? Is it as bad as it appears?

What does it do?
Firesheep takes the work out of session hijacking of many popular social networking type sites (see Session Hijacking Below). When a user logs into Facebook or many other sites, they log in via a secure connection (https:). This is, of course, to protect your password from being sent in clear text across the network for an attacker to grab. Once you are logged in successfully, many sites will switch the user back over to an un-secure connection (http:). The idea here is to increase performance because there is no need to deal with the security (encryption).

Firesheep puts an easy to use interface onto a packet sniffer designed to look for specific traffic. This traffic is not Passwords, it is cookies. The tool looks for the session cookies, once the site drops back down to an un-secure channel. Once it finds the cookie it accesses the active session and pulls down an image (if available) and the user’s name from the site the cookie is for. These items are then displayed in a side bar for the user. When the user double-clicks an account, it navigates to that site as that user taking over their session.

It is important to note that this tool takes advantage of a websites inability to secure all of its traffic. If these sites implemented SSL on all pages, this would not even work.

What is the hype?
The hype is that the tool allows my mother to do something that she would normally have no idea how to accomplish. Users can session hijack with no knowledge of how that concept even works. The impact of this really depends on the site being hijacked. Some sites, like Amazon, may let you cross between secure and non-secure sessions, but to do any administrative functions for your account, you need a secure session id. This id is not available during the non-secure communications. Other sites might make you re-authenticate before doing things like changing your password, but might let you post items or send/read emails. The tool targets very well known, widely used sites. Sites like Google, Amazon, bit.ly, and Facebook are used by millions of users every day. As mentioned, some of these have a greater impact than others. Does this mean stop using the sites? No, although we need to push these operators to take security seriously and implement safeguards to protect our information.

Where does this work?
The most obvious place for this to work is in a location with public wi-fi available. When you connect to a public wi-fi hotspot, all the traffic you send can be sniffed by all other computers on that same hotspot. Depending on the type of hardware being used, this could also be done on wired connections as well, possibly at home or in the office.

What can I do to protect myself?
Be careful about what you are viewing when on public networks. Some experts have said to use a VPN service so all of your traffic is encrypted. There are a few choices available that are less than $10 a month. There are also other Firefox extensions that can force a secure connection on these sites. The problem with these extensions is that it may be possible that the site doesn’t support secure connections everywhere and it may not act properly. At the moment, I am not aware of any Internet Explorer extensions that can help protect against this.

Session Hijacking
The Web is stateless, meaning that every time you click a link or visit a different page on the website, the server doesn’t have any knowledge of previous visits. To get around this barrier, web developers use cookies to maintain state between page visits. One, or more, of these cookies will contain a unique session id that identifies your authenticated session. This is exactly why you don’t have to enter your password for every page you visit, or why your shopping cart items are still there between visits. These session ids are like a temporary password. If someone were to get their hands on your session id, during an active session, they could use it to access your session.

Comments

• Follow Us

  

  

  

  
  
  
  

• Recent Posts

  • Securing the Forms Authentication Cookie with Secure Flag
  • Does ASP:Textbox TextMode Securely Enforce Input Validation?
  • Disabling SpellCheck on Sensitive Fields
  • What is the difference between encryption and hashing?
  • XmlSecureResolver: XXE in .Net