[LINK] Firesheep

stephen at melbpc.org.au stephen at melbpc.org.au
Fri Feb 18 21:35:41 AEDT 2011



When logging into a website, you usually start by submitting your 
username and password. 

The webserver then checks to see if an account matching this information 
exists, and if so, replies back to you with a "cookie" which is used by 
your browser for all subsequent requests. 

It's extremely common for websites to protect your password by encrypting 
the initial login, but surprisingly uncommon for websites to encrypt 
everything else. 

This leaves the cookie (and the user) vulnerable. 

HTTP session hijacking (sometimes called "sidejacking") is when an 
attacker gets a hold of a user's cookie, allowing them to do anything the 
user can do on a particular website. 

On an open wireless network, cookies are basically shouted through the 
air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet 
very popular websites continue to fail at protecting their users. 

The only effective fix for this problem is full end-to-end encryption, 
known on the web as HTTPS or SSL. 

Facebook is constantly rolling out new "privacy" features in an endless 
attempt to quell the screams of unhappy users, but what's the point when 
someone can just take over an account entirely? 

Twitter forced all third party developers to use OAuth, then immediately 
released (and promoted) a new version of their insecure website. 

When it comes to user privacy, SSL is the elephant in the room.

Today I announced the release of Firesheep, a Firefox extension designed 
to demonstrate just how serious this problem is.

After installing the extension you'll see a new sidebar. Connect to any 
busy open wifi network and click the big "Start Capturing" button. Then 

As soon as anyone on the network visits an insecure website, known to 
Firesheep, their name will be displayed.

Double-click on someone, and you're instantly logged in as them.

Firesheep is free, open source, and is available now for Mac OS X and 
Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their 
services. They've been ignoring this responsibility for too long, and 
it's time for everyone to demand a more secure web. 

My hope is that Firesheep will help the users win. 

Eric Butler 


Firesheep: https://github.com/codebutler/firesheep#readme


Wikipedia says: http://en.wikipedia.org/wiki/Firesheep

Firesheep is an extension developed by Eric Butler for the Firefox web 

The extension uses a packet sniffer to intercept unencrypted cookies from 
certain websites (such as Facebook and Twitter) as the cookies are 
transmitted over (eg, WiFi) networks, exploiting session hijacking 

It shows the discovered identities on a sidebar displayed in the browser, 
and allows the user to instantly take on the log-in credentials of the 
user by double-clicking on the victim's name.

The extension was created as a demonstration of the security risk to 
users of web sites that only encrypt the login process and not the cookie 
created during the login process.

It has been warned that the use of the extension to capture login details 
without permission would violate wiretapping laws and/or computer 
security laws in some countries. 

Despite the security threat surrounding Firesheep, representatives for 
Mozilla Add-ons have stated that it would not use the browser's internal 
add-on blacklist to disable use of Firesheep, as the blacklist has only 
been used to disable spyware or add-ons which inadvertently create 
security vulnerabilities, as opposed to attack tools (which may 
legitimately be used to test the security of one's own systems).

Counter-measures: Multiple methods exist to counter Firesheep's 
activities, such as preventing packet sniffing by using an HTTPS 
connection; however, since many sites restrict the use of HTTPS to only 
web login, the end user would have to resort to a corporate Virtual 
Private Network or implement a personal VPN (for example via OpenVPN) to 
a home PC to encrypt absolutely all the data transmitted over the Wi-Fi 

Connecting to a wifi network with a password offers varying levels of 
security. Using a Wired Equivalent Privacy (WEP) password, the attacker 
running Firesheep must have the password, but once this has been achieved 
(a likely scenario if a coffee shop is asking all users for the same 
basic password) they are able to decrypt the cookies and continue their 
Firesheep attack. However, using Wi-Fi Protected Access (WPA) encryption 
offers individual user isolation, preventing the attacker from decrypting 
any cookies sent over the network even if they have logged into the 
network using the same password. An attacker would be able to manually 
retrieve and decrypt another user's data on a WPA-PSK connection, if the 
key is known.

Another Firefox extension known as BlackSheep, developed by Zscaler, was 
also created as a counter for Firesheep. BlackSheep works by sending fake 
session data for Firesheep to detect, and promptly warning the user if a 
computer running the extension is detected. The extension itself is 
partially based on FireSheep's code.

A program called Fireshepherd can be installed to run on your computer. 
It periodically sends out overwhelming amounts of data, aiming to 
overload and crash running instances of Firesheep on computers that are 
on the same network. Fireshepherd has been accused of not improving 
security and potentially putting unwanted load on Facebook.



More information about the Link mailing list