Unless you’ve been hiding under a rock for the past few days, you are probably well aware of the recent activity around a new Firefox extension developed by a pair of researchers that brings the issue of session hijacking front and center. The duo behind this extension, Eric Butler and Ian “craSH” Gallagher, developed the software in order to demonstrate the vulnerabilities inherent in many web sites that don’t fully implement encryption. The browser extension, dubbed “Firesheep“, essentially enables an attacker to grab other people’s credentials and use them to gain access to various web sites.
As Butler explains on his blog, “When logging into a Website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests”.
While it is very common for many websites to encrypt your initial logon and protect your password, that is typically where the protection stops. In other words, they’ll encrypt the initial login, but then leave the rest of the traffic unencrypted. Since the rest of the communication is unencrypted, the user’s cookie is left vulnerable. Through a technique known as HTTP session hijacking (also known as “sidejacking”), an attacker gains access to the user’s cookie and can then access the resources of that website while masquerading as that user.
What Firesheep does is essentially snoop the traffic on the network for these important cookies and allows an attacker to log into sites such as Twitter and Facebook with the simple click of a mouse. Once they have the cookie, they basically have full reign over the account and are pretty much free to do whatever they want.
Now there seems to be a great deal of misinformation spreading pretty virulently about this particular issue, so I’d like to take a moment to set the record straight so that everyone will understand the true nature of this vulnerability.
First off, this is not an issue in which only wireless networks are vulnerable. Surprisingly enough, there are some pretty respectable names in the industry propagating this misinformation – everybody from the infamous Bruce Schneier to Brian Krebs, and even Eric Butler himself. Perhaps the reasons for these misconceptions are because it is just so much easier to exploit this vulnerability on wireless networks or perhaps it’s because many people are simply not aware that switched networks can be compromised as well.
Whatever the reason may be, the fact of the matter is that this vulnerability can be exploited on both wired AND wireless networks. On wired networks it does take quite a bit of extra work, which might explain the widespread belief that this is something only prevalent on wireless networks. Wired networks can be subjugated through a technique known as ‘ARP Spoofing’ which can be done with a wide variety of tools such as Dsniff or Ettercap.
Second, this particular vulnerability doesn’t just affect OPEN wireless networks. In fact, any wireless network in which the wireless encryption key has been compromised can fall victim to this attack. If you think that WEP encryption offers any protection against this you would be wrong. Once an attacker has subjugated the WEP key, your HTTP sessions could still be compromised.
Finally, there seems to be an impression by a majority of people that this is some type of new exploit. In fact HTTP Session Hijacking is not a new attack vector and has been known to exist since 2004. The author’s have merely streamlined the process by incorporating it into a simple browser plug-in which makes it simple for anyone with even the most basic networking knowledge to accomplish. Without tools like this, an attacker would need to sniff the traffic, parse through it to grab the HTTP session keys, and understand how to bring those session keys into the web browser to complete the exploit.
So now that we’ve managed to clear the air and hopefully eliminate some of the false information that is circulating, what can you do to secure your traffic? The only truly effective fix for these problems are for web sites to implement full end-to-end encryption using HTTPS, but that doesn’t seem to be happening anytime soon. In the mean time, if you are a Firefox user, a fantastic plug-in called HTTPS Everywhere will rewrite all your requests to HTTPS, thereby encrypting your communications (Ahem… you are using Firefox aren’t you?). If for some reason you just can’t seem to get away from using Internet Explorer, you can still encrypt your communications using an application like TOR which encrypts the data between your computer and any one of a number of TOR exit nodes.
By the way, in case you are interested, Firesheep is named after the famous Wall of Sheep at Defcon, which displays selected details of unencrypted logins and other sessions over the event’s Wi-Fi network from people who, by attending Defcon, should know better than to ever send anything unencrypted over a public Wi-Fi network.