Firesheep and Sidejacking
Firesheep update 11-15-2010:
-GMAIL and Amazon have since fixed the security of their website and are no longer affected by this exploit.
-Hotmail now gives users the option to turn on HTTPS for Hotmail accounts. To enable this for your account click here.
What is sidejacking?
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
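The mechanism above (a login over HTTPS, then a session cookie sent with every later plain-HTTP request) can be checked from a site's own login response. The following is an added defender-side audit, not code from the original advisory or from Firesheep; the response headers are constructed samples and the cookie names are placeholders.

```python
# Added example (not from the original advisory): audit a login response to
# see which cookies a browser would attach to plain http:// requests.
# A cookie set without the Secure attribute is sent over HTTP as well as
# HTTPS, so once the site "reverts" to HTTP the cookie is broadcast in
# cleartext on an open wireless network and can be replayed (sidejacked).
from http.cookies import SimpleCookie

# Constructed sample responses (header name, header value) from a login page.
VULNERABLE_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),   # no Secure flag
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HARDENED_LOGIN = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),                    # harmless if it grants nothing
]

def parse_set_cookie(headers):
    """Return {cookie name: Morsel} for every Set-Cookie header."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            c = SimpleCookie()
            c.load(value)
            jar.update(c)
    return jar

def cookies_sent_in_clear(headers):
    """Names of cookies the browser would send on an http:// request.

    Only cookies carrying the Secure attribute are withheld from
    unencrypted requests; everything else is exposed to sidejacking.
    """
    jar = parse_set_cookie(headers)
    return sorted(name for name, m in jar.items() if not m["secure"])

def audit(headers):
    """Summarise exposure: cleartext cookies and whether HSTS is set.

    HSTS makes the browser refuse to issue http:// requests to the host
    at all, which removes the HTTPS-to-HTTP reversion the attack relies on.
    """
    hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    return {"exposed_cookies": cookies_sent_in_clear(headers), "hsts": hsts}

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_LOGIN))
    print("hardened:  ", audit(HARDENED_LOGIN))
```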
What is Firesheep?
A Firefox extension designed to demonstrate Sidejacking.
How can users protect themselves against Firesheep?
• Several plugins exist for Firefox that force web connections to use HTTPS wherever the website supports it. This ensures that the connection "stays" secured even after you log in. ITS recommends using Force TLS or HTTPS Everywhere with Firefox. These plugins will protect you from prying eyes while on Loyola's network. For more information, go to Browser Safety: http://luc.edu/uiso/security_tools.shtml
• Use secure networking services over unsecured wireless connections. POP, IMAP and FTP all send sensitive authentication data (such as your username and password) in cleartext, so using them on an unsecured wireless connection can leave you exposed. Using POP or IMAP with your email client, make sure you are using their secure alternatives: POPS and IMAPS. Downloading files via FTP is done in the clear; if your data is sensitive, make sure to use FTPS or SFTP.
• To use the secure alternative of IMAP (IMAPS) with Loyola’s network please visit http://www.luc.edu/its/email_imap.shtml.
• If you have access to the LUC VPN you can leverage the security provided by the encrypted network access to secure all Internet traffic from prying eyes. Any website, email server or FTP site you access via the VPN will be protected.
• Use a secured wireless network, such as a network encrypted with WPA or WPA2. All Internet traffic (such as web, email and FTP services) will be secured from compromise if you leverage wireless encryption.
• NOTE: Do not use WEP encryption with your wireless access points. WEP can be cracked in less than a minute leading to data compromise.
How does it work?
After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you're instantly logged in as them.
That's it. Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Frequently Asked Questions
- 1. Why is Firesheep a problem?
Certain websites, such as Facebook and Twitter, have opted to encrypt only the initial login page and then revert you to an unencrypted session (from HTTPS to HTTP). These websites use "cookies" to keep the state of your connection active. If these cookies are sent in the clear over a wireless network, they can be grabbed by a malicious user and replayed back to the website to impersonate you. The malicious user does not need your username or password.
It is due to insecure practices by these popular websites that this attack, and other attacks like it, is possible.
- 2. How do I secure my browser?
1. If you have a Loyola VPN account, initiate a VPN connection while you are on the wireless network. This will secure ALL network traffic from your computer over the whole wireless network.
   a. If the user is a Faculty/Staff member then a VPN account can be created for them.
   b. If the user is a Student and does not have a pre-existing VPN account we will not be creating a new account. VPN accounts are for Business/Academic use only, not Recreational.
2. While on an unsecured network, Safari and Internet Explorer are vulnerable to the Firesheep exploit. You can use a plugin with Firefox to force your important websites to use HTTPS always. This is a 'stop-gap' solution that can force some web sites to use SSL when they normally wouldn't. Not all websites will support this. The plugins below are for Firefox only. No other browser supports these solutions.
   a. HTTPS Everywhere
      i. This comes with a predefined list of websites for which encryption will be forced. Please look at the last FAQ for the full default list. By installing the plugin you are automatically safe on the supported websites.
      ii. If you are an advanced user you can create your own Ruleset with HTTPS Everywhere to add additional sites outside of the default list. For more information click here
   b. Force TLS
      i. You can create your own list of sites for which you would like HTTPS encryption to be forced, for example Yahoo mail. When using Force TLS you need to create your own list.
         1. Once on Facebook you must click the 'home' button after you log in.
         2. More information can be found here
   c. NoScript
      i. Under Advanced -> HTTPS you can configure your NoScript plugin to force secure HTTPS connections with a list that you provide.
3. Make sure to click log out when you are done with your authenticated web session. By logging out of your session you are thwarting a malicious user attempting to use your cookie to get access to your account.
4. When you are on an unsecured network do not access any confidential/private websites.
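To show what "forcing" HTTPS with a custom HTTPS Everywhere ruleset actually does, here is an added example that is not part of the original advisory or of the HTTPS Everywhere project: a minimal reader for the ruleset XML format, applied to a constructed ruleset for the placeholder domain example.com. It assumes the basic `<target>`/`<rule>` elements only.

```python
# Added example (not the advisory's own material): read an HTTPS Everywhere
# style ruleset and apply it to URLs. A plain http:// request to a listed
# host is rewritten to https:// before it leaves the browser, so the session
# cookie is never sent in the clear. Domain and URLs are placeholders.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML format: each <target> names
# a host the ruleset applies to, each <rule> rewrites a matching URL.
EXAMPLE_RULESET = r"""
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="www.example.com" />
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Return (set of target hosts, list of (compiled pattern, replacement))."""
    root = ET.fromstring(xml_text)
    targets = {t.get("host") for t in root.findall("target")}
    rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]
    return targets, rules

def force_https(url, ruleset):
    """Return the URL the browser would actually request with the plugin active."""
    targets, rules = ruleset
    host = urlsplit(url).hostname
    if host not in targets:
        return url                      # unlisted site: the plugin does nothing
    for pattern, replacement in rules:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url                          # listed host but no rule matched

if __name__ == "__main__":
    rs = load_ruleset(EXAMPLE_RULESET)
    for u in ("http://example.com/home?x=1", "http://other.example.net/"):
        print(u, "->", force_https(u, rs))
```

A site not in your ruleset is left untouched, which is why the advisory stresses that these plugins only protect the sites you have listed.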
- 3. Where am I vulnerable?
If you are on any unsecured wireless network and accessing a website that reverts from HTTPS back to HTTP, you are vulnerable to this attack. Loyola's wireless network is unsecured, as are many coffee shops, airports, and even your home network.
- 4. How can I protect myself at home?
Use WPA2 Pre-Shared Key (PSK) encryption on your wireless network. Not only will this keep malicious people out of your network, it will also ensure that no one can ‘snoop’ on your wireless conversation. The UISO will be providing you with specific details of how to configure the most popular wireless access points to leverage WPA2 Pre-Shared Key encryption.
- 5. What is Loyola doing?
In the short term Loyola is providing the user community with the above recommendations. In the mid-term Loyola is looking to implement a secured wireless network on Campus. Wireless security thwarts the attempt to listen to cleartext wireless traffic.
- 6. Can I use SheepHerder?
No! SheepHerder fights the Firesheep plugin by executing a denial of service attack against the wireless network. This will affect the productivity of the wireless network at Loyola and is specifically prohibited by the Acceptable Usage Policies.
- 7. What are the known websites vulnerable to Firesheep?
Amazon, Basecamp, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo and Yelp. The plug-in can easily be modified to compromise additional websites that are not part of the original list. ANY WEBSITE THAT REVERTS FROM HTTPS TO HTTP IS VULNERABLE.
- 8. What websites are included in HTTPS Everywhere's default list?
Amazon, DuckDuckGo, EFF, Facebook, GMX, Google Search, Google APIs, GoogleServices, Identica, Ixquick, Live, Mail.com, Meebo, Microsoft, Mozilla, NL Overheid, NYTimes, PayPal, Scroogle, Torproject, Twitter, WashingtonPost, Wikipedia, WordPress.com, GentooBugzilla, Noisebridge, Zoho
To update the list visit https://www.eff.org/https-everywhere/rulesets