Firesheep Highlights WiFi Insecurity

By: Absolute Team | 11/5/2010

A new Firefox extension, Firesheep, has captured the news lately. Firesheep is a simple way to exploit browser cookies to let anyone snoop on other people's password-"protected" sites. The extension was released as a demonstration of how dangerous it is to allow this form of authentication in the hopes that popular websites will instead opt for end-to-end encryption.

How it works:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy....

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. Double-click on someone, and you're instantly logged in as them.

Using public Wi-Fi is always risky, and this new extension just demonstrates that by making it even more simple for people to get at your personal information. This is not a new exploit or trick, just a way to draw attention to a large and as-yet overlooked issue.

How to protect yourself:

  1. Sign into websites using a secure address - https - you'll find websites such as Facebook have this option, so check your bookmarks to ensure you're using the https URL
  2. Use and configure the Force-TLS Firefox extension so that your browser automatically re-loads http sites as https
  3. Always log out of secure sites, particularly before joining any public wireless networks

Via Digital Life

Financial Services