Secure Your PC and Website From Firesheep Session Hijacking

A couple of weeks ago, a tricky new Firefox plug-in called Firesheep made hijacking someone's Web browsing session point-and-click simple. You should take extra precautions to ensure that nobody hacks into your online accounts when you surf on public Wi-Fi networks.

Let's examine the issue, and take a look at what you can do as both an end user and a Webmaster.

How Firesheep Works

The Firesheep plug-in listens on the network and looks for any traffic that contains a cookie, a small bit of information that a Website sends to a visitor once they have started a session (the session could begin after you have logged in, or in some cases as soon as you start browsing an online store). By eavesdropping on someone else's cookie, the Firesheep user can jump into that person's session without necessarily hacking into the other person's computer.

Firesheep comes with several templates for observing the cookies of major social networking and e-commerce sites, but it is configurable to intercept cookies from any Website that hands them out. So even if your business's Website isn't among the supported ones in Firesheep today, your Web users may still become victims of session hijacking.

Why Cookies?

Many people don't understand the need for cookies. An analogy can help. Let's say you call a company's tech support hotline. You typically wait several minutes until connecting to an agent. The representative asks some authentication questions, requesting items such as your product's serial number, the date of purchase, and a support contract number. After they have confirmed these details, they issue you an incident ID (or ticket number) for the call. When you call tech support again in the future, you can use this ID to skip the authentication steps and avoid repeating your information to the agent.

Once the support agent is convinced that you are a valid customer, you have logged on to the tech support system (albeit with a telephone instead of a keyboard), and the ticket number is merely a reference for future phone calls. In much the same way, when a Website issues a cookie, its value is usually a random collection of letters and numbers, and does not directly contain any sensitive information (such as your password).

HTTP, the protocol used on the World Wide Web, is a connectionless protocol. That means that you (or your Web browser) can ask a question and receive an answer--and that's it. The next time you ask a question, it is as if the Website had never heard from you before. Imagine how annoyed you would be if, after having your tech support call dropped, you called back and had to explain your issue all over again and prove to the agent that you were a valid customer.

Through the use of a cookie, a Website can ask you just once for your username and password, and then provide you with a ticket number that you can present multiple times without being prompted for your password. Without cookies, you'd have to log in every time you clicked a link on Amazon.com or any other shopping site.

Stealing Cookies

Now, continuing the analogy, let's assume that you are calling tech support on a speakerphone in a crowded coffee shop. Alice, sitting at the table next to you, writes down the ticket number that the agent provides you. You could hardly indict Alice as evil; she just listened as you conducted your call on speakerphone, while other people ignored your call. A few minutes after you hang up and leave the coffee shop, Alice calls tech support and provides the same ticket number. The support agent on the other end of the phone call will rightly believe that they are speaking with you. Even though Alice doesn't have your serial number or date of purchase, she can jump into the middle of your tech support call and cause havoc.

When you browse a Website and it provides a cookie to you without encryption (more on that later), the situation is similar. If someone else can listen in on the network you are using, they can easily obtain your session cookies. It's unfair to say that they're even hacking--they're just listening to something that you're broadcasting as loudly as if it were on a speakerphone.

Computers are instructed to ignore all network packets that aren't addressed to them, but that doesn't mean software can't alter that instruction and ask the computer to listen to all packets, regardless of addressee. If you are on a wireless network without encryption, your laptop is broadcasting all of your network traffic.

How to Protect Yourself

The same helpful tips from "How to Stay Safe on Public Wi-Fi" apply here as well. Use a VPN connection if you are on a public Wi-Fi hotspot; you can find free versions, as well as a do-it-yourself version, of a secure network tunnel. If that isn't possible, limit yourself to browsing that does not require you to log in. Assume that your laptop is connected to a Jumbotron display, and that everyone in the same Wi-Fi hotspot (the coffee shop, the hotel, the airport terminal) can see what you are doing.

If you still decide to go against all these security tips, at least insist that your e-commerce browsing occurs entirely over HTTPS. Yes, that S at the end is very important, as is a Web browser's padlock icon. This means that the page you are viewing was transmitted to you via encryption. Someone listening on the network (using Firesheep or any other sniffing tool) will know what site you are connecting to, but none of the information from that page will be readable.

You'll see a padlock icon in the address bar when visiting an HTTPS site.

Here's where things get tricky. Most Websites provide HTTPS security on sensitive pages where they ask for your password or credit-card information. Once you're logged in, they issue you a cookie. Since they have already processed the sensitive information, however, many sites will switch you back to regular HTTP without any encryption. And they will continue to send you the session cookie on every page request, meaning that even though they had previously transmitted it securely, they're now sending it in the open.
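The switch described above can be reproduced with a browser-style cookie jar. This is an added example, not code from the article: it assumes a hypothetical site shop.example that issues a session cookie on its HTTPS login page, and it also shows the Secure cookie attribute (which the article does not name), the standard way a site tells the browser never to send that cookie over plain HTTP.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample values (hypothetical site and session id, not from the article).
LOGIN_URL = "https://shop.example/login"
HTTP_PAGE = "http://shop.example/catalog"
HTTPS_PAGE = "https://shop.example/catalog"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a header mapping that supports get_all()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookie_sent_to(set_cookie_value, issued_at, later_url):
    """Simulate a browser: the site issues a session cookie on the page
    issued_at (the HTTPS login), then the browser requests later_url.
    Returns the Cookie header the browser would attach to that request,
    or None when the jar withholds the cookie (the Secure attribute
    forbids sending it over a plain http:// URL)."""
    jar = http.cookiejar.CookieJar()  # default policy behaves like a browser
    login_req = urllib.request.Request(issued_at)
    jar.extract_cookies(_FakeResponse(set_cookie_value), login_req)

    later_req = urllib.request.Request(later_url)
    jar.add_cookie_header(later_req)
    return later_req.get_header("Cookie")


if __name__ == "__main__":
    plain = "sessionid=abc123; Path=/"
    secure = "sessionid=abc123; Path=/; Secure"
    # Without Secure the session id leaks onto the unencrypted page request.
    print("no Secure flag, HTTP page :", cookie_sent_to(plain, LOGIN_URL, HTTP_PAGE))
    # With Secure the browser keeps it back on HTTP and sends it only over HTTPS.
    print("Secure flag,    HTTP page :", cookie_sent_to(secure, LOGIN_URL, HTTP_PAGE))
    print("Secure flag,    HTTPS page:", cookie_sent_to(secure, LOGIN_URL, HTTPS_PAGE))
```

The first call is the situation the paragraph describes: a cookie issued over HTTPS is re-sent in the clear on every later HTTP page, which is all a network sniffer needs.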

In early 2010, Google changed the Gmail Web-based e-mail service so that it was in HTTPS mode full-time. Previously, only the login page was over HTTPS, and all further page browsing happened over HTTP. This setup exposed the contents of users' e-mail to anyone who could listen on the network.

Even though a Website switches you back to HTTP, you can usually switch back to HTTPS manually. Try it: Set a bookmark for https://www.facebook.com or https://www.twitter.com, for instance, so that you always use those sites' encrypted versions. If you maintain a secure session, would-be attackers who are listening on the network (with or without Firesheep) won't be able to steal your cookie.
