By Richi Jennings. October 26, 2010.
Wake up, webmasters: your authentication cookies are vulnerable to Firesheep. That is, unless you TLS-encrypt everywhere, implementing HTTPS for every page. A new Firefox add-on called Firesheep is demonstrating the mysterious problem of cookie-hijacking. It's allowing script kiddies to sidejack your Facebook and Twitter sessions and impersonate you. In IT Blogwatch, bloggers phear public Wi-Fi.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention It's Not A Bug...
Gregg Keizer reports:
The add-on ... was released Sunday by Eric Butler, a ... freelance Web application developer, at the ToorCon security conference ... in San Diego. Butler said he [wants] to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.
...Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open ... Wi-Fi network visits an insecure site. ... [It] illustrates the wide-ranging problem of unencrypted sites and public networks.
John Leyden explains and suggests:
Cookies sent over an insecure connection can easily be captured ... to allow a mischief maker or hacker to log into the same website via ... HTTP session hijacking (AKA sidejacking). ... The extension allows [you to] ... log in to a compromised account simply by double-clicking.
...Until websites improve their security, a process that could take some time ... users would be well advised to use a secure VPN connection while surfing on an open WiFi network.
Eric Butler seems to announce, "cookies are served":
It's extremely common for websites to ... encrypt the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie ... vulnerable. ... Popular websites continue to fail at protecting their users. The only effective fix ... is full end-to-end encryption.
...Websites have a responsibility to protect the people who depend on their services. They've been ignoring this ... for too long, and it's time for everyone to demand a more secure web.
Kashmir Hill illustrates the point:
Among the websites Firesheep won't work on is Gmail, because Google decided to make https the default setting for emailers earlier this year.
Darlene Storm says any idiot can do it:
The Firesheep addon can allow even the truly clueless to become an Internet griefer. ... Although many websites give lip service about how important their users' privacy and security is to them, very few have their entire site encrypted. ... As soon as a user moves on to a regular HTTP page on the site, an attacker can sniff and capture the user's cookie.
...We log into Twitter or Facebook, or even Flickr, and then move on to surf other sites without first logging out. ... If any of those future sites have a Twitter or Facebook widget, or even a Flickr image embedded, ... then sidejacking can happen and leak the user's cookie.
Melissa Bell reached out to Facebook PR:
Facebook spokesman Andrew Noyes said ... Facebook has been testing a technology that will close out this loophole and they hope to provide it within the next few months. However, "As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks."
Mikko Hypponen says it's "pretty serious stuff":
Will Firesheep be misused? Absolutely.
Will it cause some of the above sites to go fully SSL? We hope so.
...What can users do right now? Force SSL on. ... Or, use a VPN.
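For webmasters, the gap described above (an encrypted login followed by unencrypted pages) is visible in response headers. The following is an added example, not code from any of the quoted authors or from Firesheep: it flags cookies that a browser would send over plain HTTP, and HTTPS responses that lack a Strict-Transport-Security header (a header the quoted posts do not mention). The site `shop.example`, the sample responses and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses from a hypothetical site (shop.example).
SAMPLE_RESPONSES = [
    {"url": "https://shop.example/login", "headers": [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=xyz789; Path=/; Secure")]},
    {"url": "http://shop.example/home", "headers": [
        ("Set-Cookie", "prefs=dark; Path=/")]},
    {"url": "https://shop.example/account", "headers": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=def456; Path=/; Secure; HttpOnly")]},
]

def exposed_cookies(responses):
    """Return (url, cookie, reason) for cookies a passive sniffer could capture."""
    findings = []
    for resp in responses:
        scheme = urlsplit(resp["url"]).scheme
        for header, value in resp["headers"]:
            if header.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)
            for name, morsel in jar.items():
                if scheme == "http":
                    findings.append((resp["url"], name, "set over plain HTTP"))
                elif not morsel["secure"]:
                    # Set over HTTPS, but the browser will attach it to any
                    # later http:// request to the same site.
                    findings.append((resp["url"], name, "missing Secure attribute"))
    return findings

def https_without_hsts(responses):
    """Return HTTPS URLs whose response does not tell the browser to stay on HTTPS."""
    return [r["url"] for r in responses
            if urlsplit(r["url"]).scheme == "https"
            and not any(h.lower() == "strict-transport-security" for h, _ in r["headers"])]

if __name__ == "__main__":
    for url, name, reason in exposed_cookies(SAMPLE_RESPONSES):
        print(f"{url}: cookie '{name}' {reason}")
    for url in https_without_hsts(SAMPLE_RESPONSES):
        print(f"{url}: no Strict-Transport-Security header")
```

The login response is the interesting case: the page itself is encrypted, yet its `session` cookie is reported because nothing stops the browser from sending it on the site's HTTP pages.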
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: firstname.lastname@example.org.
You can also read Richi's full profile and disclosure of his industry affiliations.