“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.
Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.
Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).
The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.
Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”
In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”
It appears, however, that this add-on will only capture cookies from other users on a wireless network in cases where the attacker has already compromised the security of the entire network itself. Still, a number of free, open source tools are available to accomplish this task and could be used in combination with Firesheep to collect a ton of user logins on a busy wireless network. For example, Ettercap is an extremely useful program that lets you trick other computers on the local network into thinking that your computer is the wired or wireless router, effectively routing all of the incoming and outgoing traffic on the local network through your computer. Ettercap is a standard component of many Live CD installations of Linux that allow users to boot into a fully usable Linux distribution from a CD or USB device.
I pinged Butler for an interview about his add-on, but have yet to hear back from him. If that changes, I’ll update this post.
I tested Firesheep on a regular wireless network without running Ettercap and, sure enough, the only time Firesheep recorded any logins was when I logged in from the same computer that was running Firesheep: It did not capture cookies when I logged in to the same accounts from other machines on my wireless network. I tested this using two separate, commonly-sold wireless routers — with and without WEP/WPA encryption enabled — with the same results.
Combine Firesheep with something like Ettercap, however, and you have a very powerful, point-and-click method for hijacking social networking and e-mail accounts belonging to other users on the local network. This is exactly what McAfee director of research Dave Marcus found and explained quite well in his take on this tool earlier this week. Marcus also found that the add-on doesn’t collect cookies from other computers on a local network with the help of tools like Ettercap.
“What I like about Firesheep is that it is a very graphical way of showing people a problem,” Marcus said. “That said, it doesn’t do anything new. People have been talking about session and cookie hijacking since at least 2003. [Butler] has just come out with a nifty extension for you to show the extent of this threat graphically and uniquely.”
In any case, Firesheep was meant to raise awareness about this problem, and it appears to have succeeded in doing that. So what can you do to protect yourself? There are at least two Firefox add-ons that can dramatically increase the security and privacy of your Web browsing while on public networks, and that directly address the weakness exploited by Firesheep. These add-ons force any Web site you specify to encrypt all traffic (that is, always use an https:// connection), not just logins.
The Electronic Frontier Foundation‘s add-on, Https-Everywhere, is nice because it comes with about 20 sites pre-selected, including Facebook and Twitter. But some users may find its instructions for adding other sites to be a bit complex.
Another plug-in that makes it easier to add new sites is Force-TLS, although it does not include any sites by default.
One final note: The truly scary aspect of these types of network-level attacks is that they work against all computer users, regardless of operating system type. As for the helper add-on, Firesheep is available for Windows and OS X systems, and the authors say they are working on a version for Linux.
Update, 4:06 p.m. ET: A couple of readers have pointed out a blog post from Robert Graham at ErrataSec, which notes that the ForceTLS add-on may not succeed in forcing https on all sites. He also offers some reasons why I may not have seen the Firesheep add-on working to capture cookies over the network. Graham writes: “FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).”