Firesheep is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. As cookies are transmitted over the network, the sniffer discovers the identities of logged-in users and lists them in a sidebar in the browser; double-clicking a victim’s name lets the Firesheep user instantly take over that victim’s logged-in session.
Firesheep is so user-friendly that anyone using an unsecured Wi-Fi connection can hijack another user’s session. The default Firesheep database includes 26 popular Web service and social networking sites, including Amazon, Facebook, Google, Twitter, The New York Times and WordPress. The database can also be customized to include other websites.
The extension was created as a demonstration of the security risk of session hijacking vulnerabilities to users of web sites that only encrypt the login process and not the cookie(s) created during the login process. It has been warned that using the extension to capture login details without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons have stated that Mozilla would not use the browser’s internal add-on blacklist to disable Firesheep, as the blacklist has only been used to disable spyware or add-ons which inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one’s own systems). Note that even if they did, it wouldn’t actually prevent anyone from using Firesheep, as Firefox contains a hidden setting to disable this blacklist.
Multiple methods exist to counter Firesheep’s local network sniffing, such as preventing sniffing by using a secure connection. This can be realized in several ways: for example by using HTTPS, or a virtual private network (VPN) connection, or using wireless security. These approaches may be employed individually or in any combination, and their availability in any given situation will vary, in part due to web site and local network characteristics and configuration.
HTTPS offers end-to-end security between the user agent and the web server. This works well with web sites that are offered uniformly over HTTPS. However, many web sites employ HTTPS only for accomplishing what is sometimes called “web login” (also often inaccurately referred to as “form-based authentication”), then revert the user’s session to insecure HTTP.
This can be addressed in two intersecting fashions:
First, the site can offer itself uniformly over HTTPS.
As an adjunct to this, the site can advertise the HTTP Strict Transport Security (HSTS) policy, which will be honored by user agents implementing HSTS.
Second, the user can employ a browser extension, such as HTTPS-Everywhere, which can help ensure uniform HTTPS access to certain websites (the list is extensive), whether or not the site offers itself uniformly over HTTPS or employs HSTS. Also, in Mozilla Firefox 4 (or later) and Google Chrome (version 4 and later), the user may natively hand-configure the browser to treat a site as HTTPS-only.
Virtual private network
The end-user may also employ a corporate virtual private network or implement a personal VPN (for example via OpenVPN) to a home PC acting as a VPN server to encrypt absolutely all the data during transmission over the public Wi-Fi link.
However, one must then trust the VPN’s operators not to capture the session cookies themselves. That is particularly a concern with the Tor network, for which anyone can set up an exit node and monitor traffic going to non-HTTPS websites.
Wireless network security
Local Wi-Fi networks may be configured with varying levels of security enabled. With Wired Equivalent Privacy (WEP), the attacker running Firesheep must have the network password, but once they have it (a likely scenario if a coffee shop is giving all users the same basic password) they are able to decrypt the cookies and continue their attack. Wi-Fi Protected Access (WPA or WPA2) encryption, by contrast, offers individual user isolation: each client’s traffic is encrypted under its own per-session key, so an attacker using Firesheep cannot decrypt cookies sent over the network even if the Firesheep user has logged into the network with the same password. An attacker could still manually retrieve and decrypt another user’s data on a WPA-PSK connection if the key is known and the attacker was present at the time of the handshake, or if they send a spoofed de-authenticate packet to the router, causing the user to re-authenticate and allowing the attacker to capture the handshake. This attack would not work on WPA-Enterprise networks, as there is no single shared password (the ‘Pre-Shared Key’ in PSK).
How to protect against Firesheep attacks
Experts suggest defensive measures to ward off Firefox add-on’s hijacking of Facebook, Twitter sessions via Wi-Fi
Security experts today suggested ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users’ access to Facebook, Twitter and other popular services.
Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site.
A simple double-click gives a hacker instant access to logged-on sites ranging from Twitter and Facebook to bit.ly and Flickr.
Since researcher Eric Butler released Firesheep on Sunday, the add-on has been downloaded nearly 220,000 times.
“I was in a Peet’s Coffee today, and someone was using Firesheep,” said Andrew Storms, director of security operations at San Francisco-based nCircle Security. “There were only 10 people in there, and one was using it!”
But users aren’t defenseless, Storms and several other experts maintained.
One way they can protect themselves against rogue Firesheep users, experts said on Tuesday, is to avoid public Wi-Fi networks that aren’t encrypted and available only with a password.
However, Ian Gallagher, a senior security engineer with Security Innovation, argued that that approach tosses out the baby with the bathwater. Gallagher is one of the two researchers who debuted Firesheep last weekend at a San Diego conference.
“While open Wi-Fi is the prime proving ground for Firesheep, it’s not the problem,” Gallagher said in a blog post earlier on Tuesday. “This isn’t a vulnerability in Wi-Fi, it’s the lack of security from the sites you’re using.”
Free, open Wi-Fi is not only taken for granted by many; it’s also not the problem. There are plenty of low-risk activities one can do on the Internet at a public hotspot, including reading news or looking up the address of a nearby eatery.
So if Wi-Fi stays, what’s a user to do?
The best defense, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos, is to use a VPN (virtual private network) when connecting to public Wi-Fi networks at an airport or coffee shop, for example.
While many business workers use a VPN to connect to their office network while they’re on the road, consumers typically lack that secure “tunnel” to the Internet.
“But there are some VPN services that you can subscribe to for $5 to $10 a month that will prevent someone running Firesheep from ‘sidejacking’ your sessions,” Wisniewski said.
A VPN encrypts all traffic between a computer — a laptop at the airport gate, for instance — and the Internet in general, including the sites vulnerable to Firesheep hijacking. “It’s as good a solution as there is,” Wisniewski said, “and no different, really, than using encrypted Wi-Fi.”
One provider, Strong VPN, prices its service starting at $7 per month or $55 per year.
Gallagher, however, warned that a VPN isn’t a total solution. “That’s just pushing the problem to that VPN or SSH endpoint,” he said. “Your traffic will then leave that server just as it would when it was leaving your laptop, so anyone running Firesheep or other tools could access your data in the same way.”
“A blind suggestion of ‘use a VPN’ doesn’t really solve the problem and may just provide a false sense of security,” he said.
Strong VPN disagreed. “Our servers are in a secure datacenter, so no one’s going to be able to ‘sniff’ the traffic coming in or going out,” a company spokesman countered. “All the traffic from, for example, your laptop in San Francisco, is encrypted when it goes to one of our U.S. servers.”
Storms echoed Strong VPN’s assertion. “I can see [Gallagher’s point], that a VPN doesn’t solve the root problem, which is on the service end,” he said. “But although it’s true that the traffic would be clear text when it leaves the VPN server for the site, it’s very unlikely that someone would snoop that traffic.”
Sean Sullivan, a security advisor with F-Secure, recommended Comodo’s TrustConnect as “a VPN in all but name only.” Comodo, a rival of F-Secure, sells the service for $7 per month or $50 annually.
If free is the object, there are options there, too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites.
One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google’s search engine.
The other choice, Force-TLS, serves the same purpose as the EFF’s extension, but lets users specify the sites on which to enforce encryption.
However, other browsers, such as Microsoft’s Internet Explorer and Google’s Chrome, lack similar add-ons, leaving their users out in the cold.
“I expect that [Firesheep] will spur the EFF or others, maybe in the open source community, to some additional development [of such add-ons], maybe Chrome ports of those extensions,” Sullivan said.
That could take months. In the meantime, Sullivan had another idea. “A MiFi device can encrypt [traffic], so with one you’re always carrying your own Wi-Fi hotspot with you,” he said.
MiFi isn’t cheap, however. Verizon, for example, gives away the hardware but charges between $40 and $60 per month for the access to its 3G network.
Ultimately, moves users make to plug the holes Firesheep exposes are stop-gaps. The elephant in the room, said Butler and Gallagher as they defended the release of the add-on, is the lack of full encryption. And only the sites and services can fix that.
“The real story here is not the success of Firesheep but the fact that something like it is even possible,” Butler wrote in his blog on Tuesday. “Going forward, the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.”
But for the moment, even security professionals are worried. “I’m at the airport right now,” Wisniewski told Computerworld. “And I’m wondering if someone is using Firesheep here. Maybe I should do a little ‘shoulder browsing’ to see if anyone has it running.”
Here’s Firesheep in action, as illustrated by Eric Butler’s screenshots:
1. Firesheep appears as a sidebar. The attacker just has to connect through an unsecured Wi-Fi network and click “Start Capturing.”
2. Firesheep will monitor the network traffic and, when it detects a user connected to a website in the Firesheep database, it will grab cookies and display a list of potential targets.
3. When the list appears, all the attacker has to do is double-click a name to log into the website as that user.
Firesheep works because of lax security in the way user sessions are authenticated on many websites. When the user logs in, the server checks for the user name and password and, when they are found, responds with a cookie that is used to authenticate subsequent communications. Websites commonly encrypt the initial communication but not subsequent ones. If the website is in the Firesheep database, Firesheep uses the session cookie to allow the attacker to do anything on the website that the valid user can — including making purchases, posting updates, chatting or sending email.
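The weakness described above (and the HSTS and HTTPS-only remedies in the earlier section) come down to two response headers a site controls: whether its session cookie carries the Secure attribute, and whether it advertises an HSTS policy. The following audit is an added example, not Firesheep’s code or any site’s; it parses constructed login responses and reports the conditions that leave a session exposed to a sniffer on open Wi-Fi.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (header name/value pairs), not captured from any real site.
# The first is the pattern Firesheep relies on: login over HTTPS, but the cookie
# is usable over plain HTTP and nothing keeps the browser on HTTPS afterwards.
VULNERABLE_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0nstructed; Path=/; HttpOnly"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=c0nstructed; Path=/; Secure; HttpOnly"),
]


def hsts_max_age(header_value):
    """Return the max-age (seconds) from an HSTS header value, or None if missing/invalid."""
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def cookie_findings(set_cookie_line):
    """Flag every cookie in one Set-Cookie line that the browser would also send over HTTP."""
    jar = SimpleCookie()
    jar.load(set_cookie_line)
    return [
        f"cookie {name!r} lacks Secure: browser will send it over plain HTTP"
        for name, morsel in jar.items()
        if not morsel["secure"]
    ]


def audit(headers):
    """Audit one HTTP response for the sniffable-session pattern; returns a list of findings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: site may later be loaded over HTTP")
    elif (hsts_max_age(hsts[0]) or 0) <= 0:
        findings.append("HSTS max-age missing or zero: policy is not enforced")
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(cookie_findings(value))
    return findings
```

Running `audit` over the vulnerable response yields two findings (no HSTS, cookie without Secure); the hardened response yields none.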
According to Butler, his reason for developing Firesheep was to draw attention to the risks of session hijacking and the importance of adequate security to prevent it:
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.”
Because unsecured Wi-Fi networks abound in coffee shops and other public places, it would be unrealistic to expect people to stop connecting through them. However, to prevent session hijacking, public Wi-Fi users should avoid logging into websites.