Firesheep
Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of a discovered user by double-clicking on the victim's name.
The extension was created as a demonstration of the security risk to users of web sites that only encrypt the login process and not the cookie(s) created during the login process. Warnings have been issued that using the extension to capture login details without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons have stated that they would not use the browser's internal add-on blacklist to disable use of Firesheep, as the blacklist has only been used to disable spyware or add-ons which inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one's own systems).
Later a similar tool called Faceniff was released for Android mobile phones.
Countermeasures
Multiple methods exist to counter Firesheep's local network sniffing, such as preventing sniffing by using a secure connection. This can be realized in several ways: for example by using HTTPS, or a Virtual Private Network (VPN) connection, or using Wireless Security. These approaches may be employed individually or in any combination, and their availability in any given situation will vary, in part due to web site and local network characteristics and configuration. BlackSheep is a Firefox plugin designed to combat Firesheep. BlackSheep drops 'fake' session ID information on the wire and then monitors traffic to see if it has been hijacked.
HTTPS
HTTPS offers end-to-end security between the user agent and the web server. This works well with web sites that are offered uniformly over HTTPS. However, many web sites employ HTTPS only for accomplishing what is sometimes called "web login" (also often inaccurately referred to as "form-based authentication"), then revert the user's session back to insecure HTTP. This can be addressed in two intersecting fashions:
- First, the site can offer itself uniformly over HTTPS.
- As an adjunct to this, the site can advertise the HTTP Strict Transport Security (HSTS) policy, which will be honored by user agents implementing HSTS.
- Second, the user can employ a browser extension, such as HTTPS-Everywhere, which can help ensure uniform HTTPS access to certain websites (the list is extensive), whether or not the site offers itself uniformly over HTTPS or employs HSTS. Also, in Mozilla Firefox 4 (or later) as well as Google Chrome (version 4 and later) the user may natively hand-configure the browser to treat the site as HTTPS-only.
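A site operator can check for the login-only HTTPS pattern by auditing response headers. The following is an added example, not part of the original article: it flags session cookies that lack the `Secure` attribute (a standard cookie attribute the article does not name) and responses without an effective HSTS policy. The function names, the `session_id` cookie and `site.example` are hypothetical, and both sample responses are constructed.

```python
# Added example (not from the original article): audit one HTTP response for
# the cookie exposure described above. Sample responses are constructed.

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw: str, scheme: str) -> list[str]:
    """List findings for a response that was received over `scheme`."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        cookie = pair.split("=", 1)[0]
        flags = {a.split("=", 1)[0].strip().lower() for a in attrs}
        if "secure" not in flags:
            findings.append(f"{cookie}: no Secure attribute, also sent over plain HTTP")
        if scheme != "https":
            findings.append(f"{cookie}: set over plain HTTP, readable on the local network")
    # An HSTS policy only takes effect over HTTPS and with max-age > 0.
    max_age = 0
    for name, value in headers:
        if name == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                val = val.strip().strip('"')
                if key.strip().lower() == "max-age" and val.isdigit():
                    max_age = int(val)
    if scheme != "https" or max_age == 0:
        findings.append("HSTS: no effective policy")
    return findings

# Constructed sample: HTTPS login that hands the session back to HTTP.
LOGIN_ONLY = ("HTTP/1.1 302 Found\r\nLocation: http://site.example/home\r\n"
              "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n\r\n")
# Constructed sample: site served uniformly over HTTPS with HSTS.
UNIFORM = ("HTTP/1.1 200 OK\r\n"
           "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
           "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("login-only", LOGIN_ONLY), ("uniform", UNIFORM)):
        print(label, audit_response(raw, "https"))
```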
Virtual private network
The end user may also employ a corporate Virtual Private Network or implement a personal VPN (for example via OpenVPN) to a home PC acting as a VPN server to encrypt absolutely all the data during transmission over the public Wi-Fi link.
However, one must then trust the VPN's operators not to capture the session cookies themselves. That is particularly a concern with the Tor network, for which anyone can set up an exit node and monitor traffic going to non-HTTPS websites.
Wireless network security
Local Wi-Fi networks may be configured with varying levels of security enabled. Using a Wired Equivalent Privacy (WEP) password, the attacker running Firesheep must have the password, but once this has been achieved (a likely scenario if a coffee shop is asking all users for the same basic password) they are able to decrypt the cookies and continue their attack. However, using Wi-Fi Protected Access (WPA) encryption offers individual user isolation, preventing the attacker from decrypting any cookies sent over the network even if they have logged into the network using the same password. An attacker would be able to manually retrieve and decrypt another user's data on a WPA-PSK connection, if the key is known.
See also
- Session hijacking
- Cookie hijacking
- HTTPS
- Transport Layer Security
- HTTP Strict Transport Security