Recently, the NY Times published the article New Hacking Tools Pose Bigger Threats to Wi-Fi Users . This article discussed the dangers of a relatively new tool called Firesheep, which allows a third-party to “hijack” active connections to password protected websites. The software, created by Eric Butler, can be downloaded for free. The software is easy to use, as it is an add-on for Mozilla Firefox.
Normally, when we log into a website, we are first directed to a login page protected with SSL. (This appears to the user as “https”, and it encrypts data sent over the network.) When a user successfully logs in, their web browser will get a session cookie, which acts like a digital pass. This session cookie allows a user to access protected webpages without having to continually enter their password. A typical session cookie is composed of a sequence of characters and may look like this:
Keep in mind that anyone presenting a valid session cookie can access protected webpages until the session cookie becomes invalid through a logout. If the session cookie is sent without encryption, it could be read by a third-party using an application such as Firesheep. That stolen session cookie could be used to access protected webpages. Note that while the session cookie might be stolen, the user’s password has not been compromised, since the session id provides no information about the user’s password.
When we log into a website that is secure, we expect that the entire session will be encrypted to protect our information as it is traveling the network. However, in many cases, only the login page is protected, not the accesses to the website after login. For example, when logging into Google, the password entered during the login is protected with encryption, preventing a third-party from stealing the password. Once the user is logged in, a session cookie is set. When the user then accesses an unencrypted Google page, the cookie is still sent, but now in the clear.
The Firesheep application is preconfigured to capture active session information for 26 websites. Below are the ten most interesting of them.
- Windows Live,
- NY Times,
Each one of the above websites transmits the session cookie unencrypted, meaning that a third-party could steal the cookie using Firesheep. If someone can copy your session cookie, they could access your protected webpages. For example, in the case of Facebook, they could access your messages and even post status updates.
The risk of having your session cookie stolen is high on an open (unencrypted) Wi-Fi networks, such as those found at airports, coffee shops and hotels as the communications on these networks can be monitored by a third-party. These Wi-Fi networks often require a user to log in, but this log in does not prevent a third-party from watching all of the network traffic going. And, generally, Wi-Fi networks that require a user to login in via a webpage are generally open wireless networks. The risk of session cookie compromise is lower, but still exists with WEP protected Wi-Fi networks. Wired networks and WPA protected Wi-Fi networks offer the best protection against this type of attack as these networks make it difficult for a third-party to intercept your traffic.
What can a user do? There are only a couple of tips:
#1 – Always be sure to log out from a website when you are done. For example, when you are doing on Facebook, by sure to log out. The logout cancels the session cookie.
#2 – Be aware when using an open Wi-Fi network that your session cookie could be stolen by a third-party. So, be more diligent about logging out when using an open Wi-Fi connection.
Unfortunately, there is not much more that users can do at this time. Application developers will need to upgrade their applications to only transmit session cookies when using “https” and never when using “http”.