The internet has been alive with talk about Firesheep, a Firefox plug-in that allows you to capture session cookies from sites like Facebook, Amazon, Twitter, Dropbox, Flickr, Tumblr, WordPress, Yahoo, Google, and more. The method has been around for a while, but there simply hasn't been a widely available piece of software that accomplishes the task this easily, with little to no knowledge of how it works.
Most websites encrypt the login portion of the site, but once you are logged in they send the session cookie in plain text. The session cookie is what tells the website you are logged in, so Firesheep simply takes the cookie and allows you to use the website as if you were logged in as the other user. Websites could protect themselves from this by simply encrypting everything sent on the site, but many don't, and this is why the creator of Firesheep released the software. It brings attention to the problem and forces websites to encrypt their data and protect their users.
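The following is an added example, not code from the original post or from Firesheep. It is a small Python check a site owner could run against their own login response to see which cookies a browser would later attach to unencrypted requests. The host name, cookie names and URLs are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def cleartext_exposures(login_url, set_cookie_headers, later_urls):
    """Return {cookie_name: [urls]} for cookies a browser would send over plain HTTP.

    Simplifying assumption: each cookie's Domain/Path matches every later URL
    on the login host, so only the Secure attribute decides whether the cookie
    is attached to an http:// request.
    """
    login_host = urlsplit(login_url).hostname
    exposures = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # browsers attach Secure cookies to https:// requests only
        for url in later_urls:
            target = urlsplit(url)
            if target.scheme == "http" and target.hostname == login_host:
                exposures.setdefault(name, []).append(url)
    return exposures

# Constructed sample: login over HTTPS, then a mix of HTTP and HTTPS page loads.
LOGIN_URL = "https://www.example.test/login"
LATER_URLS = ["http://www.example.test/home", "https://www.example.test/settings"]
# Weak: the session cookie is set on the encrypted login page without Secure.
WEAK = ["session_id=abc123; Path=/; HttpOnly", "theme=dark; Path=/"]
# Hardened: the same cookies, marked Secure.
HARDENED = ["session_id=abc123; Path=/; HttpOnly; Secure", "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    print("weak:    ", cleartext_exposures(LOGIN_URL, WEAK, LATER_URLS))
    print("hardened:", cleartext_exposures(LOGIN_URL, HARDENED, LATER_URLS))
```

Once the cookie is marked Secure, the plain HTTP page loads no longer carry it, so the site also has to serve those pages over HTTPS for the user to stay logged in; that is the "encrypt everything" fix described above.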
For now there are several ways you can protect yourself. The easiest, in my opinion, is to use Hotspot Shield. It's a little application that you install that basically connects you to a proxy server that encrypts all your data for you. The only downside to this application is that it places a small banner at the top of every page for advertisements, but hey, it's free and it works. I tested it with Firesheep running and it does indeed prevent the cookie from being stolen.
Another simple solution is to use the HTTPS Everywhere extension for Firefox. The extension, which only works for a couple of sites, forces them to encrypt the data sent over the network, preventing applications like Firesheep from intercepting it. It works for popular sites such as Google, Facebook, and Twitter, so as far as those websites and a handful of others are concerned, you are covered. If you are the geeky type, you can write your own rules, which can allow the plugin to work for any HTTPS-enabled site.
The more complete way of protecting yourself without ads is to simply use an SSH proxy server to encrypt your data. Everything is sent to you from the proxy encrypted, so nothing will be captured by programs like Firesheep. You can also use a VPN to encrypt your traffic with applications like Hamachi.
Another interesting plugin that popped up this morning is one called FireShepherd. It basically exploits a weakness of Firesheep by flooding it with nonsense cookies, causing it to crash. This could of course be patched by the developer or users of the plugin, but the developer of FireShepherd has said he will continue to find ways of defending against this plugin.
Update October 29, 2010
I just wanted to make sure that my readers don't get the wrong impression. Firesheep is most definitely illegal to use in the US and the UK. If you use it on a public Wi-Fi, it's the same as placing a wiretap, which can only be done by the authorities and only with a warrant for information. So even though it's really easy and cool, it's not a good idea to go around using it. Just thought I would reiterate that for you guys out there.
from BlogVersity