Thursday, November 18, 2010

Firesheep and how to protect yourself

In recent weeks an old vulnerability has become very popular again, with the release of Firesheep.

Firesheep is a Firefox extension that takes advantage of something called session hijacking (also called "sidejacking"). Normally when you go to a website that requires you to log in (e.g. Facebook.com), the login page is served over HTTPS. (Although Facebook does not default to HTTPS for the rest of the site; you have to manually enter it in.) This is an SSL connection that encrypts all of the network traffic between your computer and the Facebook servers, and it is how you want all of your traffic to be sent. When you log in, your password travels inside that encrypted connection, so anyone who may be listening in would only get unreadable data. Once the server (Facebook.com) has verified your password, it sends your browser what is called a session cookie: a random token that stands in for your password from then on. So instead of having to enter your password every time you want to do something, the browser attaches that cookie to every request it makes to the site, the site sees the cookie it handed out after your password was verified, and it lets you continue. This sounds great, because who wants to have to enter in a password every time they want to friend someone? Or make a status update? No one.

The reality is, this is a serious security vulnerability, because only Facebook's login page is sent over SSL. Your password is sent encrypted, but the rest of the time you are browsing, your traffic is not, and the session cookie rides along in plain text with every one of those unencrypted requests. So anyone on the same network can very easily "hijack" your cookie. This is what Firesheep does: it listens on the local network for a session cookie going by in the clear, copies it, and lets the person running it browse the site as you. Once someone has your session cookie, the website can no longer tell you apart from them, because the only way anyone could have gotten that cookie is by verifying the password. Right?
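To make the leak concrete, here is an added example (not code from the original post) that plays both sides: a browser-style cookie jar that logs in over https:// and then browses over http://, and a passive listener that parses the plaintext request bytes the way Firesheep's sniffer has to. It also shows the one thing a site can do about it on the cookie itself: the `Secure` attribute, which tells the browser never to put that cookie on a plain HTTP request. The host www.example.com, the cookie names and values, and the request layout are all constructed for illustration; only the Python standard library is used.

```python
"""Why a session cookie leaks over plain HTTP, and what the Secure attribute changes.

Added example, not code from the original post. Standard library only.
www.example.com, the cookie names/values and the request layout are constructed.
"""
from __future__ import annotations

import http.cookiejar
import urllib.parse
import urllib.request
from email.message import Message


class FakeResponse:
    """Stand-in for an HTTP response object: CookieJar only needs .info()."""

    def __init__(self, headers: Message):
        self._headers = headers

    def info(self) -> Message:
        return self._headers


def login_over_https(jar: http.cookiejar.CookieJar, secure_flag: bool) -> None:
    """Simulate the HTTPS login response that hands the browser its session cookie.

    secure_flag=False reproduces the situation the post describes: the cookie is
    set inside the SSL connection, but nothing tells the browser to keep it off
    plain HTTP afterwards.
    """
    headers = Message()
    session = "sessionid=abc123; HttpOnly"
    if secure_flag:
        session += "; Secure"  # browser may only send this cookie over https
    headers["Set-Cookie"] = session
    headers["Set-Cookie"] = "lang=en"  # harmless preference cookie, for contrast
    login_request = urllib.request.Request("https://www.example.com/login")
    jar.extract_cookies(FakeResponse(headers), login_request)


def wire_request(jar: http.cookiejar.CookieJar, url: str) -> bytes:
    """Render the request the browser sends for url, as the bytes on the wire.

    For http:// this is literally what a listener on the same network sees.
    For https:// the same bytes would sit inside an SSL record (not modelled).
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # drops Secure cookies for non-https URLs
    parts = urllib.parse.urlsplit(url)
    lines = [f"GET {parts.path or '/'} HTTP/1.1", f"Host: {parts.netloc}"]
    cookie_header = request.get_header("Cookie")
    if cookie_header:
        lines.append(f"Cookie: {cookie_header}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def sniff_cookies(captured: bytes) -> tuple[str | None, dict[str, str]]:
    """The listener's side: pull Host and every cookie out of a plaintext request."""
    head = captured.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    host = None
    cookies: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return host, cookies


def demo(secure_flag: bool) -> dict[str, object]:
    """Log in over HTTPS, then browse over plain HTTP and report what leaks."""
    jar = http.cookiejar.CookieJar()
    login_over_https(jar, secure_flag)
    plain = wire_request(jar, "http://www.example.com/home")
    host, seen = sniff_cookies(plain)
    return {
        "secure_flag": secure_flag,
        "wire": plain.decode("ascii"),
        "host": host,
        "sniffed": seen,
        "session_leaked": "sessionid" in seen,
    }


if __name__ == "__main__":
    for flag in (False, True):
        result = demo(flag)
        print(f"Secure attribute set: {flag}")
        print(result["wire"])
        print("Listener sees:", result["sniffed"], "leaked:", result["session_leaked"])
```

Without `Secure`, the very first plain http:// page view after login puts `Cookie: sessionid=abc123; lang=en` on the wire and the listener has your session. With `Secure`, the browser still sends the harmless `lang` cookie over HTTP but keeps `sessionid` for https:// requests only, so there is nothing for Firesheep to take. That attribute is the site's fix; the tips below are what you can do as a user while a site lacks it.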

There are several things that you can do to prevent this from happening.


  1. The first and easiest way is to never use "open" (unencrypted) wireless internet. On a WPA or WPA2 network each client negotiates its own encryption keys with the access point when it connects, so even though you could have 20 people on one wireless router or access point, each of them is on their own "line" and cannot casually read the others' traffic the way they can on an open network. For that purpose it makes little difference what the password is, just that the network is encrypted, so if you were going to leave the wireless open for everyone anyway, put a piece of paper on the wall that tells the password instead. Two caveats, though: WEP uses one shared key for everybody (and is broken anyway), so it gives no such isolation, and on a WPA/WPA2 network someone who knows the passphrase and captures another client's connection handshake can derive that client's keys and read its traffic. The password on the wall raises the bar against Firesheep; it is not a substitute for the next two items.
  2. Use SSL whenever possible! When you go to twitter.com or facebook.com (or a growing number of websites) always type https:// in the address bar (e.g. https://www.twitter.com or https://www.facebook.com), and check that it stays https:// as you click around, since some sites drop you back to plain http:// after the login page.
  3. Tunnel your traffic through an encrypted connection you control, such as OpenVPN or an SSH tunnel. This only encrypts the hop between you and the VPN or SSH server; past that point the traffic goes out the same way it always did. But it is no longer readable by whoever is sitting next to you on the open wireless, which is where Firesheep is listening.
  4. If you are unable to do any of these things, do not use websites that require you to log in while using an unencrypted wireless signal. If you do, you are rolling the dice. As of this posting, Firesheep has been downloaded 770,000 times.
I will post a tutorial on how to use OpenVPN or SSH tunneling shortly.


Tark