By Daniel Peck, Research Scientist
Web site session theft isn’t a new topic. It is an attack that has been around long enough that the general public should be more exposed to it, and the conditions that enable it should be corrected, or so the creators of a new tool believe. This tool, named Firesheep, is a plugin for the Firefox Web browser (that’s the “fire” part of the name). It is a wrapper for packet capturing libraries on Windows and OS X that does the “heavy lifting” part of session hijacking for the user and provides the user with a simple and easy-to-use interface (that’s the “sheep” part of the name, a nod to the infamous Wall of Sheep at Defcon), allowing an already easy attack to become as trivial as operating a Web browser.
The only way to make these attacks go away for good is for application-level encryption (SSL) to be ubiquitous. While it is certainly more common than just a few years ago, most sites are either still missing the feature or are implementing it incorrectly. Most login pages are protected by SSL, but all too often the secure connection is then abandoned by the site and the user is dropped back to an insecure connection that exposes the cookie or session ID that uniquely identifies the user, allowing tools like Firesheep to impersonate the account.
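To make that failure mode concrete, here is a small added example (not code from the original post) that audits the headers of a captured post-login response for the pattern just described: a session cookie that the browser will replay over plain HTTP, a redirect that drops back to http://, and a missing Strict-Transport-Security header (the server-side counterpart of an HTTPS-enforcing browser plugin). The cookie-name heuristics, the example.com URLs and the `sessid` cookie are constructed assumptions, not taken from any real site.

```python
# Added example, not from the original post: audit a captured HTTP response for
# the pattern described above, a session cookie handed out after an SSL login
# that the browser will replay over plain HTTP. Samples are constructed.
SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed cookie-name patterns

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, lower-cased attrs)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_headers(raw_headers):
    """Return a list of findings; an empty list means the response passed."""
    headers = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep:
            headers.append((key.strip().lower(), val.strip()))
    findings = []
    # Without HSTS the browser still follows plain-HTTP links and bookmarks.
    if not any(k == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for key, val in headers:
        if key == "location" and val.lower().startswith("http://"):
            findings.append(f"redirect drops to plain HTTP: {val}")
        if key != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if any(h in name.lower() for h in SESSION_HINTS) and "secure" not in attrs:
            findings.append(f"session cookie {name} lacks Secure: sent over HTTP")
    return findings

# Constructed post-login redirects: the weak one leaves the session cookie
# replayable over HTTP; the fixed one pins it to HTTPS.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.com/home\r\n"
    "Set-Cookie: sessid=abc123; Path=/\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.com/home\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessid=abc123; Path=/; Secure; HttpOnly\r\n"
)
```

Running `audit_headers` on the weak sample reports all three problems, while the fixed sample returns an empty list.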
Much of the communication between individuals today goes through social networking sites, where rapid growth is the first priority and security is an afterthought; most don’t implement any sort of encryption at all. One coder (or perhaps privacy activist, depending on your perspective) has raised the bar in this area with his tool, idiocy. This tool watches for users visiting Twitter insecurely, hijacks the active session, and posts a Tweet to the hijacked account warning that it is vulnerable.
Keep an eye on the sites you use and make sure everything that is important to you is encrypted. Let the sites you depend on know that SSL support matters to you. And possibly look at adding plugins to your browser that enforce using HTTPS when possible. Stay aware, and stay safe out there.