  1. #1
    Aleksejs (secure webapps for all), Riga, Latvia; joined Apr 2008; 755 posts

    FireSheep brings session hijacking to the masses

    Quite recently a new Firefox plugin, FireSheep, was released: http://codebutler.com/firesheep
    Essentially it does "session hijacking for dummies", meaning that now every average Joe can install this plugin, connect to an unsecured WiFi or non-switched network (think free wifi at coffee shops or a school/university campus) and steal other people's sessions to Facebook/Twitter/any other session that is unprotected.

    While session hijacking is nothing new, what is important is that this tool allows people with almost no knowledge and expertise on technical details (i.e. your little sister/brother, your jealous boyfriend/girlfriend, your classmate, etc.) to perform this attack. You would not want to overreact, though; it is not "the end of the web as we know it".

    As Chris Wysopal put it: "#firesheep is to cleartext web sessions as chainsaws are to trees. Everyone gets to be a lumberjack."

    What to do as a user: avoid using unsecured networks altogether; use SSL whenever possible; use plugins that force SSL, such as HTTPS Everywhere.

    What to do as a developer: ensure that the session ID is well protected: use SSL to protect session cookies. No other viable alternative comes to my mind. Maybe you can suggest something. Binding the session to the client's IP address (using $_SERVER['REMOTE_ADDR'] et al.) would be ineffective since this attack is performed from the same subnet (and since we are talking about wifi, both the attacker and the victim would be behind the same NAT router).

    More resources:
    Presentation from the author - http://codebutler.github.com/firesheep/tc12/#1
    http://www.h-online.com/security/new...s-1124596.html
    http://blogs.pcmag.com/securitywatch...our_http_s.php
    http://www.f-secure.com/weblog/archives/00002055.html

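The developer advice above (protect the session cookie with SSL rather than IP binding), as an added PHP example that is not code from the post: the weak default setup beside a hardened one that refuses cleartext requests and marks the cookie Secure and HttpOnly. It assumes PHP 7.3 or later and that `$_SERVER['HTTPS']` is populated by the web server.

```php
<?php
// Added example, not code from the thread: a PHP session bootstrap whose cookie
// is only ever sent over TLS. Assumes PHP 7.3+ (array form of session_set_cookie_params).
declare(strict_types=1);

// True when this request arrived over TLS. $_SERVER['HTTPS'] is set by the
// web server; IIS sends the string 'off' for plain HTTP.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Weak setup: PHP's defaults. The cookie is attached to http:// requests as
// well as https:// ones, so one cleartext request (an image, a redirect)
// hands the session ID to anyone on the same network segment.
function start_session_weak(): void
{
    session_start();
}

// Hardened setup: refuse cleartext, then mark the cookie Secure (browser
// never sends it over plain HTTP) and HttpOnly (page scripts cannot read it).
function start_session_secure(array $server): void
{
    if (!request_is_https($server)) {
        $host = $server['HTTP_HOST'] ?? 'localhost';
        $uri  = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . $host . $uri, true, 301);
        exit;
    }
    // Tell the browser to use https:// for this host from now on (HSTS).
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Accept session IDs from cookies only, and only IDs this server issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
    // Issue a fresh ID once per session so an ID observed earlier goes stale.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}
start_session_secure($_SERVER);
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is typically not set, so derive the TLS decision from a header the proxy is trusted to set instead of letting every request be redirected.
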
