Fox in Firesheep's clothing


Over the past few months, we've suddenly had our eyes opened to a significant web vulnerability that's present on many large websites including Facebook and Amazon. This vulnerability has always been there, but a guy called Eric Butler has now written a Firefox extension called Firesheep to highlight just how scary it is — with only a single click of the mouse you can impersonate someone on many of the websites they use, as soon as they've accessed them. The main problem is that websites use cookies to identify logged-in users and these, like any keys, can be copied and faked. That's nothing new, and it's pretty much the only sensible way of working for websites that require a login (yes, you can append strings to the calling URL, but that just isn't convenient for general practice).

The problem arises if a website doesn't employ SSL to communicate between server and client, so that anyone else on the same wireless network can intercept the traffic and read the data contained in a cookie to impersonate the logged-in user. Depending on which website they're connected to, this could mean being able to perform transactions as that user, as well as reading their messages or changing their password, locking them out of their account. The first thing to clear up is that if a website does use SSL — that is, if the connection appears in the address bar as https:// rather than http:// — then you're quite safe. SSL encrypts all traffic between server and browser, so that even if the data is intercepted it would have to be decrypted, which takes far too long to be practicable.

So connecting to your bank account while sitting in a coffee shop using its free Wi-Fi is fine (or perhaps it's better to say, you're not vulnerable to this particular mode of attack). The problem is that many sites don't use SSL, or use it only on the login page (not the rest of the site), and all unprotected pages are potentially vulnerable. It's worth taking a second here to clarify why a site might use SSL only for its login page, but not the rest of the site. For a long time, all sensible sites have used SSL whenever a user logs in, to encrypt the user's username and password and to prevent anyone who's sniffing for packets from grabbing those credentials. The problem is that this is often the only page that's encrypted, so all subsequent data passes across the network in clear text and can easily be intercepted. That unprotected data includes the cookie that validates the user to the server. The attack, known as "session hijacking", involves analyzing a captured cookie, working out how the user is authenticated to the server, and then using this information to impersonate that user — essentially by sending a slightly modified version of the cookie back to the server. The server then unwittingly believes that the hijacker is the authenticated user and will happily send them the user's data.
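The article's point is that a session cookie issued during an SSL login is then replayed in clear text on every non-SSL page. An added example (not from the PC Pro article): a small audit of a site's own Set-Cookie headers, flagging cookies that lack the Secure attribute, the browser-side control that stops a cookie being sent on http:// requests at all, and showing the hardened header. It goes slightly beyond the text, which names cookies and SSL but not the cookie attribute. The response headers below are constructed for the example, not captured from any real site.

```python
"""Audit Set-Cookie headers for cookies a browser would send over plain HTTP.

Constructed sample: a login response that sets a session cookie without the
Secure flag (the Firesheep-style weakness) and a preferences cookie with it.
"""

SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)


def parse_set_cookie(header_value):
    """Return (cookie_name, attrs) for one Set-Cookie header value.
    attrs maps lower-cased attribute names to values (True for bare flags)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_response_headers(raw_headers):
    """Return (cookie_name, finding) pairs for cookies that weaken session safety."""
    findings = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        if "secure" not in attrs:
            # Without Secure the browser sends this cookie on http:// pages too,
            # which is exactly what a sniffer on open Wi-Fi gets to read.
            findings.append((name, "missing Secure: sent in clear on http:// requests"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by page scripts"))
    return findings


def harden_set_cookie(header_value):
    """Return the header value with Secure and HttpOnly appended where absent."""
    _, attrs = parse_set_cookie(header_value)
    hardened = header_value.rstrip().rstrip(";")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    return hardened
```

Marking the cookie Secure only helps if the whole site is served over SSL; otherwise the non-SSL pages simply stop seeing the logged-in user.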

The first time you use Firesheep it's scary to see how easy it is to perform such malicious acts. Downloading and installing it takes just a few seconds. Next, restart Firefox and go to View | Sidebar | Firesheep, where a sidebar will appear. At the bottom of this, select Preferences and tell the program from which network interface you want to collect data. This, typically, will be your wireless interface. Then just click Start Capturing and wait for people's data to appear. Whenever someone on the same network connects to a site that Firesheep knows about, an icon will appear, usually giving their name as well as the name of the site. Double-click on that and a new browser window will appear, with you logged in to the same site as that user...

You can try this out on your home network (so long as it isn't WPA-encrypted), or else wander down to the local coffee shop with your laptop and try it there (although, needless to say, you shouldn't actually hijack anyone's session). Once you've seen just how easy it is to do and how vulnerable most people are, you'll never want to use a public Wi-Fi connection again. But sometimes you don't have any option, so what precautions can you take to protect yourself?

Encrypting your web traffic
To protect yourself against session hijacking and similar attacks, the best thing to do is employ a virtual private network, or VPN. Put simply, here's how it works. You tell your browser to visit a website. That request is encrypted and sent to a server somewhere on the internet. That server decrypts the message and sends it on to the actual requested website. The site returns a page to the intermediate server, which encrypts it and passes it back to your browser, where it's decrypted and displayed. All of this happens transparently to you, so it looks as if you're visiting that site directly. The beauty of it is that all data stays encrypted until it's well away from that vulnerable Wi-Fi link, the only non-encrypted traffic being between your VPN server and the target website itself. Of course, there are downsides to using a VPN, chief of which is that it introduces somewhat greater latency (the time between request and response), since the traffic has further to travel and encrypting and decrypting takes time too. However, most people will happily cope with a fraction of a second longer before each web page appears in exchange for dramatically improved security. Another downside is that your VPN server becomes a single point of failure — if it goes down, you won't be able to visit any websites until you disable the VPN. Of course, you could set up multiple redundant VPN servers, or else use a cloud service such as Amazon's EC2 (Elastic Compute Cloud), so you can rapidly spin up another VPN server if one goes down.

Source of information: PC Pro, April 2011

