Easy Attack Tool Demonstrates What We Already Knew

We all know that if we don’t see the lock indicator and the colored favicon in our browsers, then our connections to the web sites we surf are not secure. Intellectually we get that this means any information we exchange, like passwords and personal data, can potentially be eavesdropped. I suspect many of us lack a visceral intuition for what this really means. What may be even less clear is that some of the mechanical guts of web sites we take for granted may be more vulnerable to being taken over by an attacker because of this same default of unencrypted communication.

Eric Butler has made a splash with his presentation of Firesheep at Toorcon 21 over the weekend. Firesheep is a proof of concept attack tool in the form of a browser add on. Most of what Firesheep does is not new; it primarily demonstrates, in a graphically compelling manner, the lack of security inherent in the way most of us use the web. It not only captures unencrypted data, it also allows its user to hijack a login with a mere double click.

Take a look at his blog post for screen shots. I am not sure, ethically, it is a good idea to install the open source add on and try it yourself. Knowing how easy this exploit is to use should drive the point home strongly enough. Even if Butler’s work gets taken down, as may be likely as the storm it unleashes winds its way around the web, bear in mind that criminal attackers aren’t relying on security researchers to show them how to effect these hijacks. The point here isn’t that Butler is making an attack possible, but that he is showing us in no uncertain terms what some real attacker somewhere is undoubtedly already doing. Butler’s presentation was aimed at the site operators who should know better, who should be requiring SSL encryption or deploying other equally effective means to prevent session hijacking.

If Firesheep concerns you, as it should, enough to finally take some active steps to protect yourself, you can install the HTTPS Everywhere add on, about which I blogged some time ago. HTTPS Everywhere forces your connections to use SSL encryption everywhere possible. It is a collaboration between EFF and the Tor Project, two organizations very much dedicated to protecting our right to privacy online. Using SSL for all communications with the sites Firesheep targets and encrypting the cookies they so promiscuously share should reduce, if not eliminate, the risk of session hijacking.
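
For site operators, here is an added example (not from the original post and not part of Firesheep): a small Python check that reads raw response headers and reports cookies that would cross the network unencrypted, which is the condition that makes the session hijacking described above possible. The URLs, cookie names and header samples are constructed for illustration.

```python
# Added example: sample URLs, cookie names and headers below are constructed.
PLAIN_HTTP = "set over plain HTTP, readable by anyone on the same network"
NO_SECURE = "no Secure attribute, browser will also send it over http://"


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, raw_headers):
    """Return [(cookie_name, problem)] for one response's raw header block."""
    over_tls = url.lower().startswith("https://")
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or a header other than Set-Cookie
        name, attrs = parse_set_cookie(value)
        if not over_tls:
            findings.append((name, PLAIN_HTTP))
        elif "secure" not in attrs:
            findings.append((name, NO_SECURE))
    return findings


# Constructed responses: (request URL, raw response headers).
SAMPLES = [
    ("http://app.example/login",
     "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n"),
    ("https://app.example/login",
     "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/; HttpOnly\r\n"
     "Set-Cookie: prefs=dark; SECURE\r\n"),
    ("https://app.example/account",
     "HTTP/1.1 200 OK\r\nset-cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for name, problem in audit_response(url, headers) or [("-", "ok")]:
            print(f"{url}  {name}: {problem}")
```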

If anyone knows of equivalent add ons for other browsers, feel free to recommend them in the comments.

Firesheep, {codebutler} via Hacker News
