How to stay safe against session hijacking
Over the past few months, we’ve suddenly had our eyes opened to a significant web vulnerability that’s present on many large websites including Facebook and Amazon.
This vulnerability has always been there, but a guy called Eric Butler has written a Firefox extension called Firesheep to highlight just how scary it is – with only a single click of the mouse you can impersonate someone on many of the websites they use, as soon as they’ve accessed them.
Keeping a user logged in with a cookie is nothing new, and it’s pretty much the only sensible way of working for websites that require a login (yes, you can append strings to the calling URL instead, but that just isn’t convenient for general practice).
The problem arises if a website doesn’t employ SSL to communicate between server and client, so that anyone else on the same wireless network can intercept the traffic and read the data contained in a cookie to impersonate the logged-in user.
Depending on which website they’re connected to, this could mean being able to perform transactions as that user, as well as reading their messages or changing their password, locking them out of their account.
The first thing to clear up is that if a website does use SSL – that is, if the connection appears in the address bar as https://sitename.com rather than http://sitename.com – then you’re quite safe.
SSL encrypts all traffic between server and browser, so even if the data is intercepted it would first have to be decrypted, which takes far too long to be practicable.
So connecting to your bank account while sitting in a coffee shop using its free Wi-Fi is fine (or perhaps it’s better to say, you’re not vulnerable to this particular mode of attack).
The problem is that many sites don’t use SSL, or use it only on the login page (not the rest of the site), and all unprotected pages are potentially vulnerable.
It’s worth taking a second here to clarify why a site might use SSL only for its login page, but not the rest of the site. For a long time, all sensible sites have used SSL whenever a user logs in to encrypt the user’s username and password and to prevent anyone who’s sniffing for packets from grabbing those credentials.
The problem is that this is often the only page that’s encrypted, so that data passes across the network in clear text and can easily be intercepted. The unprotected data includes a cookie that validates the user to the server.
The attack, known as “session hijacking”, involves analysing a captured cookie, working out how the user is authenticated to the server, and then using this information to impersonate that user – essentially by sending a slightly modified version of the cookie back to the server.
The server then unwittingly believes that the hijacker is the authenticated user and will happily send them the user’s data.
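The cookie leak described above has a standard server-side fix: mark the session cookie Secure (and HttpOnly) so the browser never attaches it to an http:// request, even on a site that only encrypts its login page. Below is an added Python example, not from the original article, that checks constructed Set-Cookie headers for those attributes and produces the hardened form; the cookie names and values are made up.

```python
"""Added example (not from the original article): does a session cookie
leak over plain HTTP? The page's scenario is a site that uses SSL for the
login page only, so the cookie rides in clear text on every other page.
The browser rule that stops this is the cookie's Secure attribute: a cookie
set with Secure is attached to https:// requests only. Constructed samples."""

WEAK_HEADER = "sessionid=abc123; Path=/; HttpOnly"            # constructed
STRONG_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly"  # constructed


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sent_over(header: str, scheme: str) -> bool:
    """Would a browser attach this cookie to a request made over `scheme`?"""
    attrs = parse_set_cookie(header)["attrs"]
    if scheme == "http" and "secure" in attrs:
        return False  # Secure cookies are never sent on clear-text HTTP
    return True


def audit(header: str) -> list:
    """Hardening gaps a reviewer would flag on a session cookie."""
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent on http:// pages, so sniffable")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page scripts")
    return problems


def harden(header: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value where they are absent."""
    attrs = parse_set_cookie(header)["attrs"]
    fixed = header.rstrip("; ")
    if "secure" not in attrs:
        fixed += "; Secure"
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    return fixed
```

Note that Secure only stops the browser sending the cookie over HTTP; the site still has to serve its logged-in pages over HTTPS, otherwise those pages simply stop working.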
Firesheep in a few seconds
The first time you use Firesheep it’s scary to see how easy it is to perform such malicious acts.
Downloading and installing it takes just a few seconds. Next, restart Firefox and go to View | Sidebar | Firesheep, where a sidebar will appear. At the bottom of this, select Preferences and tell the program from which network interface you want to collect data.
This, typically, will be your wireless interface. Then just click Start Capturing and wait for people’s data to appear. Whenever someone on the same network connects to a site that Firesheep knows about, an icon will appear, usually giving their name as well as the name of the site. Double-click on that and a new browser window will appear, with you logged in to the same site as that user…
You can try this out on your home network (so long as it isn’t WPA-encrypted), or else wander down to the local coffee shop with your laptop and try it there (although, needless to say, you shouldn’t actually hijack anyone’s session).