Firefox Extension Makes Social-Network ID Spoofing Trivial
Orome1 writes "A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point. 'When it comes to user privacy, SSL is the elephant in the room,' said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can 'sniff out' the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user."
Illegal? (Score:5, Informative)
I don't dispute the author's work or goals (I've been using SSH tunneling on public WiFi for years to prevent just this), but he should have mentioned that clicking on information you gathered (and logging in as another user without their consent) is very likely against federal laws in the US (and likely in most other locations). Just gathering this information can likely be argued to be illegal as well (wiretapping?).
So be careful where you click.
A better explanation (Score:5, Informative)
here: http://codebutler.com/firesheep [codebutler.com]
They apparently call it "sidejacking", i.e. sniffing other users' cookies from a WiFi network and using them. Not new, but made user-friendly.
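What "sniffing other users' cookies and using them" amounts to, as an added example (this is not Firesheep's code and not from the linked post): parse cleartext HTTP requests as a sniffer on the same network segment would see them, pick out the cookies that make up a session for a known site, and assemble the Cookie header that replays it. The captured requests, host names and the per-site session-cookie names are constructed for the example and are assumptions, not taken from Firesheep's real site handlers.

```python
from typing import Dict, List, Tuple

# Constructed sample of cleartext HTTP requests as seen on an open WiFi
# network (not real captures; hosts and cookie values are made up).
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"Cookie: c_user=100012345; xs=abcdef0123456789; locale=en_US\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: static.example-social.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example.org\r\n"
    b"Cookie: sid=9f8e7d6c5b4a; theme=dark\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: mail.example.org\r\n"
    b"Content-Length: 0\r\nCookie: csrf=zzz\r\n\r\n",
]

# Per-site "handlers": which cookie names together identify a session on a
# given host. The names below are assumed for this example.
SESSION_COOKIES: Dict[str, List[str]] = {
    "www.example-social.com": ["c_user", "xs"],
    "mail.example.org": ["sid"],
}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, host, cookies) from one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    host = ""
    cookies: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            # Cookie header is "name=value; name=value; ..."
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                if k:
                    cookies[k] = v
    return method, host, cookies


def find_hijackable_sessions(requests: List[bytes]) -> List[Tuple[str, Dict[str, str]]]:
    """List (host, session cookies) for every distinct session whose full
    set of session cookies crossed the wire unencrypted."""
    found: List[Tuple[str, Dict[str, str]]] = []
    seen = set()
    for raw in requests:
        _, host, cookies = parse_request(raw)
        wanted = SESSION_COOKIES.get(host)
        if not wanted or not all(n in cookies for n in wanted):
            continue  # unknown site, or only non-session cookies (e.g. csrf)
        session = {n: cookies[n] for n in wanted}
        key = (host, tuple(sorted(session.items())))
        if key not in seen:
            seen.add(key)
            found.append((host, session))
    return found


def build_cookie_header(session: Dict[str, str]) -> str:
    """The Cookie header a browser would send to reuse the captured session."""
    return "; ".join(f"{k}={v}" for k, v in session.items())
```

Note what is missing from the picture: no password ever appears in the capture. The static-asset request and the POST carrying only a CSRF cookie are ignored, which is exactly why a site that encrypts only the login form but not the rest of its pages gains nothing here.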
Re:Illegal? (Score:1, Informative)
http://uncyclopedia.wikia.com/wiki/Do_NOT_click_any_links! [wikia.com]
Re:Another point is not "missing the point" (Score:1, Informative)
It also misses the point that Facebook is about *SHARING* data. The idea is you are sharing things with people. If you want to keep things private ... Facebook is not the place to do it.
If I do not want people to know something, it is simple: I do not put it on the internet.
Facebook has created this idea of privacy itself that it will never match. They did it accidentally by putting a login on the front page in the first place. People have an expectation of privacy when you have to log in. Facebook was just using it so you can post as yourself, not as a privacy feature.
Also people have a gut reaction of 'let's just SSL everything'. That is not practical, as SSL breaks caching of many things. By default SSL content is not cached, both in the browser and at many proxy servers (this is a good thing in many cases). But in this case that picture of you wolfing down hotdogs somewhere probably will never change, yet it will not be cached if you pipe it over SSL. Not everyone has DSL or higher. There are people who are stuck on dialup, and it will not get any better any time soon for them.
Re:and this is news ? (Score:1, Informative)
"Not hard". Well, maybe not for your blog with 2 users per week. But at Facebook's load it's not a matter of signing up with DigiCert and enabling SSL.
Facebook's issue isn't buying & installing a certificate, it's that they have so much web traffic that the CPU load of encrypting all that traffic (or buying dedicated encryption acceleration hardware) is significant.
Re:What permissions do you need ? (Score:4, Informative)
What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?
None, no, and most emphatically yes.
Re:and this is news ? (Score:3, Informative)
While I'm inclined to agree that any remotely commercial website should offer and default to encrypted transfers, it also serves you right if you use a service that doesn't encrypt everything. Using a service that doesn't at least offer you the option of encryption is akin to driving a car that you know has defective brakes (ha, car analogy!). If shit goes badly and you knew better, you've no one to blame but yourself. If you didn't know better, it's your own fault for not educating yourself about such basic things and I shall mock you.
Unless you're a cookie baking grandmother willing to bribe me with baked goods. Principles be damned when there are fresh, warm cookies involved.
Re:A better explanation (Score:4, Informative)
here: http://codebutler.com/firesheep [codebutler.com].
Steve Manuel of TechCrunch claims that the Force-TLS 2.0 [mozilla.org] Firefox extension can defeat Firesheep. (You have to configure it manually for each site you want to protect, though, so it's somewhat of a PITA.)
Another option is the HTTPS Everywhere [eff.org] Firefox extension from EFF and the Tor Project. Although HTTPS Everywhere has a predefined ruleset that includes some of the most popular Web sites, you'll still have to write your own ruleset [eff.org] for any site not on their default list.
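How a ruleset of the kind HTTPS Everywhere uses is applied, as an added example (not the extension's own code, which is JavaScript, and not an EFF ruleset): a target host list, exclusion patterns, and from/to regex rules rewrite an http:// URL to its https:// form before the request leaves the browser. The ruleset below follows the XML shape of the extension's rulesets but its host names and patterns are constructed for this example; the wildcard-target handling is simplified to a suffix match.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Pattern, Tuple

# Constructed ruleset in the HTTPS Everywhere XML layout. Hosts are examples.
RULESET_XML = r"""<ruleset name="Example Social">
  <target host="example-social.com" />
  <target host="*.example-social.com" />
  <exclusion pattern="^http://static\.example-social\.com/" />
  <rule from="^http://(www\.)?example-social\.com/" to="https://www.example-social.com/" />
  <rule from="^http://login\.example-social\.com/" to="https://login.example-social.com/" />
</ruleset>"""


class Ruleset:
    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.name = root.get("name", "")
        self.targets: List[str] = [t.get("host", "") for t in root.findall("target")]
        self.exclusions: List[Pattern[str]] = [
            re.compile(e.get("pattern", "")) for e in root.findall("exclusion")
        ]
        self.rules: List[Tuple[Pattern[str], str]] = []
        for r in root.findall("rule"):
            # The ruleset format writes back-references as $1; Python uses \1.
            to = re.sub(r"\$(\d)", r"\\\1", r.get("to", ""))
            self.rules.append((re.compile(r.get("from", "")), to))

    def matches_host(self, host: str) -> bool:
        """Does this ruleset claim the host? ('*.x.com' treated as any subdomain.)"""
        for t in self.targets:
            if t.startswith("*."):
                if host.endswith(t[1:]):
                    return True
            elif host == t:
                return True
        return False

    def rewrite(self, url: str) -> Optional[str]:
        """Return the https URL if a rule applies, else None (leave the request alone)."""
        m = re.match(r"^http://([^/:]+)", url)
        if not m or not self.matches_host(m.group(1).lower()):
            return None
        if any(e.search(url) for e in self.exclusions):
            return None  # e.g. a static host with no working TLS
        for pattern, to in self.rules:
            if pattern.search(url):
                return pattern.sub(to, url, count=1)
        return None


def apply_rulesets(url: str, rulesets: List[Ruleset]) -> str:
    """First matching ruleset wins; otherwise the URL is returned unchanged."""
    for rs in rulesets:
        out = rs.rewrite(url)
        if out is not None:
            return out
    return url
```

The exclusion is the part people forget when writing their own rules: if a host (here the static one) does not actually serve HTTPS, a blanket rewrite breaks the page instead of protecting it, which is why the default rulesets are curated per site.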
Re:How does it work? (Score:4, Informative)
It can capture WiFi traffic since anyone within range of the transmissions can capture it. But if you are not monitoring when the signals go out, you cannot capture them.
Re:No HTTPS encryption (Score:5, Informative)
> Kudos to FaceBook and most other networks for NOT using encryption for anything but the log in [--DrYak]
> I still have to manually change http to https in the URL every time they decide to sign me off. [--cindyann]
Install the HTTPS-Everywhere FF Plugin. It will SSL-encrypt Facebook and a host of other domains. Only draw-back: Chat doesn't work via SSL atm.
https://www.eff.org/https-everywhere [eff.org]
And while you're at it, also install the BetterPrivacy Add-on:
https://addons.mozilla.org/en-US/firefox/addon/6623/ [mozilla.org]
which will get rid of the LSO cookie Facebook sets each time you use it. Best used in conjunction with AskforSanitize.
Re:Why no encryption? (Score:5, Informative)
When Google switched Gmail over to HTTPS all the time for everything, they found it accounted for 1% of CPU load:
http://unblog.pidster.com/imperialviolet-overclocking-ssl?c=1 [pidster.com]
So Facebook probably wouldn't need to do much more than get their software set right.
Re:No HTTPS encryption (Score:4, Informative)
Facebook does submit your information over HTTPS; they just load the page over HTTP by default. Passive sniffing won't work on it. Here, take a look at the following code from http://www.facebook.com/ [facebook.com]:
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
The problem with this approach is, while it saves server resources, an attacker could trivially perform a man-in-the-middle attack on an average person connecting to http://www.facebook.com/ [facebook.com] rewriting the above code to HTTP or running a squid proxy or something, and they would never notice because their browser says "http" like always.
That said, if you're worried about it you could always install HTTPS Everywhere [eff.org] and it will make Facebook always load using SSL.
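The downgrade described in that comment, as an added example (not code from the post or from Facebook): an audit that, for a page fetched over plain HTTP, reports whether each form would submit over TLS, followed by the one-line rewrite an in-path attacker applies to the HTML before it reaches the browser. The page is constructed for the example around a form line of the shape quoted above; host names and form ids are assumptions.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed login page as served over http://. The first form follows the
# pattern quoted in the post above; hosts and ids are made up.
LOGIN_PAGE_HTTP = """<html><body>
<form method="POST" action="https://login.example-social.com/login.php?login_attempt=1" id="login_form">
  <input type="text" name="email"><input type="password" name="pass">
</form>
<form method="GET" action="/search" id="search_form"><input name="q"></form>
</body></html>"""


class FormCollector(HTMLParser):
    """Collect (id, method, action) for every <form> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("id") or "", (a.get("method") or "GET").upper(),
                               a.get("action") or ""))


def audit_forms(html: str, page_url: str) -> Dict[str, bool]:
    """Map form id -> True if a submission would travel over https.
    A relative action inherits the scheme the page itself was loaded with."""
    p = FormCollector()
    p.feed(html)
    page_scheme = page_url.split("://", 1)[0].lower()
    report: Dict[str, bool] = {}
    for fid, _method, action in p.forms:
        scheme = action.split("://", 1)[0].lower() if "://" in action else page_scheme
        report[fid] = scheme == "https"
    return report


def strip_https_actions(html: str) -> str:
    """What an attacker between the user and the site does to a page that was
    fetched over HTTP: rewrite every https:// form action to http://, so the
    credentials are POSTed in the clear. The address bar still shows http,
    exactly as it did before."""
    return re.sub(r'(action=["\'])https://', r'\1http://', html, flags=re.IGNORECASE)
```

The audit passes on the page as the site serves it and fails on the rewritten copy, and nothing visible to the user distinguishes the two. The only thing that removes the attacker's opportunity is never loading the page over HTTP in the first place, which is what the HTTPS Everywhere suggestion above achieves on the client side.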
Use md5 (or something) over the wire (Score:3, Informative)
Leaving aside md5 cracks (use another algo if you want):
md5 the password with Javascript on the client end before sending it. Then un-md5 it with PHP on the server.
Plenty of security-conscious CMS's have been doing this before Mark Z even thought of an electronic facebook.
Re:and this is news ? (Score:5, Informative)
Follow the link you attached. Log into Facebook. Click the Facebook icon on that page to return to your home page, or click on a link to a fan page you have, or click on a link to a friend's page. You just went from SSL to HTTP. They make it hard to STAY on SSL, even if you go through the work of going there manually.
Re:What permissions do you need ? (Score:4, Informative)
What permissions do you need for this? Do you have to be the owner of the network in order to sniff things out in this manner? Or is it possible for me to steal accounts off a public network?
You need to be administrator to place your network card into promiscuous mode [wikipedia.org] or rfmon for wireless.
So in a public wifi network you're screwed. In a public ethernet network it depends if it's a switched or hubbed network. But even in a switched network you could be vulnerable to this via ARP poisoning.
The takeaway is what we've known for decades, if you want private communications use encryption.
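On the switched-network case mentioned above, as an added example (not from the post): ARP poisoning works by answering "who has the gateway's IP?" with the attacker's MAC, so the simplest detection is to watch ARP replies on the segment and flag an IP whose MAC changes, or one MAC that claims several IPs. The replies below are constructed for the example; addresses are made up.

```python
from typing import Dict, List, Set, Tuple

# Constructed ARP replies (sender IP, sender MAC) in the order a sniffer on
# the segment would see them. Addresses are invented for the example.
ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway announces itself
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # a second MAC claims the gateway IP
    ("192.168.1.1", "de:ad:be:ef:00:01"),
    ("192.168.1.30", "de:ad:be:ef:00:01"),  # same MAC now claims a host too
]


def detect_arp_spoofing(replies: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable alerts for two classic poisoning signatures:
    an IP whose MAC changes mid-capture, and one MAC answering for several IPs."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts
```

A legitimate DHCP reassignment or a replaced router also trips the first rule, so in practice the alert is a prompt to check, not proof. On a hub or on open WiFi none of this is needed by the attacker: every frame is already visible, which is the point of the comment above.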
Re:Use md5 (or something) over the wire (Score:5, Informative)
Hash = 1-way crypto
The only way to "un-md5" anything is to crack it. Also, I'm not sure you actually put any real thought into this.
Since it's best practice to store only password hashes (and not the passwords themselves) in your database (or whatever), your process is apparently:
Re:Use md5 (or something) over the wire (Score:2, Informative)
You are missing the point.
The problem is not reading the password as plaintext from the cookie (now that would be monumentally stupid design) but that since the cookie equals valid session authentication copying the cookie equals session hijacking (or sidejacking since the original cookie is still there on the original users machine).
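The "md5 the password in JavaScript" proposal and the two replies to it, as one added example (a model written for this page, not code from any of the posters): a toy server that receives md5(password), cannot reverse it, and therefore stores a hash of what it receives. Running it shows three things at once: the hash is one-way (what the server holds is not the password), the sniffed client-side hash is itself a replayable credential, and a copied session cookie logs the attacker in with no password material at all. The last function is the check that actually matters for sidejacking: whether a session cookie is marked Secure, so a browser will not send it over plain http://. Usernames, passwords and cookie formats are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class ToyServer:
    """The scheme as proposed: browser sends md5(password); the server cannot
    'un-md5' it, so it stores md5(md5(password)) and compares. Sessions are a
    random cookie value. Unsalted on purpose, to mirror the proposal."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}     # username -> md5(client_hash)
        self.sessions: Dict[str, str] = {}  # cookie value -> username

    def register(self, user: str, password: str) -> None:
        client_hash = md5hex(password)      # done by JavaScript in the browser
        self.users[user] = md5hex(client_hash)

    def login(self, user: str, client_hash: str) -> Optional[str]:
        """Takes what crosses the wire; returns a session cookie or None."""
        if self.users.get(user) != md5hex(client_hash):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        return self.sessions.get(cookie)


def demo() -> Dict[str, bool]:
    server = ToyServer()
    server.register("alice", "correct horse")
    on_the_wire = md5hex("correct horse")       # what a sniffer sees at login
    cookie = server.login("alice", on_the_wire)
    assert cookie is not None
    # 1. The sniffed hash is a valid credential: replaying it logs in, and the
    #    attacker never needed the password the hash was meant to protect.
    replayed = server.login("alice", on_the_wire)
    # 2. The sniffed cookie *is* the session: no hash, no password required.
    stolen_cookie = cookie
    return {
        "hash_is_not_password": on_the_wire != "correct horse",
        "replay_of_hash_logs_in": replayed is not None,
        "cookie_copy_is_session": server.whoami(stolen_cookie) == "alice",
    }


def cookie_sent_over_http(set_cookie_header: str) -> bool:
    """True if a browser would attach this cookie to a plain http:// request,
    i.e. the Set-Cookie line lacks the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs
```

Hashing on the client changes which string the attacker captures, not whether capturing it is enough. Encrypting only the login exchange fixes the first replay; only serving every authenticated page over TLS and marking the session cookie Secure closes the second.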
Re:No HTTPS encryption (Score:3, Informative)
http://m.facebook.com/ [facebook.com] ...not saying the mobile browsers can't have the security, just that "hope" isn't required to render Facebook without js.
And apparently such access is quite popular - there were some news from FB itself about explosive growth; also according to stats of Opera Mini [opera.com] (the #1 mobile web browser worldwide by site hits, despite many of its users being evidently rather frugal with numbers of sites visited / data transferred), Facebook is quite often near the top of popularity.
Re:Promiscuous mode on any adapter? (Score:1, Informative)
It's pretty well documented which cards support promiscuous mode these days. You are correct that most drivers don't support it, however. I have an ALFA
http://www.aircrack-ng.org/doku.php?id=faq&DokuWiki=8a7d493ef4d8a6ce9779a7c8b2f0259a#what_is_the_best_wireless_card_to_buy