Bringing in the Sheep: the FireSheep firestorm

Michael Torrie torriem at gmail.com
Thu Nov 4 14:04:03 MDT 2010


On 11/04/2010 01:24 PM, Lonnie Olson wrote:
> Firesheep doesn't hijack credentials.  Only the session.  It exploits
> a common hole in most websites that use SSL for login, but go in the
> clear for everything else.
> 
> Firesheep makes it super trivial to find a session running in the
> clear, grab their session cookie(s), and give you full access to their
> account for the duration of the session.

So this is basically an old-style attack, such as was common before the
days of internet switches.  This is made even easier by the fact that
most wirelss routers are not only shared broadcast medium (like a hub)
but also natted through a common IP address, making firesheep's use of
the session indistinguishable from the victim's.  And of course you have
to use a non-encrypted wireless connection, as WPA connections don't
allow clients to see eachother's traffic.

I suppose some of this could be mitigated by smarter session-cookie
checking on the servers.  There are things in http requests that can be
somewhat uniquely identifying.  If the cookie doesn't contain a matching
hash of a hash of the unique request things then the request could be
denied.  And of course SSL-only sessions works too, which is what google
has moved to, now that their relative cost of computing power has dropped.


More information about the PLUG mailing list