FireSheep: Grey Hat Security?

A scary new Firefox extension known as Firesheep came onto the scene recently. For years it has been possible for nefarious users to “sniff” unencrypted network packets for session cookies, allowing them, with a bit of work, to hijack your session with a website. This would give them full access to, say, your email or Facebook account until you log out and destroy the session. This is probably the biggest security risk on a public WiFi hotspot, though it was fairly unlikely that you would happen to be on the same network as a nefarious user with the technical chops to pull it off. Until now.

Firesheep is a proof of concept that attempts to demonstrate just how big of a problem popular websites’ lack of HTTPS support is…by making “sidejacking” point-and-click simple. Anyone can install the extension, press a button to automatically scan for active sessions of popular websites being transmitted over the network, and then click on an entry to log in to the user’s account on the website.

What started out as a fairly innocent project to demonstrate to websites like Facebook that they should be implementing SSL encryption has become a major security risk. Firesheep has sort of…gone viral. A frightening number of people have downloaded the extension.

While developer Eric Butler’s intentions may have been honorable, his extension has had one very negative effect: it has made sidejacking much, much more prevalent. A year ago, I could be fairly sure that nobody on the local McDonalds’ WiFi hotspot would be trying to hijack my Twitter session. After all, I live in a fairly rural state with a low density of exceptionally computer-literate people. Now, some kid could be playing around with Firesheep.

This reminds me of the “grey hat” security researchers. They usually don’t have malicious intentions, but their methods can sometimes cause more harm than good. That seems to be Firesheep in a nutshell. Butler’s follow-up blog posts even read like those of a grey hat hacker.

I think Firesheep is the worst kind of way to promote security. It has done far more harm than good. Sidejacking was a fringe thing that you didn’t really have to worry about, except for higher-risk things like banking or checking your email. Now anyone can install a GUI tool and do it without even knowing how it works. This is going beyond enabling script kiddies. It puts cracker tools in the hands of the masses, therefore making sidejacking an actual risk.
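The defect Firesheep exploits is on the server side: a session cookie issued without the `Secure` attribute is sent on every plain-HTTP request, where anyone on the same network can read it. The following is an added example, not code from the post or from the Firesheep project: a small audit of `Set-Cookie` headers for that defect, a helper that emits a hardened replacement, and a WSGI wrapper that forces HTTPS and adds an HSTS header. The sample headers, cookie names and hint list are constructed for illustration.

```python
"""Added example (not part of the original post): audit Set-Cookie headers
for the weakness sidejacking relies on, and show the server-side fixes."""

# Constructed sample: headers a site without HTTPS support might send.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                          # weak
    "theme=dark; Path=/",                                          # harmless
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
]

# Heuristic (an assumption of this example): cookie names containing these
# substrings are treated as session-bearing and therefore worth protecting.
SESSION_HINTS = ("sess", "auth", "token", "sid", "login")

# One year, covering subdomains, as commonly recommended for HSTS.
HSTS = "max-age=31536000; includeSubDomains"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header):
    """Return a list of findings for one header; empty means no concern."""
    name, _, attrs = parse_set_cookie(header)
    if not looks_like_session_cookie(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # leaks over plain HTTP: sidejackable
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable by injected script
    if "samesite" not in attrs:
        findings.append("missing SameSite")    # sent on cross-site requests
    return findings


def audit_response(set_cookie_headers):
    """Map each problematic session cookie name to its findings."""
    report = {}
    for header in set_cookie_headers:
        findings = audit_set_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report


def harden_set_cookie(name, value, path="/"):
    """Build the Set-Cookie header a session cookie should have."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Lax"


def force_https(app):
    """WSGI middleware: redirect plain HTTP to HTTPS and add HSTS on HTTPS."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST", "localhost")
            location = "https://" + host + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS)]
            return start_response(status, headers, exc_info)

        return app(environ, with_hsts)
    return wrapped


def run_wsgi(app, environ):
    """Tiny driver so the middleware can be exercised without a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(findings)}")
    print(harden_set_cookie("sessionid", "abc123"))
```

Run the audit against your own site's responses (for example, from a `curl -i` capture): any session cookie reported as "missing Secure" is exactly what a passive sniffer on shared WiFi can collect. The middleware shows the other half of the fix the post asks for: refuse to serve sessions over plain HTTP at all, and tell returning browsers (via HSTS) never to try.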

  • Mike

    And as a direct result of it becoming easier, websites will in time start to force SSL connections, solving the problem, won’t they?

    • Matt

      Except for smaller websites. Startup companies operating out of a garage don’t need another thing to pay for. Bloggers, like me, can’t afford to pay $230/year for an SSL certificate to protect our admin panels. Et cetera.

      It wouldn’t be as big of a deal if you didn’t have to pay a third-party for a certificate. But you do, and it’s not cheap.

  • Mike

    RapidSSL starts at $79, so there are cheaper options, and I really don’t think $230 is too much for a startup to risk if they have faith in what they’re doing.

    If you needed to admin your blog, you could use your host’s certificate and add an exception for the name not matching?

    There’s no excuse for companies who are expected to be trusted not to provide adequate security for the protection of users’ sensitive data.

    • Matt

      That doesn’t change the fact that sidejacking wasn’t something that happened to most people. Because it required technical skills and motivation. Building software that puts it in the hands of kids who think it’s “funny” is irresponsible and unnecessary.

      I live in an area that isn’t exactly known for its average citizens’ computer skills, which meant that I would never have had to worry about this sort of thing, aside from not logging on to important things on more dubious access points. Now I’ll have to watch what I do at the local library or McDonalds.

      I’m not saying SSL isn’t a good idea for larger sites. (Especially high-risk sites like banks or PayPal, which I wouldn’t use if they didn’t have HTTPS…) It just shouldn’t be necessary for everything. There’s not much reason for somebody to hijack a Twitter account, except “for the hell of it.” That wouldn’t have happened before Firesheep.

    • Matt

      Oh, and thanks for the Rapid SSL tip. I’ll have to remember them.

  • Mike

    I don’t agree with your assertion that SSL shouldn’t be necessary for everything. If somebody performing a MITM can insert scripting on any page of any website, that gives them a platform to initiate CSRF and XSS attacks against other sites. Even sites which might themselves be protected by SSL.

    If the web were 100% encrypted, it would be safer to use, your privacy would be more secure from attackers, nosey network admins, ISPs and governments. It would also help with network neutrality.

    • Matt

      In a perfect world, yes. But you wouldn’t need to pay for SSL certificates, then. I agree that it’s better to have SSL, but it’s not necessarily feasible for every site at this point.