Thursday, October 28, 2010

Firesheep Makes Sidejacking Easy


The Firesheep Firefox extension is the perfect demonstration of how unsecured connections on open Wi-Fi networks can be sidejacked. The term dates back to 2007, coined by Robert Graham, who pulled together a variety of known and new vulnerabilities and packaged them into an automated session snatcher. Sidejacking describes the extraction of a session cookie from another user on the same network to hijack the live session that user has established with a Web site, such as Facebook or Twitter.

While a login to a site may be conducted via a secure session, many sites then drop you back into an unprotected connection in which a token stored as a browser cookie ensures the continuity of your actions from page to page. That token is vulnerable.
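The weakness described above comes down to one cookie attribute. A session token set without the `Secure` flag is transmitted by the browser on every plain-HTTP request to the site, which is exactly what a listener on an open Wi-Fi network can read. The following is an added example (not code from the article or from the Firesheep project) that models that browser rule and audits a `Set-Cookie` header for the attributes a site should set on its session cookie. The two header strings and the cookie name `sessionid` are constructed for the example.

```python
# Models the browser rule behind sidejacking: a cookie lacking the Secure
# attribute is sent over plain HTTP, so it is exposed on an open network.
# Also audits a Set-Cookie header for the attributes a session cookie
# should carry. Sample headers below are constructed for this example.

# Constructed sample: session cookie as a site might set it after a
# secure login, then drop the user back to plain HTTP (no Secure flag).
WEAK_HEADER = "sessionid=abc123; Path=/; HttpOnly"

# Constructed sample: the same cookie restricted to HTTPS and cross-site use.
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into name, value and attributes.

    Attributes are keyed by lower-case name. Flag attributes such as
    Secure and HttpOnly (which take no value) are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_would_send(cookie: dict, scheme: str) -> bool:
    """Return True if a browser would attach this cookie to a request
    made over the given URL scheme ('http' or 'https').

    Per the cookie specification, a cookie marked Secure is only sent
    over HTTPS; any other cookie is sent over both schemes, which is
    what exposes the session token on an unprotected connection.
    """
    if scheme == "https":
        return True
    return cookie["attrs"].get("secure") is not True


def audit_set_cookie(header: str) -> list:
    """List the protective attributes missing from a Set-Cookie header.

    Findings are returned in a fixed order so results are comparable.
    An empty list means Secure, HttpOnly and SameSite are all present.
    """
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append("missing Secure")       # sent over plain HTTP
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")     # readable by page scripts
    if "samesite" not in attrs:
        findings.append("missing SameSite")     # sent on cross-site requests
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        cookie = parse_set_cookie(header)
        print(f"{label}: sent over http={browser_would_send(cookie, 'http')}, "
              f"findings={audit_set_cookie(header)}")
```

Run against the weak header the audit reports the missing `Secure` and `SameSite` attributes and the model shows the cookie going out over plain HTTP; the hardened header yields no findings and the cookie is withheld from HTTP requests. A site-wide fix is to serve the whole session over HTTPS and set `Secure` on the token, so that there is no unprotected page for the cookie to ride along on.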

Firesheep turns sidejacking into a click-and-install demonstration with 26 built-in site profiles to snarf. I explain Firesheep, sidejacking, and how to defend against it—using notions of security I've written about on this site for years—in an article at BoingBoing.
