Wifi Sidejacking: Are You Vulnerable?
A Firefox add-on named Firesheep ignited a firestorm of controversy when it was released in October 2010. Firesheep demonstrated a hacking technique known as sidejacking, or wifi session hijacking. Sidejacking is not a form of malware, so your anti-virus software can't protect you. But if you're aware of the problem, and you know what extra steps you should take when using wifi, you needn't worry. Read on and learn how to protect yourself from sidejacking when using a wifi connection... |
What is Sidejacking?
Firesheep demonstrates how easy it is to "sidejack" a fellow Web surfer's identity over an unsecured WiFi network. Sidejacking is slang for "session hijacking," a technique that lets one user literally steal the current Web session of another. That means, for example, that you could be surfing your Facebook page when, suddenly, someone else is changing your status, posting messages on your friends' pages, and simply impersonating you right under your nose! The same goes for Twitter, other social media sites, and even web-based email.
Your password has not been stolen; passwords are encrypted when you enter them on login pages. But nothing else is encrypted on most Web sites, and that's why sidejacking is so easy. After your password is authenticated, a Web site sends a cookie or session key to your browser that keeps you logged in for the current session - that is, until you log off. That session key is not encrypted, in most cases, and by "borrowing" it, another user can "be you" for that session. This is sidejacking.
Firesheep snoops on unencrypted WiFi sessions, eavesdropping on others connected to the same wifi access point. It can enable you to sidejack someone's session. One Starbuck's patron (just for laughs) noted what another patron just bought on Amazon.com and posted a message about it to the victim's Facebook page. It's that easy, and that scary.
I should note that if you're using a wifi connection that's secured with WPA2 encryption and a password, this is pretty much a moot point. The WPA2 protocol scrambles ALL the data on your wireless connection, making it practically impossible for snoopers to interfere. Also, the snooper is cut off as soon as you log out of your session.
Who Is to Blame For Sidejacking?
Don't blame the people that created Firesheep. They didn't make it possible, they just made it easier. And there are other wifi hacking tools that have been around for years. The truth is that website operators have long known how to protect all users from sidejacking. But this new attention focused on sidejacking may just may embarrass them into protecting their customers as they should have done long ago.
The solution is to encrypt all of every Web session, not just its log-in process. The means to encrypt a session is built into all modern browsers and web servers. It's called the Secure Sockets Layer (SSL) protocol. It's easy to tell if you are protected by SSL -- in the address bar of your browser, you will see "HTTPS" (instead of just "HTTP") when the connection is secured with SSL.
Most ecommerce sites, including banks and Paypal, enable SSL for all sessions. But that leaves a lot of reputational damage that can be done on social media sites and via email. Go check your webmail now and see if SSL is enabled. It isn't? Then every time you check webmail from a WiFi hot spot, you run a real risk that the guy sitting next to you can also read it - and possibly send mail in your name.
GMail was the first major email provider to enable SSL on all users' sessions. Google software engineer Adam Langsley noted that Google needed no additional hardware or software, and that SSL encryption adds less than one per cent to Google's computational load. So it really isn't costly to implement SSL.
Hotmail got the memo and added a feature to enable secure HTTPS sessions. But it's not easy to find. I poked around in the Profile > Privacy settings and couldn't find it on my account. But you can go to https://account.live.com/ManageSSL and enable this feature after logging in to Hotmail. Yahoo is still exposed, as far as I can tell. You can login securely, but the connection reverts to unsecured as soon as you're in. So is Facebook, unless you change this obscure Secure Browsing setting in your Facebook account.
Protection From Sidejacking - What YOU Can Do
So far we've dealt with the responsibility that website operators have in offering secure services. Here's what you can do on your end to protect against sidejacking:
First, verify that your WiFi connection is encrypted with WPA2 or stronger encryption. If the wifi router belongs to you, see Securing Your Router for help on that. If you're using a public wifi connection, you may not have much choice. But you can always ask the library or coffee shop owner to secure their router with WPA2 and a password, so their patrons can surf safely.
Avoid logging into non-secured sites from public WiFi networks. If the login page's URL (web address) does not begin with HTTPS, and there's no option to login with a secured page, your password is at risk of being compromised. Also, pay attention to the URL after you login. If it flips back to HTTP, your session may be exposed.
If you MUST login to a non-secured site on a wifi connection, use a VPN (virtual private network), which creates a secure "tunnel" back to your home or office computer. That's really not as geeky as it sounds. See my companion articles Virtual Private Networks and Free Alternatives to GoToMyPC for help with using a VPN.
One other note: Technically, this is not just a wifi issue. Sidejacking can happen on ANY local network, wireless or wired. This could include the office, hotel rooms and other places where you plug in an Ethernet cable to get online. Bottom line, if a website requires a password, or you might be sharing personal info, make sure you have a secure HTTPS connection.
There are some Firefox addons that will try to force websites to always serve pages with HTTPS encryption. HTTPS Everywhere is one example, but these tools have limitations, so read the fine print before you use them.
Do you have something to say about sidejacking or wifi security? Post your comment or question below...
|
|
This article was posted by Bob Rankin on 5 Apr 2012
For Fun: Buy Bob a Snickers. |
Prev Article: A Closer Look At Cookies |
The Top Twenty |
Next Article: The Missing Link in Computer Security |
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Wifi Sidejacking: Are You Vulnerable? (Posted: 5 Apr 2012)
Source: https://askbobrankin.com/wifi_sidejacking_are_you_vulnerable.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Wifi Sidejacking: Are You Vulnerable?"
Posted by:
Richard Robertson
05 Apr 2012
Unfortunately, the EFF and other organizations promote open hot spots (and with good reason). The "need a password" scenario becomes a major FAIL in this instance. The better solution is still SSL, but the inertia over its adoption has been hindering this. Thanks for bringing the subject up though. This really is a difficult issue at the moment and constructive solutions are still hard to come by.
Posted by:
Chirodoc
05 Apr 2012
Eye-opening piece. Thanks, Bob. Does this affect vulnerability smartphones and tablets or just laptop computers?
EDITOR'S NOTE: The situation would be the same for smartphones, tablets, and any device that uses an unsecured wireless connection. If you're using a cellular (3G or 4G) connection, you needn't worry because that's not wifi.
Posted by:
Dwight
05 Apr 2012
http://askbobrankin.com -- How come your site is not Secure?
EDITOR'S NOTE: Because there's no need for it. You don't need to login, and there's nothing private on the site.
Posted by:
Cobey Kaufman
05 Apr 2012
Bob,
This article did not surprise me but did make me reflect on something that has given me pause for concern. As you can see by my email address who my service provider is. I have noticed that using their website and selecting Sign-in does NOT initiate an HTTPS link. It merely opens a dialog box on the existing site. I found a link to force the log-on to an HTTPS page. However, after the login the site opens to an HTTP page and accessing my on-line email page is also on an HTTP site. I have not yet contacted my provider to question this but plan to do so. I conduct no personal activity when accessing these locations but still am concerned.
EDITOR'S NOTE: You should be! Verizon should be on the leading edge of security, not leaving you exposed.
Posted by:
Abid Mujtaba
06 Apr 2012
In the sentence "It's easy to tell if you are protected by SSL -- in the address bar of your browser, you will see 'HTTPS' instead of just 'HTTP' when the connection is secured with SSL."
of your article, surely there is the word 'not' missing before the word 'secured'.
EDITOR'S NOTE: No words missing. If you see HTTPS, it is secure.
Posted by:
giovanni
06 Apr 2012
thanks bob.
Posted by:
Richard Robertson
10 Apr 2012
Some browsers do not display the "HTTP/HTTPS" or any other transport protocol in the address bar. Chrome is one of these. They use a picture to indicate the nature of the connection. There have been some complaints about this as it expects the user to know what the symbols mean.
EDITOR'S NOTE: I use Chrome, and the HTTPS (with padlock icon) does show when the connection is secure. Otherwise, it's just a little globe icon.
Posted by:
gunther
08 Aug 2012
for the sake of completeness : check AyCarrumba (http://www.megapanzer.com). does ARP MITM, DNS poisoning, SSL stripping, intercepting authentication data.
Posted by:
sara
20 Jan 2013
it is fact that Sidejacking is dangerous for computer