Wifi Sidejacking: Are You Vulnerable?
A Firefox add-on named Firesheep ignited a firestorm of controversy when it was released in October 2010. Firesheep demonstrated a hacking technique known as sidejacking, or wifi session hijacking. Sidejacking is not a form of malware, so your anti-virus software can't protect you. But if you're aware of the problem, and you know what extra steps you should take when using wifi, you needn't worry. Read on and learn how to protect yourself from sidejacking when using a wifi connection...
What is Sidejacking?
Firesheep demonstrates how easy it is to "sidejack" a fellow Web surfer's identity over an unsecured WiFi network. Sidejacking is slang for "session hijacking," a technique that lets one user literally steal the current Web session of another. That means, for example, that you could be surfing your Facebook page when, suddenly, someone else is changing your status, posting messages on your friends' pages, and simply impersonating you right under your nose! The same goes for Twitter, other social media sites, and even web-based email.
Your password has not been stolen; passwords are encrypted when you enter them on login pages. But nothing else is encrypted on most Web sites, and that's why sidejacking is so easy. After your password is authenticated, a Web site sends a cookie or session key to your browser that keeps you logged in for the current session - that is, until you log off. That session key is not encrypted, in most cases, and by "borrowing" it, another user can "be you" for that session. This is sidejacking.
Firesheep snoops on unencrypted WiFi sessions, eavesdropping on others connected to the same wifi access point. It can enable you to sidejack someone's session. One Starbuck's patron (just for laughs) noted what another patron just bought on Amazon.com and posted a message about it to the victim's Facebook page. It's that easy, and that scary.
I should note that if you're using a wifi connection that's secured with WPA2 encryption and a password, this is pretty much a moot point. The WPA2 protocol scrambles ALL the data on your wireless connection, making it practically impossible for snoopers to interfere. Also, the snooper is cut off as soon as you log out of your session.
Who Is to Blame For Sidejacking?
Don't blame the people that created Firesheep. They didn't make it possible, they just made it easier. And there are other wifi hacking tools that have been around for years. The truth is that website operators have long known how to protect all users from sidejacking. But this new attention focused on sidejacking may just may embarrass them into protecting their customers as they should have done long ago.
The solution is to encrypt all of every Web session, not just its log-in process. The means to encrypt a session is built into all modern browsers and web servers. It's called the Secure Sockets Layer (SSL) protocol. It's easy to tell if you are protected by SSL -- in the address bar of your browser, you will see "HTTPS" (instead of just "HTTP") when the connection is secured with SSL.
Most ecommerce sites, including banks and Paypal, enable SSL for all sessions. But that leaves a lot of reputational damage that can be done on social media sites and via email. Go check your webmail now and see if SSL is enabled. It isn't? Then every time you check webmail from a WiFi hot spot, you run a real risk that the guy sitting next to you can also read it - and possibly send mail in your name.
GMail was the first major email provider to enable SSL on all users' sessions. Google software engineer Adam Langsley noted that Google needed no additional hardware or software, and that SSL encryption adds less than one per cent to Google's computational load. So it really isn't costly to implement SSL.
Hotmail got the memo and added a feature to enable secure HTTPS sessions. But it's not easy to find. I poked around in the Profile > Privacy settings and couldn't find it on my account. But you can go to https://account.live.com/ManageSSL and enable this feature after logging in to Hotmail. Yahoo is still exposed, as far as I can tell. You can login securely, but the connection reverts to unsecured as soon as you're in. So is Facebook, unless you change this obscure Secure Browsing setting in your Facebook account.
Protection From Sidejacking - What YOU Can Do
So far we've dealt with the responsibility that website operators have in offering secure services. Here's what you can do on your end to protect against sidejacking:
First, verify that your WiFi connection is encrypted with WPA2 or stronger encryption. If the wifi router belongs to you, see Securing Your Router for help on that. If you're using a public wifi connection, you may not have much choice. But you can always ask the library or coffee shop owner to secure their router with WPA2 and a password, so their patrons can surf safely.
Avoid logging into non-secured sites from public WiFi networks. If the login page's URL (web address) does not begin with HTTPS, and there's no option to login with a secured page, your password is at risk of being compromised. Also, pay attention to the URL after you login. If it flips back to HTTP, your session may be exposed.
If you MUST login to a non-secured site on a wifi connection, use a VPN (virtual private network), which creates a secure "tunnel" back to your home or office computer. That's really not as geeky as it sounds. See my companion articles Virtual Private Networks and Free Alternatives to GoToMyPC for help with using a VPN.
One other note: Technically, this is not just a wifi issue. Sidejacking can happen on ANY local network, wireless or wired. This could include the office, hotel rooms and other places where you plug in an Ethernet cable to get online. Bottom line, if a website requires a password, or you might be sharing personal info, make sure you have a secure HTTPS connection.
There are some Firefox addons that will try to force websites to always serve pages with HTTPS encryption. HTTPS Everywhere is one example, but these tools have limitations, so read the fine print before you use them.
Do you have something to say about sidejacking or wifi security? Post your comment or question below...
Posted by Bob Rankin on 5 Apr 2012
For Fun: Buy Bob a Snickers.
Need More Help? Try the AskBobRankin Updates Newsletter. It's Free!
Geekly Update - 04 April 2012
The Top Twenty
The Missing Link in Computer Security
Link to this article from your site or blog. Just copy and paste from this box:
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Wifi Sidejacking: Are You Vulnerable? (Posted: 5 Apr 2012)
Copyright © 2005 - Bob Rankin - All Rights Reserved