You Can Google anything here !!!

Monday, November 8, 2010

Blacksheep for Firesheep :)


New Firefox Add-On Detects Firesheep, Protects You on Open Networks!





If you’re concerned about using open Wi-Fi networks because of Firesheep, the highly popular new hacking tool, you should check out BlackSheep, a Firefox add-on that makes surfing on open networks safe once again.


Firesheep came onto the scene not too long ago. It’s a bit of code that allows just about anyone to access your web accounts via session hijacking. Basically, anyone browsing on a non-password-protected Internet connection, such as a Starbucks network or even an airplane, has been at risk for having their accounts accessed by a total stranger.
One way around this issue is using a VPN every time you log on via an open network. But let’s face it: For the average Internet user, this kind of work-around is a hassle, and most people care more about convenience than security.
For that reason, we’re particularly happy to see that cloud security firm Zscaler has released a simple Firefox add-on that will warn you if someone on your network is using Firesheep. That way, you can feel safe to browse the web on any network and only take extra precautions when they’re needed.
Here’s how BlackSheep works: Firesheep’s packet sniffing can’t be detected, but what can be detected is Firesheep’s requests to websites like Facebook using your cookies. BlackSheep detects this type of activity by making requests with fake values to random sites known to Firesheep every five minutes (you can adjust the timing).
If anyone else on the network starts using those same fake values to make requests, then BlackSheep knows someone on the network is using Firesheep, and you get a warning in your current browser tab.
BlackSheep was based on Firesheep’s code to ensure its effectiveness. In short, for every hack, there is an equal and opposite counter-hack.
Firesheep accesses your Facebook, Foursquare, Twitter and other logins through cookies. BlackSheep subverts this by tricking Firesheep with a fake login cookie and alerting the user when Firesheep is detected, displaying the IP address of the person using it (see below), and warning the user to log off.
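The decoy-cookie check described above, sketched as an added example (this is not BlackSheep's code): a random session value is sent once, and any later request carrying the same value from a different address raises an alert. The function names, the `session` cookie, the host `site.example`, the 192.0.2.x addresses and the shape of the observed-request objects are all assumptions; how the traffic is observed is outside the sketch.

```javascript
const crypto = require('crypto');

// A decoy is a random session value that belongs to no real account.
function makeDecoy(site, cookieName) {
  return { site, cookieName, value: crypto.randomBytes(16).toString('hex') };
}

// Parse a Cookie request header into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Flag every observed request that presents a decoy value from an address
// other than our own: only a host that captured the decoy could know it.
function findReplays(decoys, observed, ownIp) {
  const alerts = [];
  for (const req of observed) {
    if (req.srcIp === ownIp) continue; // our own decoy request
    const jar = parseCookieHeader(req.cookie);
    for (const d of decoys) {
      if (req.host === d.site && jar.get(d.cookieName) === d.value) {
        alerts.push({ srcIp: req.srcIp, site: d.site });
      }
    }
  }
  return alerts;
}

// Constructed sample traffic (documentation addresses, placeholder host).
function demo() {
  const ownIp = '192.0.2.10';
  const decoy = makeDecoy('site.example', 'session');
  const observed = [
    { srcIp: ownIp, host: 'site.example', cookie: `lang=en; session=${decoy.value}` },
    { srcIp: '192.0.2.44', host: 'site.example', cookie: 'session=0123abcd' },
    { srcIp: '192.0.2.77', host: 'site.example', cookie: `session=${decoy.value}; lang=en` },
  ];
  return findReplays([decoy], observed, ownIp);
}
```

Only the third constructed request is flagged: the first comes from our own address and the second carries an unrelated session value.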



You can get BlackSheep for Firefox free from Zscaler.

What is Firesheep?


When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

Source
