The Internet is full of what Bruce Schneier, a prominent security expert, calls “security theater,” a showy demonstration of security where little or no actual security exists, meant to inspire false confidence in users. Websites such as Facebook that only protect the login step with SSL (the “lock” in your browser) are security theater. An attacker can steal access to your Facebook account immediately after login, as soon as you begin to browse the website.

This is not a new security hole: it has been around since the beginning of the web. Most websites do not protect against it because doing so is expensive and attacks were previously not frequent enough to warrant mitigation. I believe that’s because of the relative scarcity of attackers capable of hijacking a session. That scarcity ended last week, when Eric Butler released a tool called Firesheep. Suddenly, anyone running Mozilla Firefox with one plugin installed can execute a successful hijacking attack.

This is a good thing, and I will explain why. To get there, we’ll need a model for understanding the communication between your web browser and a website: conversations in a room.

Conversations in a Room

Your computer and websites like Facebook have conversations when you browse web pages. The browser makes a request for information and the website replies with a response. Imagine your network (at home, work, or a coffee shop) as a room with people in it instead of computers, and these people are having conversations which you can hear if you’re so inclined. Imagine also that the websites these people are talking to, Facebook, Twitter, and so forth, are in the room as well.

A normal web request and response, without SSL, is like a normal conversation: anyone in the room can eavesdrop easily. Using SSL is different; it creates a private communications channel using encryption. In our room analogy, it’s like walking over to someone and whispering in their ear, then receiving a reply whispered back. Others in the room can see that you walked over to Facebook, but they cannot hear what either of you says.

Example: Hijacking a Facebook Account

Now, let’s examine the conversation when I log into Facebook using our model.

Viewing the Login Page

Me: Pssst… Facebook, I’d like to log in.
Facebook: Sure; I’ll need your e-mail address and password. Here’s the login page.

Facebook and I are whispering to each other here, in a private conversation secured by SSL. So far, so good: no one can eavesdrop.

Facebook login with SSL lock symbol

We’ve been taught as users to look for the lock icon. Don’t get me wrong, the lock is a good thing: it means that the web page was requested and delivered over a secure connection, protected from eavesdropping, using a technology called SSL, and that your browser checked Facebook’s certificate, so you are whispering to the real Facebook rather than an impostor. Facebook’s login page is protected with SSL, as shown above (note the little green lock in the address bar). The problem is that SSL is not used for all conversations between web browsers and Facebook, as we’ll see below.

Logging In

I submit the login form to Facebook:

Me: Facebook, my e-mail is matt@… and my password is […].
Facebook: That’s swell, you’re now logged in.
Facebook: Use this special phrase for other requests so I know it’s you: SessionID.
Facebook: Now, you can ask me for your news page—and you don’t need to whisper!

Hey, Facebook told me I don’t need to whisper! I request my news page just as Facebook asked me to:

Me (out loud): Hey Facebook, show my news page. My special phrase is SessionID.
Facebook: Here’s your news page!

A Facebook news feed, unsecured (no SSL lock icon)

Now, let’s examine what happened.

  1. First, I proved who I am to Facebook using my login information. 
  2. Facebook then gave me a special phrase, a session ID, so I do not have to keep transmitting my e-mail and password.
  3. Facebook told me to request the news page without using SSL.
  4. I requested my news page, including my phrase, but I stopped whispering (stopped using SSL)!

Websites have no short-term memory: HTTP is a stateless protocol, so each request stands on its own. Every request that requires you to be logged in must therefore carry either your e-mail and password or the session ID. In practice the session ID is a cookie, and the browser attaches it to every request for that site, whispered or not, unless the site marks the cookie as SSL-only. It’s this session ID that can be stolen when the conversation is not whispered.

The Hijack

Eve (cryptography examples conventionally name the eavesdropper Eve) overheard my conversation with Facebook when I stopped whispering and spoke out loud (HTTP without SSL). Eve wrote down SessionID; now she approaches Facebook:

Eve: Facebook, please set “I’m a doofus” as my status. My special phrase is SessionID.
Facebook: Done and done.

Eve grins and waits for me to discover that I am a self-proclaimed doofus, because my Facebook session has been hijacked.

What Eve’s browser might look like

So What is Firesheep?

Firesheep is an advanced recording and playback device for conversations between browsers and websites. Since Facebook holds most of its conversations in public (not over SSL), it’s easy to listen for and intercept session IDs. Firesheep then allows you to play them back to Facebook in one click, hijacking a website session. It means you don’t need to know how to listen on a network (commonly called “packet sniffing”) to eavesdrop on these conversations; it does it for you. You merely click “Start Capturing” and wait while Firesheep listens for and remembers the session cookies of popular websites like Facebook, Twitter, Flickr, and many more.

Firesheep after capturing a Facebook session

As pictured above, I need only click on the Facebook icon and I’m logged in as the user shown. That’s all.
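To make “The Hijack” and “So What is Firesheep?” concrete, here is an added example that models what the tool does: read plaintext HTTP requests off the wire, keep the session cookie for each known site, and replay it in a request of the attacker’s choosing. This is illustrative code written for this article, not Firesheep’s source. The captures are constructed, the session cookie names (“SessionID”, the article’s placeholder, and “sess”) are assumptions rather than any site’s real cookie names, and the “https” capture stands in for ciphertext the eavesdropper cannot read.

```python
"""Sniff-and-replay model of a Firesheep-style session hijack (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie

# Which cookie carries the login session on each site. These names are
# assumptions for the example ("SessionID" is the article's placeholder).
SESSION_COOKIE_NAMES = {
    "www.facebook.com": {"SessionID"},
    "twitter.com": {"sess"},
}


@dataclass
class Capture:
    """One request as seen by an eavesdropper: 'http' is readable text,
    'https' is opaque ciphertext (the whispered part of the conversation)."""
    scheme: str
    payload: str


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a plaintext HTTP/1.1 request into method, path and headers
    (header names lower-cased so lookups are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def session_cookies(host: str, cookie_header: str) -> dict[str, str]:
    """Pick the session cookie(s) for `host` out of a Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    wanted = SESSION_COOKIE_NAMES.get(host, set())
    return {name: morsel.value for name, morsel in jar.items() if name in wanted}


def harvest(captures: list[Capture]) -> dict[str, dict[str, str]]:
    """What 'Start Capturing' does: remember stolen session cookies per host.
    Whispered (TLS) traffic is skipped because it cannot be read."""
    stolen: dict[str, dict[str, str]] = {}
    for cap in captures:
        if cap.scheme != "http":
            continue
        _method, _path, headers = parse_request(cap.payload)
        host = headers.get("host", "")
        found = session_cookies(host, headers.get("cookie", ""))
        if found:
            stolen.setdefault(host, {}).update(found)
    return stolen


def replay(host: str, cookies: dict[str, str], method: str, path: str, body: str = "") -> str:
    """Eve's request: same session cookie, different action. The site has no
    way to tell this request from one the real user sent."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", f"Cookie: {cookie_header}"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed captures: the login POST is whispered (unreadable), the news
# page request that follows is not and leaks the cookie. Values are made up.
CAPTURES = [
    Capture("https", "<TLS ciphertext: the login POST, unreadable to Eve>"),
    Capture("http", "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
                    "Cookie: locale=en_US; SessionID=a1b2c3d4e5f6\r\n\r\n"),
    Capture("http", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    "Cookie: theme=dark\r\n\r\n"),
]

if __name__ == "__main__":
    stolen = harvest(CAPTURES)
    print("captured:", stolen)
    fb = stolen["www.facebook.com"]
    print(replay("www.facebook.com", fb, "POST", "/status.php", "status=I%27m+a+doofus"))
```

Only the one plaintext Facebook request yields a session; the whispered login and the unrelated site are ignored, which is exactly why protecting the login page alone does not help.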

Firesheep is Good

Now that you understand what the tool does and the vulnerability it exploits, why is it good? As I mentioned earlier, full session security is expensive. SSL-encrypted connections are more costly to manage and scale for large websites. Until now, few people knew how to listen for and intercept session IDs for websites like Facebook, so it didn’t make sense to spend the money in order to secure them. Firesheep changes that: it is a wake-up call to users and website operators alike. Now that hijacking is trivial, users should demand better security from the websites they patronize.

Please do your part: pay attention to the conversations you have using your web browser. Which websites you visit let you log in and then browse without full SSL encryption? You should see the lock on every page of a website you care about. Contact the webmasters of websites that are vulnerable; let them know your concerns. Now that you know, help educate others, users and website operators alike, for a safer Internet.

Consider a donation to the Electronic Frontier Foundation (EFF); they have an article on Firesheep as well.

Staying Safe

Using strong encryption with SSL is the best way to protect yourself from Firesheep and other session hijacking attacks. TechCrunch has a good round-up of Firefox extensions that force the use of SSL, Force-TLS and HTTPS Everywhere. Both extensions need to be configured to recognize specific websites, and neither can help on a site that does not serve its pages over SSL in the first place, so they are not silver bullets.
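The previous two sections ask operators to secure the whole session and users to force SSL. The added example below, written for this article rather than taken from any site or extension, shows both halves as checks you can run: an audit of a site’s Set-Cookie headers for the Secure flag (without it the browser sends the session cookie over plain HTTP, which is what Firesheep harvests), a model of which cookies a browser would send on an http versus https request, and a Force-TLS style rewrite that only upgrades hosts it has been configured for. “SessionID” is the article’s placeholder cookie name and the header values are constructed.

```python
"""Operator- and user-side checks against session cookie leakage (added example)."""
from __future__ import annotations

from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Name of the login session cookie; the article's placeholder, assumed here.
SESSION_NAMES = {"SessionID"}


def parse_set_cookie(header: str) -> SimpleCookie:
    """Parse one Set-Cookie header value, including its Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(header)
    return jar


def audit_set_cookie(header: str, session_names: set[str] = SESSION_NAMES) -> list[str]:
    """Operator's pre-deploy check: findings for a session cookie that a
    browser would send in the clear or expose to page scripts."""
    findings: list[str] = []
    for name, morsel in parse_set_cookie(header).items():
        if name not in session_names:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; browser will send it over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; page scripts can read it")
    return findings


def cookies_sent(set_cookie_headers: list[str], scheme: str) -> set[str]:
    """Browser model: cookies flagged Secure travel only on https requests;
    every other cookie is attached to http and https requests alike."""
    sent: set[str] = set()
    for header in set_cookie_headers:
        for name, morsel in parse_set_cookie(header).items():
            if morsel["secure"] and scheme != "https":
                continue
            sent.add(name)
    return sent


def force_tls(url: str, forced_hosts: set[str]) -> str:
    """Force-TLS / HTTPS Everywhere style rewrite. Only hosts the user (or a
    shipped rule list) configured are upgraded; everything else stays http."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in forced_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


# Constructed headers: the weak cookie is what the article's Facebook
# behaves like; the fixed one is the operator-side correction.
WEAK_COOKIE = "SessionID=a1b2c3d4e5f6; Path=/; HttpOnly"
FIXED_COOKIE = "SessionID=a1b2c3d4e5f6; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("fixed", FIXED_COOKIE)):
        print(label, audit_set_cookie(header) or ["ok"])
        print("  sent over http: ", cookies_sent([header], "http"))
        print("  sent over https:", cookies_sent([header], "https"))
    print(force_tls("http://www.facebook.com/home.php", {"www.facebook.com"}))
    print(force_tls("http://www.example.com/", {"www.facebook.com"}))
```

Note that the Secure flag only keeps the cookie off plain HTTP; the site still has to serve every logged-in page over SSL, or those pages simply stop working once the cookie is withheld.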

There are other sophisticated techniques (such as using a VPN or SSH tunnel) touted as solutions; however, these merely change the room the conversation is held in. They protect the hop between you and the far end of the tunnel, which is the hop an attacker in the coffee shop can hear, but from that far end onward your web browser and Facebook are still talking publicly in some room where eavesdropping is possible.

Also, keep in mind that Facebook is everywhere: “Like” buttons dot the web. Each button is loaded from Facebook, and if you are logged in (or allow Facebook to remember your login) your browser attaches your session cookie to that request. Your Facebook session can therefore be hijacked while you visit a partner website (even TechCrunch), without your ever opening facebook.com.

It’s not just Public Wifi

Firesheep was designed to prove a point about website security, not public wifi. Different types of networks (wired LAN, WPA2-encrypted wifi) are just rooms with different acoustics: WPA2 encrypts the air between your laptop and the access point, but everyone else who has the network password is inside the same room with you. There are still ways to eavesdrop on and hijack website sessions. Compromising an account is harder than over open public wifi, but there are techniques to do so.

In fact, I tested this theory by breaking into my wife’s Google and Facebook accounts at home (with her permission, mind!). I was able to execute a so-called man-in-the-middle (MITM) attack using a technique called ARP poisoning. My home wireless network is secured with the latest WPA2 encryption. It was easy.

Avoiding public wifi will not keep you safe.

See the response from Firesheep’s author for more information. David Marcus over at McAfee Labs also wrote an article describing how ARP poisoning can be combined with Firesheep, allowing for attacks on secured wifi or wired networks.
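The ARP poisoning mentioned above works by answering ARP requests with forged replies so that the victim’s computer (and the router) map the gateway’s IP address to the attacker’s hardware address, putting the attacker in the middle of every conversation in the room. The added example below, written for this article and not taken from the post, McAfee’s write-up or any tool, shows how a host on the network can spot it: it reads ARP replies in the style of `tcpdump -n -e arp` output and raises an alert when an IP address changes hardware address mid-session, or when one hardware address claims the gateway and other hosts at once. The sample lines and all addresses are constructed.

```python
"""Detecting ARP poisoning from a tcpdump-style ARP capture (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterator

# Constructed sample in the style of `tcpdump -n -e arp`. The gateway
# 192.168.1.1 is at a0:21:b7:..., the victim 192.168.1.20 at 3c:22:fb:...,
# and dc:a6:32:de:ad:01 is the attacker claiming both of them.
SAMPLE = """\
12:00:01.000001 3c:22:fb:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.000420 a0:21:b7:00:00:01 > 3c:22:fb:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at a0:21:b7:00:00:01, length 28
12:00:05.100000 dc:a6:32:de:ad:01 > 3c:22:fb:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at dc:a6:32:de:ad:01, length 28
12:00:05.100500 dc:a6:32:de:ad:01 > a0:21:b7:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at dc:a6:32:de:ad:01, length 28
12:00:07.000000 dc:a6:32:de:ad:01 > 3c:22:fb:aa:bb:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at dc:a6:32:de:ad:01, length 28
"""

GATEWAY = "192.168.1.1"

# Only replies matter: a reply is what rewrites a neighbour's ARP cache.
REPLY = re.compile(
    r"^(?P<ts>\S+) .*?Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (timestamp, ip, mac) for every ARP reply line; skip requests."""
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_poisoning(text: str, gateway_ip: str = GATEWAY) -> list[str]:
    """Two signals, each returned as an alert string:
    1. an IP's hardware address changes from the one first seen (the classic
       poisoning footprint once a clean baseline exists);
    2. one hardware address answers for the gateway and for another host,
       which catches an attacker who was already poisoning before we started
       listening and so never triggered signal 1."""
    first_mac: dict[str, str] = {}
    ips_by_mac: dict[str, set[str]] = defaultdict(set)
    flagged_macs: set[str] = set()
    alerts: list[str] = []
    for ts, ip, mac in parse_replies(text):
        ips_by_mac[mac].add(ip)
        baseline = first_mac.setdefault(ip, mac)
        if mac != baseline:
            alerts.append(f"{ts} {ip} changed from {baseline} to {mac}")
        claims = ips_by_mac[mac]
        if gateway_ip in claims and len(claims) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            others = ", ".join(sorted(claims - {gateway_ip}))
            alerts.append(f"{ts} {mac} claims gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE):
        print("ALERT", alert)
```

On a clean network the second signal still fires legitimately for a router that also answers for a virtual IP, so treat it as a prompt to check the device, not proof of an attack; the first signal, a gateway whose hardware address changes while you are connected, is the one that should make you stop browsing.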

A Parting Thought

When you have a conversation on the Internet, you’re never alone in the “room.” Pay attention to whether or not you’re whispering.