Paid Advertising
web application security lab


7 posts left…

I go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hacking tools to exploit it.

One of the more interesting analysis pages I’ve seen was one which had a scorecard. At first blush it’s fairly obvious but one thing stuck out at me regarding the last part of the scorecard, where they assigned scores to each of the various protocols like POP3 fails but POP3 over SSL/TLS gets an A. The interesting thing is that there isn’t an equivalent score for HTTP vs HTTPS. This all goes back to the 24 vulnerabilities Josh and I talked about in the browser implementation of SSL/TLS in the browser.

Just because something is speaking HTTPS some of the time doesn’t even mean that session alone is secure in a multi-tabbed environment, or with certain plugins, or certain settings or with certain settings within cookies, etc… It’s just not that straight forward. Wouldn’t it be nice if we had something that did act in a safe and sane way that allowed you to contact a site securely? Maybe something that was a secured transport layer (no, not TLS, I mean something actually secure). ;) Maybe it’s something we can add on top of SSL/TLS over DNSSEC while we’re in the browser security world are still in the mood to shake things up.

7 Responses to “FireSheep”

  1. Angel One Says:

    It’s all about making something theoretical into something practical that you can see and feel. People don’t get very scared over “theoretical threats”. That’s why when the media tries to scare you they always start with a narrative about an individual that they hope you can relate to. That’s also why people frequently ignore pen test reports unless the tester can go the extra step and really demonstrate in clear and obvious terms not what COULD be done, but rather what HAS been done. (You’ve never seen an IT team scramble as fast as when you physically deliver them their customer’s PII stolen from their systems).

  2. mike Says:

    I totally agree, firesheep is nothing new. You can set the “secure cookie” flag (terrible name). But it tells the browser to always transmit the cookie over https.

  3. Mistaken Says:

    I tried firesheep a few weeks ago and I couldn’t get it to work. My wifi network is unsecure but maybe there is some other layer of encryption on my router (netgear). I had one computer on firefox listening and I used another computer to browse twitter and facebook in both Safari and IE. I couldn’t snag anything. I’m sure I could test a few other scenarios with my machines but if I couldn’t easily grab something on my own network, then I don’t think I would go to the local starbucks to try anything. Seems like the tool has potential though if it works. Angel One is correct, people don’t pay attention until the carpet is pulled out from under them.

  4. Johan Says:

    The best reason I find firesheep funny is that it only works with unsecure networks, so now people are finding out that an unsecured network is, in fact, not secure. Mindblowing, right?

    Of course there are other concerns, but like said before, nothing new.

  5. austin Says:

    johan: that just reminds me of this whole thing with the google streetcars collecting wifi data, the media seems to completely miss the point here. they talk about how it could contain a password or a bit of an email, they miss the fact that THAT information was being sent unsecured over wifi and anyone with an antenna can just drive by and scoop it up. and not even a mention of what a person who was actually TRYING to steal your data could do. no they bypass the obvious lesson of why you shouldnt use unsecured wifi and instead decide to attack google.

  6. Wornstrom Says:

    Firesheep is interesting not for what it does, but for how easy it makes the task. Now that the process of stealing session cookies has been simplified to a one-click addon that any idiot can use, people realize that this vulnerability exists and just how severe it is.

  7. Paul Says:

    Hi sorry if this is a dumb question but I am from a generation that grew up without computers so my recent self schooling has some gaps that are quite basic. Anyway I recently downloaded Firefox and then Firesheep but cannot work out how to open Firesheep… any clues please. Thanks Paul