Firesheep: Difference between revisions

Firesheep
Developer(s)	Eric Butler
Stable release	0.1-1
Repository	github.com/codebutler/firesheep ;
Operating system	Microsoft Windows and Mac OS X (highly unstable on Linux)
Available in	English
Type	Add-on (Mozilla)
Website	codebutler.com/firesheep

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 17:42, 9 December 2020

Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites such as Facebook and Twitter. The plugin eavesdropped on Wi-Fi communications, listening for session cookies. When it detected a session cookie, the tool used this cookie to obtain the identity belonging to that session. The collected identities (victims) are displayed in a side bar in Firefox. By clicking on a victim's name, the victim's session is taken over by the attacker.^[2]

The extension was released October 2010 as a demonstration of the security risk of session hijacking vulnerabilities to users of web sites that only encrypt the login process and not the cookie(s) created during the login process.^[3] It has been warned that the use of the extension to capture login details without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons stated initially that it would not use the browser's internal add-on blacklist to disable use of Firesheep, as the blacklist has only been used to disable spyware or add-ons which inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one's own systems).^[4] Since then, Firesheep has been removed from the Firefox addon store.

A similar tool called Faceniff was released for Android mobile phones.^[5]

References

^ Butler, Eric. "Firesheep – codebutler". Retrieved December 20, 2010.
^ Steve Gibson, Gibson Research Corporation. "Security Now! Transcript of Episode No. 272". Grc.com. Retrieved November 2, 2010.
^ "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots". Lifehacker. Retrieved October 28, 2010.
^ Keizer, Gregg. "Mozilla: No 'kill switch' for Firesheep add-on". Computer World. Retrieved October 29, 2010.
^ "Sniff and intercept web session profiles on Android". Help Net Security. Retrieved June 2, 2011.

External links

[1] Butler, Eric. "Firesheep – codebutler". Retrieved December 20, 2010.

[securitynow-2] Steve Gibson, Gibson Research Corporation. "Security Now! Transcript of Episode No. 272". Grc.com. Retrieved November 2, 2010.

[lifehacker-fs-3] "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots". Lifehacker. Retrieved October 28, 2010.

[cw-firesheep-4] Keizer, Gregg. "Mozilla: No 'kill switch' for Firesheep add-on". Computer World. Retrieved October 29, 2010.

[hns-faceniff-5] "Sniff and intercept web session profiles on Android". Help Net Security. Retrieved June 2, 2011.

[1]

[2]

[3]

[4]

[5]

@@ Line 11: / Line 11: @@
 | website                = {{URL|https://codebutler.com/firesheep}}
 }}
-{{Update|date=August 2018|reason=Extension seems unavailable now, many websites now completely encrypted (partially because of Firesheep). Maybe change the article to use past tense}}
 '''Firesheep''' was an [[Add-on (Mozilla)#Extensions|extension]] for the [[Firefox]] web browser that used a [[Packet analyzer|packet sniffer]] to intercept unencrypted [[HTTP cookie|session cookies]] from websites such as Facebook and Twitter. The plugin eavesdropped on [[Wi-Fi]] communications, listening for session cookies. When it detected a session cookie, the tool used this cookie to obtain the identity belonging to that session. The collected identities (victims) are displayed in a side bar in Firefox. By clicking on a victim's name, the victim's session is taken over by the attacker.<ref name="securitynow">{{cite web|author=Steve Gibson, Gibson Research Corporation |url=http://www.grc.com/sn/sn-272.htm |title=Security Now! Transcript of Episode No. 272 |publisher=Grc.com |accessdate=November 2, 2010}}</ref>
@@ Line 20: / Line 18: @@
 A similar tool called Faceniff was released for Android mobile phones.<ref name="hns-faceniff">{{cite web|title=Sniff and intercept web session profiles on Android|url=http://www.net-security.org/secworld.php?id=11107|publisher=Help Net Security|accessdate=June 2, 2011}}</ref>
-== Countermeasures ==
-Multiple methods exist to counter Firesheep's [[local network]] sniffing, such as preventing sniffing by using a secure connection. This can be realized in several ways: for example by using [[HTTP Secure|HTTPS]],<ref name="UseHTTPSAlways">{{cite web |url = https://www.eff.org/deeplinks/2010/10/message-firesheep-baaaad-websites-implement |author = Seth Schoen |title = The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!" |date = October 29, 2010 |accessdate =March 8, 2011
-}}</ref> or a [[Virtual private network|virtual private network (VPN)]] connection, or using [[wireless security]]. These approaches may be employed individually or in any combination, and their availability in any given situation will vary, in part due to web site and local network characteristics and configuration.
-=== HTTPS ===
-[[HTTP Secure|HTTPS]] offers [[End-to-end connectivity|end-to-end]] security between the user agent and the web server. This works well with [[web site]]s that are offered uniformly over HTTPS. However, at the time of Firesheep's publication, many web sites employed HTTPS only during the login process, then reverted the user's session to unsecure HTTP.
-This can be addressed in two intersecting fashions:
-* First, the site can offer itself uniformly over HTTPS.<ref name="UseHTTPSAlways"/><ref name="UniformHTTPS">{{cite web |url = https://www.eff.org/pages/how-deploy-https-correctly |author = Chris Palmer |title = How to Deploy HTTPS Correctly |date = November 15, 2010 |accessdate =March 8, 2011}}</ref>
-** As an adjunct to this, the site can advertise the [[HTTP Strict Transport Security]] (HSTS) policy, which will be honored by user agents implementing HSTS.<ref name="FSheepHSTS">{{cite web |url = http://identitymeme.org/archives/2010/10/29/firesheep-and-hsts-http-strict-transport-security/ |author = Jeff Hodges |title = Firesheep and HSTS (HTTP Strict Transport Security) |date = October 31, 2010 |accessdate =March 8, 2011}}</ref>
-* Second, the user can employ a browser extension, such as [[HTTPS Everywhere]]<ref>[https://www.eff.org/https-everywhere HTTPS-Everywhere]</ref> which can help ensure uniform HTTPS access to certain websites (the list is extensive), whether or not the site offers itself uniformly over HTTPS by default or employs HSTS. Also, in [[Firefox 4|Mozilla Firefox 4]] (or later) as well as [[Google Chrome]] (version 4 and later) the user may natively hand-configure the browser to treat the site as HTTPS-only.<ref name="FSheepHSTS"/>
-=== Virtual private network ===
-The end-user may also employ a [[virtual private network]] to encrypt all the traffic transmitted by their computer over the public Wi-Fi link. Users can obtain a VPN through several approaches: their employer may provide one to access their corporate network, they may host a VPN (for example, [[OpenVPN]]) on a personal server, or they may purchase VPN services from a provider (see [[Comparison of virtual private network services]]).
-However, one must then trust the VPN's operators not to capture the session cookies themselves. That is particularly a concern with the [[Tor (anonymity network)|Tor]] network, for which anyone can set up an exit node and monitor traffic going to non-HTTPS websites.
-=== Wireless network security ===
-Local [[Wi-Fi|Wi-Fi networks]] may be configured with varying levels of security enabled. Using a [[Wired Equivalent Privacy]] (WEP) password, the attacker running Firesheep must have the password, but once this has been achieved (a likely scenario if a coffee shop is asking all users for the same basic password) they are able to decrypt the cookies and continue their attack. In addition, the WEP protocol has been proven to have severe flaws which allow attackers to decrypt WEP traffic very quickly, even without the password.<ref>Breaking 104 bit WEP in less than 60 seconds[https://eprint.iacr.org/2007/120.pdf]</ref><ref>WEP Is Dead, Haven't You Heard?[https://www.tomshardware.com/reviews/wireless-security-hack,2981-4.html]</ref> However, using [[Wi-Fi Protected Access]] (WPA or WPA2) encryption offers individual user isolation, preventing the attacker from using Firesheep from decrypting cookies sent over the network even if the Firesheep user has logged into the network using the same password.<ref name="securitynow" /> An attacker would be able to manually retrieve and decrypt another user's data on a WPA-PSK connection, if the key is known and the attacker was present at the time of the handshake, or if they send a spoofed de-authenticate packet to the router, causing the user to re-authenticate and allow the attacker to capture the handshake. This attack would not work on WPA-Enterprise networks as there is no single password (the 'Pre Shared Key' in PSK).<ref>Answer to 'Can other people on an encrypted Wi-Fi AP see what you're doing?'[http://superuser.com/a/156969]</ref>
-On a WPA / WPA2 or Ethernet network, an attacker on the same network could still access session cookies of an unencrypted HTTP connection with a [[man-in-the-middle attack]] like [[ARP spoofing]].
 ==See also==