An open source extension for Firefox was recently announced at the ToorCon hacking conference in San Diego. The tool provides the ability to intercept traffic when connecting via unsecured/public (also known as coffee house) wireless hotspots.
The tool, known as Firesheep (http://codebutler.github.com/firesheep/), allows a user on the wireless network to intercept data from these unsecured network connections. Articles explaining the operation of the tool can be viewed at the following URLs:
http://threatpost.com/en_us/blogs/plugin-firesheep-lays-open-web-20-insecurity-102510
http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=227900742
http://codebutler.com/firesheep
The articles generally refer to social networking sites (Facebook, Twitter, Flickr, iGoogle) and cloud e-mail sites (Hotmail, YahooMail), but the risks definitely exist for other sites as well. In short, while the initial login page of most BUSINESS websites commonly uses an SSL-encrypted connection (denoted by the S in httpS on the address line), this is not yet common practice for these social networking sites, because of the processing overhead on the web server. This allows the data, including the password, to be transferred in clear text. While the largest risks exist during the login phase, for any website it is possible that the initial login page uses SSL encryption but the subsequent pages still use unencrypted protocols for requests and results, and that will likely always be the case on these high-volume social networking and cloud e-mail sites.
The tool is designed to identify which page loads are taking place in clear text. Using it, someone on the same wireless network is able to intercept the traffic, identify the ‘cookie’ that the web server issued (sent unencrypted), and then assume your session.
The best solutions are as follows:
Use a unique password for each website, especially social networking sites (or any site whose address does not start with httpS). This practice is advised for all web access.
If you don’t have the ability to connect to a secure wireless network (one where the key is provided by the business), I would suggest drastically limiting which sites you connect to from one of these public hotspots. Reading news and other surfing is fine, as you are providing no personal data. Reading e-mail is probably safe, but I would not just open all work-related content, because you don’t know what someone else might have included (like a credit card number or SSN). Personal banking and credit card accounts should NEVER be accessed from a public unsecured wireless hotspot. I suggest just waiting until you get back home or to work if you need to purchase something, or calling the company on the phone for the purchase.
If you manage a web server, make all requests that follow authentication also require the use of SSL encryption. The State’s Department of Information Resources (DIR) will not consider a website ‘secure’ if the initial web page requires SSL but the subsequent pages are not also SSL encrypted. The overhead associated with these transactions is generally not significant, and hardware vendors have done much over the last few years in handling the additional CPU resources these transactions impose.
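For web server administrators, one way to check a site against the recommendation above, as an added example that is not part of the original advisory: the Python below walks a record of responses from login onward and flags any page requested without SSL and any session cookie issued without the Secure attribute, which tells the browser never to send that cookie over plain HTTP. The host name, the cookie name `session` and both sample records are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: (URL requested, Set-Cookie headers returned) in browsing
# order, for a hypothetical site that encrypts only its login page.
WEAK_SITE = [
    ("https://site.example/login", ["session=Zm9v; Path=/; HttpOnly"]),
    ("http://site.example/inbox", []),
    ("https://site.example/settings", ["prefs=dark; Path=/"]),
]
# The same constructed site after the fix: SSL everywhere, Secure on the cookie.
FIXED_SITE = [
    ("https://site.example/login", ["session=Zm9v; Path=/; HttpOnly; Secure"]),
    ("https://site.example/inbox", []),
    ("https://site.example/settings", ["prefs=dark; Path=/"]),
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(crawl, session_cookies=("session",)):
    """Flag cleartext exposure of the session from login onward."""
    findings = []
    logged_in = False
    for url, set_cookie_headers in crawl:
        encrypted = urlsplit(url).scheme == "https"
        # Any page requested after login must be encrypted, otherwise the
        # browser's requests for it can be read on an open wireless network.
        if logged_in and not encrypted:
            findings.append((url, "post-login page requested without SSL"))
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            if name not in session_cookies:
                continue  # only the session cookie identifies the user
            logged_in = True
            if not encrypted:
                findings.append((url, f"cookie {name} issued without SSL"))
            elif "secure" not in attrs:
                findings.append((url, f"cookie {name} lacks Secure attribute"))
    return findings


if __name__ == "__main__":
    for url, problem in audit(WEAK_SITE):
        print(f"{url}: {problem}")
```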
If there are any questions related to this topic or computer security overall, please don’t hesitate to send e-mail to securityhelp@ag.tamu.edu.