Proactive IT Security

Firesheep - an eye-opener or a tool for criminals

Introduction

A little more than a week ago a new extension to the Firefox web browser was published. The extension, named Firesheep, was developed by Eric Butler, who wrote on his blog that his intention was to draw attention to the fact that

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

And it got attention for sure!
During the first 24 hours Firesheep was downloaded more than 100 000 times, and it got massive media coverage from all over the world.

Functionality

Firesheep does not perform any particularly fancy operations. What it does, though, is provide a smooth user interface that lets anyone perform operations that previously required some special skills.

By connecting to an unsecured wireless network, anyone may intercept the unencrypted communication to and from other computers connected to the same network.

Firesheep relies on the fact that even though some web sites require encrypted communication (the https protocol) for logging in, the subsequent communication between the client web browser and the web server is not encrypted (the http protocol), and cookies are sent as clear text. By intercepting a session cookie, it is possible to impersonate another user, for example by posting messages on his Facebook wall or tweeting from his account.

Again, this is nothing new for those with knowledge about how the web's communication protocols function. But Firesheep makes the issue so amazingly obvious.

Someone who has installed the Firesheep extension may view other people who have accessed social network sites as the screenshot below illustrates:

Double-click on a name, and the Firesheep user is logged in as the other person, and may perform the same actions as the legitimate user. This includes posting messages, which may be potentially harmful, as well as reading private information.

How and why?

As mentioned above, there are two reasons why this is possible:

  1. Open WiFi networks are not secure, and unencrypted communication on them may be intercepted.
  2. Even though the login to a web site (a social network site, for example) may be end-to-end encrypted, the subsequent communication once logged in is not.

The Firesheep author stresses in a blog post that it is not open WiFi networks as such that he wants to draw attention to. He stresses, correctly, that there are perfectly legitimate reasons why such networks are beneficial for many purposes:

Abundant, free, open wifi is great to have, it can be very useful. Low-risk activities like reading the news, looking up a nearby business or finding a bus route can be done without being logged in to such sites and risking loss of any important sessions, for example.

The Firesheep author claims that his reason for creating the program was to draw the attention of those who operate certain web sites, and encourage (force?) them to implement better security:

The only correct solution to this problem is true end-to-end security. On the web, this is called HTTPS or SSL/TLS. When SSL is used properly, all traffic is encrypted (unreadable by attackers) and integrity checked (can’t be modified by attackers) from your web browser all the way to the website’s datacenter (either their actual web servers, or specialized network equipment such as SSL accelerators/load balancers).
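The weakness the two sections above describe, a session cookie issued after an HTTPS login but then replayed in clear text on every later http:// request, is visible in the server's own response headers. The following Python script is an added example, not code from the original article or from Firesheep: it parses a set of HTTP response headers and reports every cookie that lacks the Secure attribute (and so would be sent over plain http://), plus whether the site sends Strict-Transport-Security to keep the browser on HTTPS. The two responses it checks are constructed for this example; only `http.cookies` from the standard library is used.

```python
"""Audit HTTP response headers for session cookies that would leak over plain http://.

Added example (not from the article or from Firesheep).  A cookie without
the Secure attribute is attached by the browser to http:// requests as well,
which is exactly what a passive listener on an open WiFi network needs in
order to reuse the session.  Strict-Transport-Security (HSTS) closes the
other half of the gap by making the browser refuse plain http:// for the site.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample responses for this example (not captured traffic).
# WEAK: the session cookie is valid for http:// too and there is no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/

<html>...</html>"""

# HARDENED: cookie restricted to HTTPS, hidden from script, and HSTS enabled.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...</html>"""


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse raw HTTP/1.1 response text into a lower-cased name -> [values] map.

    The first line is the status line and a blank line ends the header block.
    Repeated headers (typical for Set-Cookie) keep every value.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str) -> Dict[str, object]:
    """Return {'cookies': {name: [issues]}, 'hsts': bool} for one response.

    An empty issue list means the cookie is only ever sent over HTTPS and is
    not readable by page script.
    """
    headers = parse_response_headers(raw)
    cookies: Dict[str, List[str]] = {}
    for header_value in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(header_value)          # handles attributes like Path, Secure, HttpOnly
        for name, morsel in jar.items():
            issues: List[str] = []
            if not morsel["secure"]:    # flag attributes are True when present, "" otherwise
                issues.append("missing Secure: cookie is sent over plain http://")
            if not morsel["httponly"]:
                issues.append("missing HttpOnly: cookie is readable by page script")
            cookies[name] = issues
    return {
        "cookies": cookies,
        "hsts": "strict-transport-security" in headers,
    }


def leaks_over_http(raw: str) -> List[str]:
    """Names of cookies in the response that a browser would send in clear text."""
    report = audit_response(raw)
    return sorted(name for name, issues in report["cookies"].items()
                  if any(i.startswith("missing Secure") for i in issues))


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit_response(response)
        print(f"{label}: HSTS={report['hsts']}, leaking cookies={leaks_over_http(response)}")
        for name, issues in report["cookies"].items():
            for issue in issues:
                print(f"  {name}: {issue}")
```

Run against a site's real login response (for example, the headers captured by the browser's developer tools), the script gives a quick answer to the question Firesheep raised: whether the session cookie handed out after the HTTPS login is in fact confined to HTTPS.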

Good or bad?

When someone creates software that may be utilized for malicious purposes, the vendors of security programs (like Norman) must decide whether to treat the software as malware or not. These considerations also apply to Firesheep, and the vendors of antimalware products have (so far) chosen different strategies.

At the time of writing, Virustotal's statistics show that two antimalware products define Firesheep as malicious, while the rest (41) do not report that Firesheep is malware. Norman currently does not detect Firesheep as malware.

The correct classification is not obvious in this case. Although the author himself claims that Firesheep was created purely with the intent to draw attention to what he feels is negligent security behaviour on the part of those responsible for web sites, it remains a fact that it is difficult to see any use of Firesheep beyond in-house use in a research lab that is not bordering (at least) on suspect.
The source code for Firesheep is also publicly available on the Internet, which may be credited to both points of view, we suppose.

Legal or illegal (to use)

In the wake of Firesheep, discussions regarding whether Firesheep is legal or illegal to use have surfaced in different media. No strong conclusion has been reached that we are aware of, and the answer will probably vary between jurisdictions.

What seems pretty obvious is that there are different ways to use Firesheep that may influence "the verdict":

  • Mere installation of the Firefox extension
  • Testing in research labs
  • Testing in one's own WiFi network
  • Testing in any unsecured network to view logged-in users
  • Logging in as another user by hijacking his session (and doing nothing)
  • Logging in as another user by hijacking his session and reading his private information
  • Impersonating another user on the social networks and/or other web sites.

What is certain is that Eric Butler's Firesheep drew attention to some of the security issues involved with the insecure communication used on certain web sites. That at least is good!

References (open separate browser windows)

The two Firesheep screenshots are from the first reference above.