There has been a lot of talk recently about website security since the Firesheep plugin for Firefox was released earlier this month. I think it is excellent that people and mainstream media are becoming aware of these problems, but let’s face it, they have been around forever in the web world.
So what is happening here? I believe that Firesheep receives lots of attention because of the way it makes accessing other people’s cookies extremely user-friendly. Instead of relying on tcpdump, Wireshark or any other type of network sniffing tool, you get this complete package with a sniffer, a filter to find the cookies, and a way to set the sniffed cookie in the browser directly without having to lift a finger. All you need to do is activate the plugin and wait for people to access Facebook over a network.
A cookie is basically a small file containing parameters and values which websites can set to track you when you are accessing their website. This is how Facebook, for example, knows that you have logged in when you are browsing around on the site. If you disable cookies, you will be asked to log in whenever you try to access a private part of the site. To get a user’s cookie, or any other type of information, you can sniff their traffic on the network. You will be able to see everything that is sent and received by that computer. This is how someone’s cookie information can easily be stolen.
There are, however, ways to protect yourself against these types of attacks. The first and most important is to make sure that you are browsing using https instead of http. That “s” tells your browser to set up an SSL/TLS connection to the server before sending any information. Since SSL is used to encrypt data, everything that is sent to or received from that particular server will be secured, and it will not be possible to sniff that data and get the cookies.
That is a slight modification of the truth, however, since there are ways to get the data anyway. But if you make sure that you do not accept any certificates signed by an unknown authority (your browser will warn you), you will be fairly safe in this regard. Since many sites, such as Facebook, use SSL only for the login phase, an attacker cannot sniff the password, but can still steal cookies that have already been set. This basically means that the attacker can do anything to that account except change the password.
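When a site uses SSL only for login, the session cookie stays sniffable because it was set without the Secure attribute, so the browser also sends it on later plain http requests. The following is an added example, not part of the original post, that audits response headers for such cookies; the cookie names and the sample response are constructed for illustration.

```python
# Added example: find cookies that a browser will also send over plain http://
# because the server set them without the Secure attribute.

# Constructed sample: headers a site might return from its https login endpoint
# before redirecting the user back to an unencrypted page.
SAMPLE_LOGIN_RESPONSE = [
    "HTTP/1.1 302 Found",
    "Location: http://www.example.test/home",
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=def456; Path=/; SECURE; HttpOnly",
    "Set-Cookie: pref=secure_mode; Path=/",
]


def parse_set_cookie(header_line):
    """Return (cookie name, set of lower-cased attribute names), or None
    if the line is not a Set-Cookie header."""
    field, _, value = header_line.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def sniffable_cookies(header_lines):
    """Names of cookies lacking Secure, i.e. readable by anyone sniffing
    the network once the site falls back to http."""
    exposed = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        # Check the parsed attributes, not a substring of the whole line:
        # "pref=secure_mode" contains "secure" but is not marked Secure.
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie_name in sniffable_cookies(SAMPLE_LOGIN_RESPONSE):
        print("sent over plain http:", cookie_name)
```

If the cookie that identifies the logged-in session appears in this list, encrypting only the login page does not protect the account on a shared network.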
Since lots of websites do not provide a secure alternative, what can be done to make it reasonably secure? The easiest way is to set up a VPN connection to a server somewhere, which will at least prevent people from sniffing your data on wifi hotspots. How to do that is however out of scope for this article.