Wednesday, 8. December 2010
Firesheep is a Firefox addin that makes sidejacking a session easy as clicking a button. Sidejacking, or session hijacking is essentially sniffing someone’s session cookies from a connection and replaying them. This allows you to access their authenticated sessions, as if you were that individual.
There are two “mitigation” programs that are being touted around the internet:
We tested each program this past evening at a Black Lodge Research (www.blacklodgeresearch.org).
This program in essence, floods a network with nonsense packets designed to crash firesheep.
The packets hit the wire with the following headers:
request+=”GET /packetSniffingKillsKittens HTTP/1.1\r\n”;
request+=”Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; xs=3randomhashyes666666666;
Firesheep had no issue with functioning while fireshepard did it’s worst. It did begin to fill firesheep’s buffer, but the sheep never crashed. Firesheep could avoid this mitigation attempt by filtering out c_user=666660000 .
Blacksheep seems to work off a similar idea, but takes it a step further. It will drop fake credentials onto the network, and attempt to check for someone trying to use those credentials to log in. It is an interesting concept, but seems to us that you would have to sniff packets to see if others were trying to log in with the fake credentials. In other words, to defend your login, you need to sniff traffic.
We implemented Blacksheep, and it was quite easy to differentiate between real and fake credentials on the wireless.
Both mitigation strategies provide no further protection from firesheep. Why were they released? Simple:
“They released them to be first to release a mitigation. It doesn’t have to be great when you are first. Much like virginity.”
We explored real mitigation strategies:
1. Utilize SSL. HTTPs everywhere is a nice plugin for Firefox that will help enforce that: https://www.eff.org/https-everywhere/
2. Utilize VPN tunnels/SSH proxies to securely tunnel the traffic out of the wifi.
As you can see, mitigation really depends on wrapping the cookies in some form of encryption. This seemed to be the best mitigation strategy we could devise.