Today the blogosphere has been going wild about a new Firefox extension that makes it easy to capture login credentials and hack into accounts on an open network. Eric Butler, a freelance web application and software developer from Seattle, WA, created Firesheep to showcase this vulnerability in websites. I am not sure if Eric is doing a great service by highlighting a vulnerability or just being reckless and giving people an easy way to hack. According to Security Week, this is something that people have been able to do for a while, but this makes it easier.
According to Eric, it’s very common for websites to encrypt the username and password during the login process, but uncommon to encrypt communication after that. After you log in, most websites send a cookie to your computer so that your browser can interact with the website without having to log in again on every page. On an open Wi-Fi hotspot that cookie is broadcast through the air in the clear, so anyone within range could grab it and use it to access your account. This process is known as HTTP session hijacking or sidejacking.
The only effective solution is to use HTTPS or SSL to encrypt the entire connection. SSL is used for transactions on the web and for many other sites that require logins. You can tell if your browser session is using SSL by the HTTPS at the beginning of the URL. Most browsers also show a little lock in the URL or elsewhere on the page.
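The Secure cookie attribute and the Strict-Transport-Security header are the server-side counterparts of what this post describes (a browser will not send a Secure cookie over plain http://, and HSTS tells it to use HTTPS only). The following is an added example, not code from the original post or from Firesheep: it audits the headers of a login response and reports which cookies a browser would still send in cleartext. Both responses are constructed samples, not captured from any real site.

```python
# Constructed samples (not captured from any real site): the first is a
# login response that leaks its session cookie over plain HTTP, the second
# is the same response hardened.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; Secure\r\n"
    "\r\n"
)

def header_lines(raw):
    """Header lines of a raw HTTP response, status line excluded."""
    return raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]

def parse_set_cookies(raw):
    """[(name, {attr_lower: value_or_True}), ...] for every Set-Cookie header."""
    cookies = []
    for line in header_lines(raw):
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip() or True  # flag attrs map to True
        cookies.append((parts[0].split("=", 1)[0], attrs))
    return cookies

def audit_response(raw):
    """Report what a browser would still send over plain http:// to this host.

    A cookie without the Secure attribute is included in cleartext requests to
    the same host, which is exactly what a sidejacking sniffer on open Wi-Fi
    collects. Strict-Transport-Security makes the browser use HTTPS only, the
    server-side equivalent of the HTTPS Everywhere / Force-TLS extensions."""
    exposed = [name for name, attrs in parse_set_cookies(raw) if "secure" not in attrs]
    hsts = any(l.lower().startswith("strict-transport-security:") for l in header_lines(raw))
    return {"exposed": exposed, "hsts": hsts}

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```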
A few weeks ago I wrote about another Firefox extension called HTTPS Everywhere. This forces your connection to some popular sites, like Facebook, to use SSL. TechCrunch also talks about another Firefox extension called Force-TLS that performs the same function. Both of these are ways to force an encrypted connection to a website, so that the traffic between you and the website cannot be read by someone sniffing the network.
So why doesn’t everyone use SSL for communications on the web? For most websites it really doesn’t matter. If you go to a website to read the news, check out a company’s latest products or research buying a new car, you are not in any danger. If you aren’t logging into any of these sites, no username or password information is passing between your browser and the website.
If you log into Gmail, check your bank balance or purchase something from Amazon, you log into the site and pass your login credentials over the network. Any website that passes login credentials should default to using SSL. Sites like Gmail, Facebook and The NY Times have SSL-enabled pages, but don’t default to them. They should default to this more secure form of communication.
Of course the issue with SSL is not as simple as just putting HTTPS into your browser. The website must get an SSL certificate from a Certificate Authority (CA) and install it. Years ago this was a big deal and could be a bit expensive, but today it’s almost trivial. For example, you can go to GoDaddy.com and purchase a certificate for less than $50 per year – as I am writing this GoDaddy has a $12.99 special. Installing one is fairly simple too.
This whole situation is another wake-up call to use a few fairly simple techniques to help protect your information. If you use Firefox, get one of the extensions to force your connection to use SSL. If you use another browser, check to make sure that any site you log into shows HTTPS in the URL both before and after you enter your login credentials.