It’s no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What’s less clear is how much information is floating out there in the ether, especially with the rise of “Web 2.0” and rich social networking applications and other Web-based sharing tools.
But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature.
Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP.
The researchers, Ian Gallagher of Security Innovation in Seattle, Washington, and Eric Butler, an independent security consultant, also of Seattle, demonstrated Firesheep before an audience at ToorCon on Sunday: surveying and then hijacking audience members’ Facebook and iGoogle sessions. They warned that, without wider use of secure transaction tools for end-to-end Web encryption like SSL, more users were likely to fall victim to such attacks.
The problem isn’t new, Butler said, but has been the “elephant in the room” since the birth of the Web and the HTTP protocol that is its lingua franca. Technologies like virtual private networking tools (VPN) can help deter snooping, but they don’t provide end-to-end encryption of Web sessions and, thus, just “move the problem around,” Butler said.
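The attack described above works because a session cookie issued without the Secure attribute is sent by the browser on every plain-HTTP request, where anyone on the same open wireless network can read it. The following audit script is an added example, not code from the article or from the Firesheep authors; it checks the response headers a site sends for exactly the weaknesses the researchers were pointing at. The header samples are constructed, and the list of cookie-name hints used to guess which cookies carry a session is an assumption that should be adjusted per application.

```python
"""Audit HTTP response headers for session cookies that would leak over plaintext HTTP.

Added example (not from the article): flags session-looking cookies that lack
the Secure or HttpOnly attributes and responses that lack Strict-Transport-Security.
"""
from dataclasses import dataclass, field

# Assumption: substrings that usually indicate a session-bearing cookie.
# Extend or replace with the application's real cookie names.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Report attributes missing from a cookie that looks like it carries a session."""
    name, _value, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    findings = []
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    if looks_like_session and not secure:
        findings.append("missing Secure: the browser will send it over plain HTTP, "
                        "where it is readable on an open network")
    if looks_like_session and not httponly:
        findings.append("missing HttpOnly: readable by page scripts")
    return CookieAudit(name, secure, httponly, findings)


def audit_response(headers):
    """headers: list of (name, value) tuples from one HTTP response."""
    cookies = [audit_cookie(v) for n, v in headers if n.lower() == "set-cookie"]
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    return cookies, has_hsts


def summarize(headers):
    """Return a flat list of human-readable problems; empty means the response passes."""
    cookies, has_hsts = audit_response(headers)
    problems = [f"{c.name}: {f}" for c in cookies for f in c.findings]
    if not has_hsts:
        problems.append("no Strict-Transport-Security header: the first request "
                        "to the site may still go out over HTTP")
    return problems


# Constructed sample: a response of the kind Firesheep could exploit.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: the same site after moving fully to HTTPS.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, summarize(headers) or "OK")
```

The hardened response shows the complete mitigation the researchers called for: the session cookie only ever travels inside TLS because of the Secure attribute, and Strict-Transport-Security keeps the browser from ever starting a plaintext session that a VPN would merely relocate rather than remove.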
Concerns about the ability to scale session encryption to the level needed to support traffic on massive social networks like Facebook are a likely obstacle, but both Gallagher and Butler argued that security and scalability can both be achieved. Search giant Google implemented SSL for its Gmail Web-based e-mail service without any noticeable change in service and without having to deploy massive new infrastructure to support it, the two noted. Other Web mail and software-as-a-service vendors should do the same.