No one wants another person to take over their account and impersonate them -- or worse. HTTP session hijacking is nowhere close to a new vulnerability, but with the introduction of the Firefox addon, Firesheep, people who have never hacked, are trying the free and easy-to-use tool. After installation, a person can connect to an open Wi-Fi network, see which users on that network are on insecure social sites, and then double-click on that user to capture their cookie and be logged in as them. Four days and nearly 400,000 downloads later, it's time to see insecure websites get serious about protecting their users' privacy and security with full end-to-end encryption.
On the second day after Firesheep was released, Firesheep was the second suggestion on Bing when you typed "fire". With Bing on the brain, I went to bing.com and tried to add S to HTTP. The below screenshot is what happens -- an invalid security certificate pops up.
After poking around on Twitter, I saw that other people had tried it as well.
When I asked Microsoft if it intended to encrypt its connection so that HTTPS worked with Bing, a spokesperson said, "The security and privacy of our customers is very important to us at Bing. We are looking at SSL and other technologies for future releases of Bing."
Windows Live, live.com, is also listed among the sites that can be sniffed and hijacked with Firesheep. Errata Security's Robert Graham blogged, "The presentation on FireSheep has the really cool graphic above, showing an elephant in the room. That's what sidejacking is: how long will providers like HotMail (MSN Live) and Yahoo continue not to provide encryption for their e-mail products. Seriously, if you still use the free versions of HotMail or Yahoo Mail, you are an idiot."
"Going forward the metric of Firesheep's success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all," blogged Eric Butler one of Firesheep's creators.
Software security consultant Ian Gallagher co-authored the blog post as well as co-presented Firesheep at ToorCon. Gallagher lists some levels of failure that make it is so difficult for users to stay safe. There might be a complete absence of SSL/HTTPS, or it might be that some hosts charge for full-session SSL. "A basic expectation of privacy should not be a premium feature," he wrote. Most big sites do encrypt for the intial login, but after a user enters their username and password, the rest of the site is in HTTP and not HTTPS. "These sites fail to protect you because after you've authenticated, you're issued a cookie that identifies you throughout your browsing session, but if you think about it that's just as good as your username/password for 99% of the time," Gallagher explained. Then there are other sites that support full encryption but fail in to implement it securely.
You can't simply avoid visiting the sites that are being attacked here. There's an enormous amount of mixed content on the web today, such as the Facebook "Like" button, Digg's "Digg It" button, twitter widgets, and even embedded images that are hosted on Flickr or other photo sharing sites. Every time you access any web page that includes any of this content, your browser also sends any authentication cookies you have with the request to pull down the widget. TechCrunch is a great example of this, every article has lots of little widgets to share it on numerous social sites.
Even if you're proactive and think to log yourself out of a website, this rarely does anything but delete the cookies from your web browser - meaning any stolen copies of them are still going to work for accessing the website. Twitter, Amazon, Foursquare, Github, Flickr, Yahoo, Windows Live (Hotmail) and many others do not properly delete your session from their severs when you use their "Logout" features. Facebook, while having other problems, does appear to properly delete sessions on their servers when you "Logout".
I highly advise reading all of Gallagher's suggestions for how users might protect themselves as well as how website operators can fix the problem. He ends the post with these words of wisdom. "Many companies make a business, not technical, decision to not implement security due to either perceived or actual costs. It is our opinion that turning a blind eye to customer privacy and security is never good for business, and we hope the people making these decisions will begin to agree."
Dear Microsoft, you are a global software giant. I know there are some great privacy and security minded folks who work for you. Could you please hurry end-to-end encryption for Live and Bing so users will see that the security and privacy of your customers are very important to you?
Like this? Check out these other posts:
- All of today's Microsoft news and blogs
- Microsoft Proposes Each PC Needs A Health Certificate or No Net Access Allowed
- EFF Warns of Untrustworthy SSL, Undetectable Surveillance
- Microsoft's Davis on Privacy: Your Digital Life Data is Bankable Currency
- ACLU Report: Spying on Free Speech Nearly At Cold War Level
- Full-Body X-Ray Scanners Driving Down A Street Near You?
- Facial recognition: Identifying faces in a crowd in real-time
- Microsoft's Live@edu email not encrypted on cloud servers
- Cyber-Warfare: U.S. Military Hackers and Spies Prepare to Knock the World Offline
- Kinect Long Term Privacy Issues Daunting?
Follow me on Twitter @PrivacyFanatic