Firesheep is a Firefox plug-in that makes it easy to run sidejacking attacks against websites that do not use SSL/TLS consistently or correctly to prevent session cookies from being captured and reused. Sidejacking is not a new attack – related tools like Ferret and Hamster have been around for years. But Firesheep reduces sidejacking to "point-and-click" simplicity on any network where other web users' session cookies can be captured.
Wi-Fi hotspots are a particularly attractive target for sidejackers, because few hotspots encrypt Wi-Fi data frames, making them easy to capture. Hotspot users can protect themselves by using a properly-configured mobile VPN to encrypt their own data (including HTTP packets containing session cookies). However, many hotspot users don't use VPNs, especially when visiting websites for personal reasons.
Unfortunately, those personal-use sites are precisely the kind of vulnerable websites that Firesheep has built-in support for – examples include Twitter, Facebook, Yahoo, and Amazon. Hotspot users who think they're safe when using these websites because their login is protected by SSL have a false sense of security. A sidejacker can use Firesheep to capture the session cookie that represents an SSL-authenticated session and use it to access the website just like the real user, for as long as that session persists.
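The weakness described above is visible in a site's own Set-Cookie headers: a login performed over SSL is undone if the resulting session cookie lacks the Secure flag, because the browser will then send it over plain HTTP as well. The following is an added example (not code from the article or from Firesheep) that audits a raw HTTP response for session-looking cookies missing that flag; the sample headers and the name hints used to spot session cookies are constructed for illustration.

```python
"""Audit a server's Set-Cookie headers for the gap sidejacking exploits:
a session cookie that the browser is allowed to send over plain HTTP.
Added example; names and sample headers are constructed for illustration."""

# Name fragments that usually mark a cookie as carrying session/auth state (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_cookies(raw_response_headers: str):
    """Return [(cookie_name, [problems])] for every session-looking cookie."""
    findings = []
    for line in raw_response_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _value, attrs = parse_set_cookie(line.split(":", 1)[1])
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preference cookies are not what a sidejacker is after
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: sent over plain HTTP, so capturable on the wire")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by page scripts")
        findings.append((name, problems))
    return findings

def hardened_set_cookie(name: str, value: str) -> str:
    """The form a login-session cookie should take: never sent except over TLS."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"

# Constructed sample response: login protected by SSL, but the session cookie
# is left usable over HTTP, which is exactly the pattern the article describes.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessionid=c0nstructed123; Path=/; HttpOnly
Set-Cookie: auth_token=c0nstructed456; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
Content-Type: text/html"""

if __name__ == "__main__":
    for cookie_name, problems in audit_cookies(SAMPLE_HEADERS):
        print(cookie_name, "OK" if not problems else problems)
    print(hardened_set_cookie("sessionid", "c0nstructed123"))
```

Running it against the constructed sample flags `sessionid` (no Secure flag) and passes `auth_token`; the same check can be run against a site's real login response to see whether its session is exposed to this attack.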
So, are you safe from sidejackers if you avoid Wi-Fi hotspots? No. You are safe if you take responsibility for encrypting your own data (as when using a VPN) to make sure that you never send session cookies without encryption. So long as you send session cookies without encryption, there are many other network scenarios in which you are still vulnerable to sidejackers.
For example, Wi-Fi data sent over your home network might be encrypted using WEP – but if someone cracks your WEP key, they can still grab your cookies. Wi-Fi data sent over a small business network might be encrypted with WPA-PSK or WPA2-PSK – but other authorized users who have the same pre-shared key could decrypt your data to grab your cookies. Ethernet data sent over a small hotel or business center network that still uses hubs can easily be captured by other users. Ethernet data sent over switched LANs can be captured if steps are not taken to prevent ARP spoofing, a common way to redirect traffic through a man-in-the-middle attack.
The bottom line: Wi-Fi hotspots pose greater risk because data capture is so easy there, but sidejacking is a network-independent attack against HTTP that can be performed in a wide variety of wired and wireless networks. If you don't know how a network is secured or whether a website is vulnerable, just assume that you need to protect yourself.
This was first published in December 2010