Fire Sheep


  • 8/2/2019 Fire Sheep


    Why Firesheep works and how to counter it

    Dag Erik Vikan
    Norwegian University of Science and Technology,
    Department of Computer and Information Science
    http://dvikan.no

    May 26, 2011

    1 Introduction

    Firesheep is an extension for the Firefox web browser, created by Eric Butler, a freelance web application and software developer. Essentially, Firesheep is a packet sniffer which grabs unencrypted cookies over a wireless network. Firesheep also allows its user to take over someone's session. Although packet sniffing is nothing new, Butler wanted to demonstrate the security risk to users of websites which only encrypt the login process, and not the whole session. This may seem like a good way of protecting the user's login credentials and preserving server resources, but due to the nature of HTTP and the Internet, the user is not safe at all.

    This essay will try to give the reader an understanding of why Firesheep works, and how packet sniffing can be countered. To limit the scope of this text, only the protection of the HTTP cookie will be discussed.

    As you will see, Firesheep does not exploit any code or take advantage of poor implementations, but works because of the way the Internet is built.

    2 Problem discussion

    Popular websites like Facebook and Twitter allow users to log in, and read and share data. Because HTTP is stateless [1], the server cannot tell the difference among HTTP requests. That is, a server cannot know if two successive requests come from the same user. The HTTP cookie was introduced to solve this problem. To understand how Firesheep can take over someone's session, a short introduction to session management is needed.

    2.1 Session management with cookies

    It would be extremely impractical if users had to enter their username and password each time they wanted to request a resource on a website. The HTTP cookie made it possible for HTTP servers to maintain state.


    Session management is the process of keeping track of a user across sessions of interaction with a computer system. The server generates a session identifier (SID) and gives it to the user. On each subsequent request from the client, the SID is sent along with the request. In HTTP, the session handling is typically done in the HTTP headers, and the client sends the SID along in the Cookie header.

    A typical SID exchange in HTTP:

    GET /index.html HTTP/1.1
    Host: www.example.org

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: name=value; Expires=Wed, 09 Jun 2021 10:18:14 GMT

    (content of page)

    The server keeps track of the SIDs on the filesystem with associated user data, and responds with the appropriate interface for anyone who presents that SID. The SID is like a key or a proof that you are indeed in possession of the password for that user, because only someone with a correct user/pass combination could have gotten that SID. In PHP, for example, the session identifier is called PHPSESSID and is 128 or 160 bits long (MD5 or SHA-1 respectively), which makes it infeasible to guess. An example:

    PHPSESSID=64cd786173875c162d3b84cdf5bbac9d

    After the client has been provided with a SID, the client provides the SID on each subsequent request.

    GET /spec.html HTTP/1.1
    Host: www.example.org
    Cookie: PHPSESSID=64cd786173875c162d3b84cdf5bbac9d;

    This is how a web application keeps you logged in. The SID is the temporary key which gives access to your profile. Try inserting the SID cookie in another browser than your default one, and hit refresh; you will see that you become logged in.

    2.2 Why Firesheep works

    As Butler has shown with Firesheep, it is insufficient to only encrypt the login request because the unencrypted SID will be exposed on subsequent client requests. Not only will Firesheep be able to grab cookies, but any other packet sniffer would do the job. This is how the Internet works; by default, nothing is encrypted and everything is in plaintext. This is particularly bad news for wireless networks (e.g. open Wi-Fi hotspots). But in principle, wired networks are just as vulnerable to packet sniffing as wireless ones, though it requires physical access to a node.
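
    The login-only encryption problem described above can be checked for in a site's own traffic. The following is an added example, not code from the original essay: it audits a constructed request/response trace for points where the SID travels, or may travel, in plaintext. The trace format and function names are assumptions, and the cookie Secure attribute it checks is a standard cookie attribute that the essay itself does not discuss.

```python
# Added example: constructed traces, not from the original essay.
SESSION_COOKIE = "PHPSESSID"  # cookie name taken from the essay's PHP example

def parse_cookie_header(value):
    """Parse a request 'Cookie:' header into {name: value}."""
    pairs = (p.strip() for p in value.split(";") if "=" in p)
    return dict(p.split("=", 1) for p in pairs)

def parse_set_cookie(value):
    """Parse a 'Set-Cookie:' header into (name, value, set of attribute names)."""
    first, *attrs = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    return name, val, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit(trace, session_cookie=SESSION_COOKIE):
    """Return (step, finding) for each point where the SID is or can be sent in plaintext."""
    findings = []
    for n, t in enumerate(trace, 1):
        for sc in t.get("set_cookie", []):
            name, _, attrs = parse_set_cookie(sc)
            # Without Secure, the browser also attaches the cookie to http:// requests.
            if name == session_cookie and "secure" not in attrs:
                findings.append((n, "set-cookie-without-secure"))
        sent = parse_cookie_header(t.get("cookie", ""))
        # A SID in a plaintext request is readable by anyone sniffing the network.
        if session_cookie in sent and t["scheme"] == "http":
            findings.append((n, "sid-sent-over-plaintext-http"))
    return findings

# Constructed trace: the login is encrypted, the rest of the session is not.
LOGIN_ONLY_TLS = [
    {"scheme": "https", "path": "/login",
     "set_cookie": ["PHPSESSID=64cd786173875c162d3b84cdf5bbac9d; Path=/"]},
    {"scheme": "http", "path": "/spec.html",
     "cookie": "PHPSESSID=64cd786173875c162d3b84cdf5bbac9d;"},
]
# Constructed trace: the whole session runs over TLS and the cookie is marked Secure.
FULL_TLS = [
    {"scheme": "https", "path": "/login",
     "set_cookie": ["PHPSESSID=64cd786173875c162d3b84cdf5bbac9d; Path=/; Secure; HttpOnly"]},
    {"scheme": "https", "path": "/spec.html",
     "cookie": "PHPSESSID=64cd786173875c162d3b84cdf5bbac9d;"},
]

if __name__ == "__main__":
    for label, trace in (("login-only TLS", LOGIN_ONLY_TLS), ("full-session TLS", FULL_TLS)):
        print(label, audit(trace))
```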

    2.3 Encryption comes to the rescue

    To remedy the problem of plaintext cookies on the loose, encryption is the solution [2]. What we want is confidentiality (only sender and receiver can see content). Interestingly, it is possible to provide encryption in any of the top four layers of the Internet protocol stack. It is generally easier to deploy new Internet services at higher levels of the protocol stack. Many application developers do this, instead of waiting for security to be broadly deployed at the network layer.

    Secure Sockets Layer (SSL) is a very popular protocol which provides end-to-end encryption [3]. From a developer's perspective, SSL lies at the transport layer, encapsulating application layer protocols such as HTTP, FTP and SMTP.

    SSL is supported by all major web browsers, and is used by all Internet commerce sites.

    3 Conclusion

    As Firesheep has shown, the Internet is a very open place. Everyone can connect to it, and enjoy many of its services. But your privacy may be invaded if no security features are deployed. Many years of research and hard work have resulted in a set of security protocols which today secure sensitive data all around the world.

    SSL would render Firesheep and any other packet sniffer useless, because they would only see garbled ciphertext.

    Butler's Firefox extension, Firesheep, has made many ordinary users alert to the dangers of travelling through unencrypted wireless networks. The road ahead must be to further encourage big sites like Facebook and Twitter to turn on SSL by default, so that our privacy will not be invaded.

    References

    [1] Mike Andrews, James A. Whittaker, How to break web software, Addison-Wesley, 2006

    [2] William Stallings, Cryptography and Network Security Principles and Practices, Prentice Hall, fourth edition, 2005


    [3] James F. Kurose, Keith W. Ross, Computer Networking: A top-down approach, Addison-Wesley, fifth edition, 2010
