Foreign Policy Blogs

The Firesheep Are Coming! Quick, to the SSL Tunnels!

Amazing how demonstrations of appalling, imminent disaster tend to clarify the thinking.

Artist's depiction of a firesheep based on multiple witness statements.


Eric Butler has developed a brilliant piece of software called Firesheep that makes web site identity hijacking easy and fun for all. (Ed: First the iCow, now the Firesheep? CD: Agreed, it would behoof them to switch it up a bit.)

The concern is easily explained. When you log into many sites (Yes, Mr. Zuckerberg, I’m looking at you) your login information is sent encrypted. This is an improvement over no encryption at all, since eavesdroppers can’t get your password.

The problem is that the web is stateless. The computers that happily dish up your Twitter feed, Facebook status updates, or whatever other sites you’re looking at do not know anything about you between requests. And every image on every page you load is a separate request.

The end result is rather like Memento. The server can’t remember who your friends are or what photo album you were viewing or which page of tweets you were on; it only knows what you’ve asked for. So it keeps a little reminder in the form of a cookie.

(As an aside, “cookie” has to be the worst name ever. Well, almost. Really it’s a ticket that tells the server that you’ve paid, who you are, and what you are here to see.)

So you prove who you are, you get a ticket, you see stuff, you keep handing the absent-minded clerk the ticket to remind him what you were looking for, you go about your business.

But nothing after the password bit is encrypted. So if I’m a baaaa-d boy I can grab your ticket, make a copy of it, and hand it to the server myself; the amnesiac isn’t gonna know the difference.*

So if I want I can get into your Facebook account, change your profile, mess with stuff, masquerade as you, hassle your parents, break up with your girlfriend, etc. All kinds of stuff you’ll feel sheepish about.

But first you need to grab the ticket. This is a lot easier on wireless networks, where every bit of content is by definition broadcast into the ether. So if you’re not politely ignoring it, you grab the cookies, then hustle off to steal the login. Like lambs to the slaughter.

OK, maybe that explanation wasn’t so simple after all.

Anyway, Firesheep makes this trivial. It’s a Firefox extension, so you can just drag it into your browser and away you go. It’ll sniff your network, vacuum up connection cookies, and then let you go have your fun.

The answer really is simple: encrypt everything, not just the login page. If your cookies only ever travel inside an encrypted tunnel, then no one can steal your tickets and therefore your identity.
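The "encrypt everything" fix has a concrete shape on the server side: the session ticket the post describes must only ever be set with the Secure attribute (so the browser refuses to send it over plain HTTP), and the site should send a Strict-Transport-Security header so the browser never makes that first plaintext request at all. The following is an added example, not code from the original post or from Firesheep; it is a small audit that checks a server's response headers for exactly the weakness the post describes. The two sample responses are constructed for illustration, and the cookie name and values are invented.

```python
"""Audit HTTP response headers for the weakness the post describes:
a session cookie that the browser will happily hand over on plain HTTP,
where anyone on the same wireless network can copy it and replay it.

Added example, not code from the original post or from Firesheep.
The sample responses below are constructed for illustration.
"""
from http.cookies import SimpleCookie


def cookie_findings(headers):
    """Return a list of findings for one HTTP response.

    headers: list of (name, value) tuples as a server would emit them.

    - A cookie without Secure rides along on every plaintext request,
      so a captured copy is a working ticket (the Firesheep problem).
    - A cookie without HttpOnly is readable by any script on the page,
      a separate but related way to lose the ticket.
    - Without Strict-Transport-Security, the browser's first request to
      the bare hostname still goes out over HTTP, cookie included.
    """
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # stdlib parser; flags come back as True or ""
        for key, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"{key}: missing Secure (sent over plain HTTP)")
            if not morsel["httponly"]:
                findings.append(f"{key}: missing HttpOnly (readable by page scripts)")

    if not has_hsts:
        findings.append("response: no Strict-Transport-Security header")
    return findings


# Constructed sample: the "encrypt only the login" setup the post complains about.
# The session cookie is set without Secure, so it leaks on the next http:// request.
PLAIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

# Constructed sample: the "encrypt everything" setup the post asks for.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


if __name__ == "__main__":
    for label, resp in (("plain", PLAIN_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, cookie_findings(resp) or ["ok"])
```

Run against the constructed plaintext response it reports the missing Secure flag, the missing HttpOnly flag, and the absent HSTS header; against the hardened response it reports nothing. The same three checks can be pointed at the real headers a site returns after login, which is a quick way to tell whether a site is still handing out tickets that are safe to copy.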

This concept has been around forever and has been exploitable by bad guys just as long, but now that there’s a clear, simple demonstration of it I imagine it will get fixed rather faster.

All you Web 2.0 entrepreneurs too cheap to just encrypt all your traffic, I’m ashamed of ewe.

By the way, wasn’t someone just saying something about darknets?

* Really we have to make this metaphor more complex, because they can tell where you’re coming from too.