Stealing from the cookie jar

Your online accounts are vulnerable. From Amazon to Yahoo!, your personal information on many of your favourite sites, if used on a public network, can easily be stolen. Thanks to a Firefox plug-in called Firesheep, released last week by hacker Eric Butler, this risk is higher than ever. By installing the plug-in and connecting to a public network, amateur hackers can gain access to dozens of accounts in seconds.

Firesheep steals your identity by stealing cookies (no, not from the cookie jar). Cookies have been used for the last 15 years, and they allow site administrators to remember who certain users are. When you log in to a site like Facebook, your username and password are passed through an encryption algorithm before being sent to the site. This way, even if your information were intercepted, it would be useless. After logging in, however, all of your communication with the site is unencrypted. Wireless encryption such as WEP or WPA protects communication between your computer and the router, but on a public network this client-router safeguard is absent.

Imagine your network is a giant room, with one person responsible for handling all communication out of the room. That person is the router. Each computer, or client, would be a person in the room. Over an Ethernet connection, each person has a telephone to communicate with the router, so nobody can hear their conversations. With a wireless connection, however, all of the clients must shout their information at the router. In this case, everyone can hear everyone else’s communications. On an encrypted network, each person uses a secret code to do their transmission, so while a message can be understood by the client and the router, nobody else understands what they’re saying. However, on a public network, this information is not encrypted. This means everyone in the room can hear what everyone else is saying. All they have to do is listen.

While your computer typically ignores messages not addressed specifically to it, Firesheep uses a library called WinPcap, which listens to all messages that your computer can see on a public network. Firesheep can’t be used to steal your username and password, but when you request a page which requires cookies, your machine sends the cookie to the router in an unencrypted format. Firesheep, when listening to transmissions, can steal this cookie and remember it. Then, the Firesheep user can simply request the page using your cookie, which will fool the site into thinking that he or she is you. The amateur hacker can then muck around with your account all they like.

The writer, Butler, said that he didn’t intend for this plug-in to be used in a malicious manner, despite the possibility. Rather, he created it to demonstrate the issues with unencrypted cookie transmission to these site administrators. Point taken, Butler.

The solution to this problem isn’t to stop using these sites on an unencrypted network. In fact, any site with a social network plug-in, like a tweet or a “like” button, involves this cookie information. While the onus is on site administrators to use SSL encryption protocols to encrypt all sensitive information, you can take security measures yourself until they do. Firefox users can install the HTTPS Everywhere plug-in, which forces Firefox to use the stronger HTTPS encryption whenever possible. Force-TLS uses a similar method of forcing HTTPS encryption. Logging in to a Virtual Private Network can also be used to secure communication with the web.
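For site administrators, the fix described above can be checked from the response headers of the login page. The Python script below is an added example, not code from Firesheep or from any site named here: it flags session cookies that lack the Secure attribute (and so would travel over later unencrypted HTTP requests) and a missing Strict-Transport-Security header, the standard way for a site to tell browsers to use HTTPS only. The header samples and function names are constructed for illustration.

```python
# Added example: the header samples below are constructed, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0


def audit_response(headers):
    """Audit (name, value) header pairs from an HTTPS login response; return findings."""
    findings, hsts_on = [], False
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie '{name}' lacks Secure: sent unencrypted on http:// requests")
        elif key == "strict-transport-security" and hsts_max_age(value) > 0:
            hsts_on = True  # max-age=0 switches HSTS off, so it does not count
    if not hsts_on:
        findings.append("no effective Strict-Transport-Security: browser may still use http://")
    return findings


# Constructed login responses: encrypted login only, versus HTTPS enforced throughout.
WEAK_LOGIN = [("Content-Type", "text/html"),
              ("Set-Cookie", "session_id=constructed123; Path=/; HttpOnly")]
HARDENED_LOGIN = [("Set-Cookie", "session_id=constructed123; Path=/; HttpOnly; Secure"),
                  ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(hdrs) or "no findings")
```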

Firesheep points out a gaping hole in web security. While site administrators might think they’re keeping users safe by encrypting login, they’re fooling themselves if they’re using unencrypted HTTP connections after that point. As Butler pointed out, it’s actually quite easy to steal cookies that these sites use and pose as another user. We can only hope that popular websites fix this issue soon. Until then, it would be foolish to use any non-HTTPS site on an unencrypted network.