While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, most then revert to passing unencrypted information during the rest of the session, a weakness that security analysts have warned of for years, particularly for users of public open Wi-Fi networks.
Firesheep identifies that unencrypted traffic and allows an interloper to “hijack” the session, or log into a Web site as the victim, with just a couple of clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool.
Zscaler’s The Blacksheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users make a more informed security decision about their behavior while on an open Wi-Fi network, for example.
Once Firesheep has intercepted someone’s session credentials for a Web site, it makes a request to that site using the same cookie values. Blacksheep plays on this by making HTTP requests every five minutes to those sites monitored by Firesheep — but using fake cookie values. If Blacksheep then detects Firesheep making a request to the site using the same fake cookie values, it can raise a warning, Zscaler said.
Security analysts have recommended that Web sites encrypt all traffic, but many sites have been unwilling to do it because of the extra processing power needed to maintain encryption. However, there has been progress: In January, Google turned on HTTPS encryption for all users of its Gmail service, where previously it had only been an option.
Other defenses against Firesheep include simply not using open Wi-Fi networks. If that’s not an option, the Electronic Frontier Foundation built a Firefox add-on called “HTTPS Everywhere,” which will automatically trigger an encrypted session with those Web sites capable of providing one. A VPN connection can also thwart attacks.
Keep fighting back