Wednesday, October 27, 2010

Re: FireSheep

A new sidejacking tool, "FireSheep", has been released. Unlike my "Hamster" tool which worked as a proxy server, FireSheep works as a browser plug-in. Unlike Silica from ImunitySec, it's free. Here are my experiences with it.


First of all, the plug-in "Force-TLS" does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I'm not sure what Force-TLS does, but it doesn't force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL "http://twitter.com" still appeared in the address bar.

Second, FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody's traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).

Third, whereas things like Hamster and Silica show you every possible website to hijack, FireSheep only shows you a list of well-known sites. This is better in some respects: they've scripted the interaction with each website to do things like pull images from the websites. It's worse in other respects, because you have to manually add other sites.


The presentation on FireSheep has the really cool graphic above, showing an elephant in the room. That's what sidejacking is: how long will providers like HotMail (MSN Live) and Yahoo continue not to provide encryption for their e-mail products? Seriously, if you still use the free versions of HotMail or Yahoo Mail, you are an idiot.

Likewise, how long will Twitter and Facebook go without making encryption mandatory for their services?

As a qualifier, I'd like to distance myself from other security professionals who claim that SSL is essentially "free". I know that it isn't. I know it does raise the cost of delivering services. I understand it is buggier than we like to admit, such as working through satellite Internet providers. Yet, even these costs are far below the benefits of SSL encryption of connections.

Finally, I think this will be the display for next year's "Wall of Sheep" at DefCon. Whereas in the past they showed passwords, this next year I think they will show people's pictures from their Facebook/Twitter accounts that are hijackable.



Update: Force-TLS vs. Twitter



I'm trying this on one machine: the Firefox 3.6 instance has FireSheep installed, the Firefox 3.5 instance has Force-TLS installed. Both have their cookies nuked before starting.

Below is the picture showing the Firefox/3.5-ForceTLS settings. As you can see, it's configured for everything Twitter.


Here is a picture of the Firefox/3.6-Firesheep instance.


The first time I did this when writing the blog post, I saw "http://twitter.com" in the browser with ForceTLS installed. I also saw the FireSheep browser display my name immediately when I logged in.

The second time when I took screenshots, I did not see that behavior. Instead, "https://twitter.com" is displayed in the ForceTLS browser, and it wasn't until about a minute later that I saw my name appear in the FireSheep browser.

The obvious implication here is that ForceTLS isn't stopping XmlHttp requests from being unencrypted. I used Wireshark to capture what was going on, and indeed found such a transaction (although it's JSON rather than XML):


This appears to be a bug in Twitter, left behind by developers.

So, what these results tell us is that ForceTLS does not stop XmlHttp requests, and that there will be a chronic issue of bugs in websites that leave these things around.
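A leftover plaintext XmlHttp request only hands the session to a sidejacker if the browser is willing to attach the session cookie to it, so the server-side fix is to mark the cookie Secure and to send Strict-Transport-Security so the browser upgrades the request itself. The audit below is an added example, not code from the post or from FireSheep; the two responses and the `_session_id` cookie name are constructed, and the session-name regex is a heuristic.

```python
import re

# Constructed sample headers (not from the post). WEAK mirrors a site whose
# session cookie the browser attaches to any plaintext request, such as a
# leftover http:// XmlHttp call; FIXED adds the Secure cookie flag and HSTS.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: _session_id=c0ffee; Path=/; Domain=.example.com\r\n"
    "\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: _session_id=c0ffee; Path=/; Domain=.example.com; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
# Cookie names that usually carry login state; a heuristic, not a standard.
SESSION_NAME = re.compile(r"sess|auth|token|sid", re.I)

def parse_headers(raw):
    """Return (lower-case name, value) pairs; Set-Cookie may repeat."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                     # blank line ends the headers
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return findings that let a sidejacker obtain the session; [] if none."""
    findings = []
    headers = parse_headers(raw)
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security: browser will follow http:// URLs")
    elif "includesubdomains" not in hsts[0].lower():
        findings.append("HSTS without includeSubDomains: other subdomains stay plaintext")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        if SESSION_NAME.search(cookie) and "secure" not in attrs:
            findings.append(f"{cookie} lacks Secure: sent on any plaintext request")
    return findings
```

Run it against a real site's login response and the Secure finding is the one that matters for the bug described above: with the flag set, the stray JSON request can still go out over http://, but it carries no session cookie for a sniffer to replay.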

3 comments:

Ben said...

My understanding is that Force-TLS is making use of the HTTP Strict-Transport-Security header, which is relatively new. As such, it doesn't surprise me that it's not implemented properly. Mozilla has a write-up on it today:
http://blog.mozilla.com/security/2010/10/27/cooling-down-the-firesheep/

cityZombie said...

Visit my blog to get custom handlers for firesheep.

Yuhong Bao said...

I just ran Wireshark and collected a packet capture again today, and it looks like Twitter has recently fixed this.