A Simple Overview of Web Security, session IDs, and Firesheep
Søren Ragsdale
Dec. 22nd, 2010, 06:30 pm

Let's say your computer is logged onto Facebook. On the other end, the Facebook web server is worrying about who you are, and whether you're allowed to see what you're asking to see. If it thinks you're you, it'll let you see your friends' pictures.

After you successfully log in, websites give your browser a session ID: a ticket that proves you logged in. You don't need to enter your name and password every time you load a page because the session ID proves that you already did. When you "sign out", the browser destroys the session ID and you can't load private pages until you sign in again and a new one is created.

Session IDs can be stolen by anyone who shares your network. If you're blogging from an airport, hotel, or coffee shop, your fellow patrons can find your session ID, present it to the web server, and impersonate you. They can see private LJ posts, place bids on eBay, and make comments under your name on Facebook. I've done this for legitimate reasons - copied my browser's session ID to wget so that I could save copies of online documentation. Someone who runs a packet analyzer can copy your session ID and do worse. Firesheep is particularly easy to use. With one click, someone can steal your session ID and start browsing as you.

Websites can prevent this with encrypted HTTPS connections. But some websites don't, because the encryption required for HTTPS uses more resources. Others leak session IDs by mistake. Even if everything else is secure, one "http://" link on one page can be enough: the browser sends the session ID along with that unencrypted request, and anyone on the network can read it.
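The leak above comes down to one cookie attribute. A session ID is normally stored as a cookie, and a browser will attach a cookie to every request for that site, plain HTTP included, unless the site marked it Secure. The following is an added example, not code from the post: it uses Python's standard-library cookie jar (which applies the same rule browsers do) to show a session cookie handed out over https:// and then check what a later http:// page load on the same site would carry. The host `example.com` and the session value `sid=abc123` are constructed placeholders.

```python
# Added example (not from the original post): how a browser's cookie jar decides
# whether to send a session cookie over plain HTTP. The host name and the session
# value "sid=abc123" are constructed placeholders; the decision logic is Python's
# standard-library http.cookiejar, which follows the same rule browsers use.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for the login response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def store_login_cookie(jar, login_url, set_cookie_value):
    """Simulate the server handing the browser a session ID after login."""
    jar.extract_cookies(FakeResponse([set_cookie_value]), Request(login_url))


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for url,
    or None if the jar refuses to send anything (e.g. a Secure cookie over http)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def compare_cookie_flags(host="example.com", session="sid=abc123"):
    """Load the same http:// and https:// page with a session cookie that was set
    without and then with the Secure attribute; returns what each request carries."""
    results = {}
    for label, attrs in (("no_secure_flag", "Path=/"),
                         ("secure_flag", "Path=/; Secure")):
        jar = CookieJar()
        store_login_cookie(jar, f"https://{host}/login", f"{session}; {attrs}")
        results[label] = {
            "http": cookie_header_for(jar, f"http://{host}/page"),
            "https": cookie_header_for(jar, f"https://{host}/page"),
        }
    return results


if __name__ == "__main__":
    for label, sent in compare_cookie_flags().items():
        print(label, sent)
```

Without the Secure attribute the session ID rides along on the http:// request, which is exactly what a sniffer on the shared network picks up; with it, the browser withholds the cookie and the stray "http://" link only costs you a page that doesn't recognise you. This is the site's fix, not yours: a user can't add the flag from the browser side.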

The HTTPS Everywhere plugin won't protect you everywhere, but it will force PayPal, Facebook, and a few other websites to use HTTPS when they'd rather not.

A Virtual Private Network (VPN) is a more robust option. It puts all your traffic safely inside an encrypted pipe where it can't be seen. If your employer hasn't set one up, there are commercial options. I tried StrongVPN, which works pretty well and costs $7/month or $55/yr. (As an added bonus they'll let you pick your IP address - handy for watching Netflix/Hulu or BBC while overseas.)

If you're really daring you can set up your own VPN. These instructions describe how to set up an OpenVPN relay on Amazon EC2. I've actually done this, and it works pretty well. I'm attending 27c3 next week, where it seems like a good idea to be careful about such things. (I'm also trying to get L2TP/IPSec working, but no luck yet. Pointers welcome.)