Author Topic: Firefox Plugin Thread  (Read 7868 times)

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
Re: Firefox Plugin Thread
« Reply #15 on: November 03, 2010, 09:35:59 AM »
Firesheep.  It was in the news this weekend. I finally tried it last night.  Sh!t it is scary.  It allows anyone (not just black-hat hackers, but ANYONE) to packet sniff the network and hijack any session cookie and includes pre-written log-in scripts for tons of popular sites, including Facebook, Twitter and Amazon.

You install it, and it starts listing all the available cookies.  In the case of Facebook users, I noticed it includes their user name AND avatar.  You double click the one you want and *boom* you're logged in to whatever site it is AS that person.

What a freaking security wake up call.  I mean, I'm going to start thinking twice about using open wi-fi networks and help my parents and mother-in-law lock down their home routers (which are currently open).

Of course, most of the major sites have begun taking some countermeasures.  After I tried to log into my own Facebook account (I'm not an ass so I didn't try to log into anyone else's) - Facebook locked me out.  Not my account itself (I could still log in from another computer or even using Safari) but they blocked my specific instance of Firefox from accessing any account - I tried from both work and at home.
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."

Dumah

  • Jackass IV
  • Posts: 960
  • Karma: +21/-6
Re: Firefox Plugin Thread
« Reply #16 on: November 03, 2010, 10:13:46 AM »
>>Firesheep.

It's a tough exploit to counter server-wise. I wrote a site recently that needed decent security and didn't have a very mature web framework (python-twisted). What I ended up doing was to keep refreshing the session key and renewing the cookie after a few minutes and to take as much browser info as possible at login from the request, hash it and save it to the session. Then I'd recheck that data as part of my authorisation system whenever an authorised resource was requested. Not perfect but it was the best I could come up with.

Anyone else have any ideas on this stuff and how to combat it server-side?

micah

Re: Firefox Plugin Thread
« Reply #17 on: November 03, 2010, 10:52:04 AM »
>>Firesheep.
>>Anyone else have any ideas on this stuff and how to combat it server-side?

I was kind of thinking along those lines.
At initial log in, set a session var like:

$_SESSION['browser_hash'] = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);

then, whenever a page loads and I check the session for authentication, add:

if ($_SESSION['browser_hash'] !== md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'])) {
    // strict comparison: with != PHP can compare two "0e..." hex strings as numbers
    exit("some sort of error message or maybe ask the user to re-confirm their password");
}

Not a perfect solution of course because the side-jacker could theoretically have the same user_agent string (or spoof yours if they knew it) and, if they're already on your network, they probably have your IP too.   But it would be a deterrent.  If you needed anything more secure, you should be using SSL anyway.

Dumah

Re: Firefox Plugin Thread
« Reply #18 on: November 03, 2010, 11:28:29 AM »
>>Not a perfect solution of course because the side-jacker could theoretically have the same user_agent string (or spoof yours if they knew it) and, if they're already on your network, they probably have your IP too.   But it would be a deterrent.

True, it's not ideal... but most version changes of browsers have different user_agent settings so it is a little help

>>If you needed anything more secure, you should be using SSL anyway.

It is on SSL now so it's hidden from wireless snoopers anyway. I kept the hash as a little extra cover if the cookie was accessed from PC's disk via a rootkit or something - probably not likely and the timing control would keep the attack window small, but as long as the extra processing isn't getting in the way I'll keep it going.
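
Added example, not part of any post in this thread: a Python sketch of the server-side checks discussed in Replies #16 to #18 (session key refreshed after a few minutes, request fingerprint hashed at login and rechecked on every authorised request, cookie restricted to SSL). The class and function names, the five-minute interval, the choice of headers and the use of HMAC-SHA256 in place of md5 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
ROTATE_AFTER = 300                    # seconds; stands in for "a few minutes"
FP_HEADERS = ("User-Agent", "Accept-Language")  # assumption: headers to bind

class SessionStore:
    """In-memory session table keyed by the current session id."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now               # injectable clock so rotation is testable

    @staticmethod
    def fingerprint(headers):
        # Keyed hash over request attributes (HMAC-SHA256 swapped in for md5).
        material = "\n".join(headers.get(h, "") for h in FP_HEADERS)
        return hmac.new(SERVER_KEY, material.encode(), hashlib.sha256).hexdigest()

    def login(self, user, headers):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": self.fingerprint(headers),
                               "issued": self._now()}
        return sid

    def authorise(self, sid, headers):
        """Return (user, sid_to_set), or (None, None) when the request is refused."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None, None
        if not hmac.compare_digest(sess["fp"], self.fingerprint(headers)):
            del self._sessions[sid]   # mismatch: drop the session, force re-login
            return None, None
        if self._now() - sess["issued"] >= ROTATE_AFTER:
            del self._sessions[sid]   # the old id stops working immediately
            sid = secrets.token_urlsafe(32)
            sess["issued"] = self._now()
            self._sessions[sid] = sess
        return sess["user"], sid

def cookie_header(sid):
    # Secure keeps the cookie off plain HTTP; HttpOnly hides it from page scripts.
    return f"session={sid}; Path=/; Secure; HttpOnly"
```

As the replies above note, a client that replays the same headers still passes the fingerprint check; the Secure cookie over SSL is what keeps the session id off the wire.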

Mike

  • Jackass In Charge
  • Posts: 11257
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: Firefox Plugin Thread
« Reply #19 on: November 03, 2010, 11:58:25 AM »

Mike

Re: Firefox Plugin Thread
« Reply #20 on: November 03, 2010, 12:08:27 PM »
I'm also looking into the use of localstore but unfortunately that is client-side so some things need to be changed.

I want to use HTTPS more but there are so many pitfalls it isn't even funny.

Steve

  • This 49%er supports Romney
  • Just a Jackass
  • *
  • Posts: 16120
  • Karma: +31/-410
  • Mr. Mom
Re: Firefox Plugin Thread
« Reply #21 on: January 25, 2011, 03:10:50 PM »
Is there an extension to apply spell check automatically? I know it flags them as I type, but can they be corrected as I type? Like on a BlackBerry or iPhone. I would want it to ignore things it can't correct, like iPhone
hey ethic if you and i were both courting lily allen..... oh wait, which one of us has a relationship that lasted more than the bus ride home?