
Firesheep: Easy HTTP session hijacking from within Firefox - cdine
http://codebutler.com/firesheep
======
gaoshan
For anyone who has SSH access to a server (but not VPN) and is wondering what
to do when you need some security in a pinch, here is a quick fix...

Open an ssh connection to a server you have access to using something like the
following:

ssh -ND 8887 -p 22 rufus@12.120.186.8

where 8887 is the port on your laptop that you will tunnel through, -p 22 is
the port the ssh server is on (22 is the default but I use a different port so
I am used to specifying this) and the rest is your username and the address of
the server

Set your network to point to the proxy. On a Mac that would be…

... Open Network Preferences…

... Click Advanced…

... Click Proxies…

... Check the SOCKS Proxy box then in the SOCKS Proxy Server field enter
localhost and the port you used (8887)

... OK and Apply and you are done!

Now you can surf safely.

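The `ssh -D` tunnel above only protects what the browser actually hands to the SOCKS port on the laptop. The added example below (my own code, not part of OpenSSH, Firefox or Firesheep) builds and parses the SOCKS5 messages from RFC 1928 that flow over that port, and makes the one check worth doing on such a setup visible: whether the hostname is passed through the tunnel for the SSH server to resolve (address type 0x03), or was resolved locally first, in which case the DNS query already crossed the open Wi-Fi in clear text. The helper names (`build_connect_request`, `resolved_locally`, `parse_reply`) and the reply bytes in `__main__` are mine and constructed.

```python
import socket
import struct

# Added example, not part of OpenSSH or Firesheep: the SOCKS5 (RFC 1928)
# messages a browser sends to the local port opened by "ssh -D". The point
# worth checking in such a setup is *who resolves the hostname*: with
# ATYP=0x03 the name goes through the tunnel and the SSH server resolves it;
# if the client resolves it first (ATYP=0x01/0x04) the DNS query has already
# gone over the open Wi-Fi in clear text. The reply bytes in __main__ are
# constructed.

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting():
    """Client hello offering only method 0x00 (no authentication), which ssh -D uses."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host, port):
    """Build a CONNECT request; hostnames are passed through unresolved (ATYP=0x03)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not 0 < len(name) < 256:
                raise ValueError("hostname length must be 1..255 bytes")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def resolved_locally(request):
    """True when the request carries an IP literal, i.e. the name was resolved on
    the laptop (DNS leaked to the local network) instead of at the tunnel endpoint."""
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(data):
    """Parse a server reply into (ok, description, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end, bound = 8, socket.inet_ntop(socket.AF_INET, data[4:8])
    elif atyp == ATYP_IPV6:
        end, bound = 20, socket.inet_ntop(socket.AF_INET6, data[4:20])
    elif atyp == ATYP_DOMAIN:
        end, bound = 5 + data[4], data[5:5 + data[4]].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", data[end:end + 2])
    return rep == 0x00, REPLY_TEXT.get(rep, "unknown reply code"), bound, port


if __name__ == "__main__":
    req = build_connect_request("news.ycombinator.com", 443)
    print(req.hex(), "resolved locally:", resolved_locally(req))
    # Constructed reply: success, bound to 0.0.0.0:0, as ssh -D typically answers
    print(parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

In practice this is the difference between Firefox's "Proxy DNS when using SOCKS v5" option (the `network.proxy.socks_remote_dns` preference) being on or off, and between `curl --socks5-hostname` and `curl --socks5`: with remote resolution the access point sees only one encrypted SSH stream, without it every site name you visit is still visible in the DNS traffic.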
~~~
alanstorm
Also, remember that some programs don't respect the system's proxy settings
and instead use their own. Firefox is one of those, you can find its proxy
settings in "Advanced -> Network -> Settings"

~~~
seanalltogether
Also unfortunately I think Flash and Silverlight media streaming don't respect
proxies, leaving me unable to stream Hulu and Netflix when I'm in the UK.

~~~
enneff
They _should_, and do for me typically using Chrome.

------
ramanujan
There are probably going to be a lot of people negatively affected by this for
quite some time to come. One thing to point out is that there are grades of
things. There is "public", and then there is "top hit on Google". Similarly,
there is "insecure" and then there is "simple doubleclick tool to facilitate
identity theft".

How many millions of dollars and man hours is it going to take to lock down
every access point? How many new servers are going to be needed now that https
is used for everything and requests can't be cached?

America was a better place when people could keep their doors unlocked, and
when someone's first response to a break-in was to blame the _criminal_. By
contrast it's fashionable among a certain set (no doubt including the author
of this mess, Mr. Butler himself) to hold that the real culprits are the door
manufacturers. What said facile analysis excludes, of course is that there is
_always_ a greater level of security possible. The level we currently employ
reflects our tradeoffs between the available threats and the cost/convenience
loss of bolting our doors and putting finials on our gates.

Butler has simply raised the threat level for everyone. He did not invent a
new lock or close a hole. He's now forcing lots of people to live up to _his_
level of security. Congratulations to the new Jason Fortuny.

~~~
jfager
Butler has not raised the threat level on anything. This has been a widely
known issue since _forever_. A friend of mine wrote a sniffer that could do
this back in college, and he was one of the last to the party. Want something
else to kvetch about? His tool could impersonate the router and act as a
proxy, including serving up ssl-encrypted pages to users who didn't realize
they shouldn't accept certs from unknown signers - again, that was _years_
ago, and even then it was nothing new or unique at all.

When a tool like this rises to even a minimum level of public consciousness,
you're better off thinking "people have probably been doing this for close to
a decade" than "this asshole just ruined the internet by pointing out an
obvious flaw that someone will now be able to exploit".

And yes, at some point, a door manufacturer that knows how easily their doors
will open and how frequently people will just walk through does take on some
responsibility to add a lock (and the homeowner to use it). It's going to cost
more in servers? Okay, so what? It costs more to install seatbelts, are you
upset at Ralph Nader, too?

[Edited to bring it down a notch]

~~~
ramanujan
> Butler has not raised the threat level on anything.

Flat out false. Ever heard the term "crime of opportunity"?

What's your over/under on the number of identity thefts facilitated by Eric
Butler's little gift? Let's make this empirical.

~~~
jfager
Anyone who wanted to hijack http sessions was five minutes of Googling and
installing away from being able to do so before "Eric Butler's little gift"
anyways. Are you claiming that the marginal impact of packaging it up into a
firefox extension is so great as to make it a threat of a wholly different
kind?

~~~
ramanujan
That is exactly what I'm claiming. That's also why this article has 200+
comments and was on the top of Hacker News all day!

You vastly underestimate the barrier that "five minutes of Googling" presents.
I assure you, the overwhelming majority of aspiring script kiddies would never
be able to figure it out. It took an expert to package an exploit in a nice
GUI (and write cookie parsing code for every major social site under the sun).

~~~
jfager
As long as only the minimally motivated can exploit it, it's not really a
problem, gotcha.

How about instead of shooting the messenger, you take some of that righteous
anger and point it at the companies with millions/billions to spend who have
simply ignored a longstanding known issue?

~~~
ramanujan
How about you recognize that there are a lot of innocent people who will be
hurt by this stunt? There are hundreds of thousands of companies and millions
of people who are targets for this, and most don't have a spare million lying
around.

Hospitals, nonprofit groups, anyone running a website has to drop everything
to lock it all down now. The effect is a lot like loosing a new virus (and
might ultimately be treated that way).

> As long as only the _highly_ motivated can exploit it, it's not really a
> problem, gotcha.

^ This modified statement is correct. All I'm saying is that making something
easy to use and publicizing it widely is going to result in a lot more people
using it.

[Edits - hey jfager, I don't know you from adam and don't particularly enjoy
flamewars. I agree that in the long run this should be fixed, ideally in such
a way that 99.99% of people can blissfully go about their day. I just wish
that the energy to secure stuff had taken the form of (say) a post on "here's
how Google converted Gmail to https" rather than Firesheep. Hope we can find
some common ground and you can see my POV.]

~~~
jfager
The intersection of 'evil enough to do something truly malicious', 'read a
tech blog in the right 24-hour period', 'didn't already know the problem
existed', and 'in enough cafes to pair with enough potential victims' is too
low to cause "millions" more to be impacted by this, I promise.

Your implicit definition of 'highly motivated' (someone willing to put in 5
minutes of Googling) makes me sad.

I'm agitated because you're trying to hang someone for doing A Good Thing:
putting real pressure on the bigs to finally actually fix a well-known,
longstanding problem.

[Response to your edit: Facebook, Twitter, and other big sites know about the
problem. How would explaining to them how Google secured Gmail change
anything? They know how Google secured Gmail, and they know how to secure
their own services. They just simply aren't, because it saves them money and
their customers aren't demanding it. But the only reason their customers
aren't demanding it is because the vast majority of their customers don't know
the threat exists. This tool makes the threat clear as day to the most
unsophisticated layperson, which makes it real, effective pressure, far more
than yet another blog post asking nicely for SSL by default].

~~~
bonaldi
It might make you sad, but it's spot on. People were sharing MP3 files on
usenet pretty easily, back in the day. It would have taken 5 minutes or less
to work out how -- even easier than grabbing cookies.

It wasn't until Napster made that 0 minutes of googling that MP3 filesharing
really took off.

For something like this to end up on millions of desktops, you have to be able
to explain it to a half-stoned frat at a party. "Five minutes of googling and
then some nerdery"? No chance. "Install this, go to the quad and you can sign
into the facebook of any other person there?" Yup, that's going to spread like
wildfire.

~~~
daten
The responsibility is with every admin that set up an insecure access point,
not with every security researcher to stay quiet about widely known and widely
exploited vulnerabilities.

This isn't new. Point and click tools for doing this existed 10 years ago.
Making a firefox plugin just pushed it back to the top of the headlines. This
is actually a good thing because if word spreads more people will be aware of
the already existing risk and will be more security conscious.

Does this mean everyone should stop logging into their personal accounts over
insecure wifi at school or starbucks? ABSOLUTELY.

Hopefully this new attention on an old hole will motivate more admins to fix
their networks and more users to realize how vulnerable they are.

------
carbon8
This is kind of a big deal. Not a whole lot of people are aware of this
vulnerability and among those who are it's likely only a small subset that
knew how to exploit it until now. I suspect all of the coffee shops in the
college town where I live will have people using this starting tomorrow.

I've personally been working from cafes and tunneling everything through SSH
for years, but in my experience almost no one else does this.

~~~
petercooper
_I've personally been working from cafes and tunneling everything through SSH
for years_

To where? I suspect it's to a server, VPS, or similar, and the connection is
unencrypted from there to its endpoint. This being the case, could someone
with a server on the same subnet be running a browser remotely (or even just
tcpdump) and doing a similar thing with your logins?

_(This is just some thinking out loud and I may be totally wrong - correct me
;-))_

~~~
azim
Virtually no modern wired networks use hubs anymore, they're for the most part
switched. Unlike wireless networks where packets are broadcast freely into
the air, the switch checks the destination address and sends the packets only
to the endpoint. There are some attacks like arp-spoofing and flooding which
can defeat this, but they don't work well against modern enterprise-grade
switches like you would find in a data center.

~~~
petercooper
Have a bazillion karma points. I didn't realize that switching resolved that
whole problem. This is why I continue to bring up stupid hypothetical
situations on HN from time to time ;-)

~~~
iuguy
Switching doesn't resolve the problem completely. There are a range of
complicated attacks that could be done, but can be detected in various ways in
a well run NOC.

~~~
petercooper
But we're talking a lot more complicated and deliberate than running tcpdump
or this Firefox plugin, right?

~~~
iuguy
I guess if you really wanted to you could run a GUI tool like Cain
(<http://oxid.it/>), but most people doing this type of thing would use
something like Scapy or at worst, Yersinia.

So I'd agree, more complex definitely, significantly not as much perhaps (it
depends on the type of attack as tool), as for deliberation I'd say about the
same as the firefox plugin.

If you do run tcpdump you do pick up broadcasts and such, one of our VPS
instances actually sees a load of DNS traffic for our subnet, which we think
is the other VPS instances.

------
kogir
This is one of many reasons Loopt has used SSL for all[1] traffic from the
very beginning. At least WiFi has fairly limited range. Cell networks[2] (and
satellite internet[3]) can be sniffed miles away.

In addition to making session hijacking harder, using SSL keeps crappy proxies
from caching private data. Remember when some AT&T users were getting logged
in as other users on Facebook's mobile site? The cause was a mis-configured
caching proxy.

Raising awareness of issues like this gets them fixed. Until a service's users
demand SSL, it won't be offered. Unless the service is Loopt :) It's not a
noticeable computational burden, but it does increase latency and cost money
(for certs).

1. Not images
2. Older GSM crypto can be hacked in real time with rainbow tables now
3. Usually not encrypted at all

~~~
cdine
Indeed, Loopt appears to be one of the few high-profile sites to have done
this right. SSL for everything, and cookies that are relevant to login
sessions are marked secure. This is what we need everywhere!

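What "cookies that are relevant to login sessions are marked secure" means in header terms, as an added example (my own code, not Firesheep's or Loopt's): an audit of the `Set-Cookie` headers a site sends, checking the attributes that decide whether a session cookie can ever travel over plain HTTP. A cookie without `Secure` is sent on every `http://` request too, so a single plain-HTTP image or redirect hands it to a sniffer on the access point; `HttpOnly` keeps it away from script, and a `Domain` attribute widens it to every subdomain, each of which then has to be HTTPS-only as well. The helper names and the sample headers are mine and constructed; the session-name heuristic is deliberately simple.

```python
# Added example, not code from Firesheep or from Loopt: an audit of the
# Set-Cookie headers a site sends, checking the attributes that decide whether
# a session cookie can travel over plain HTTP at all. The sample headers below
# are constructed.

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic: names like sessionid, PHPSESSID, auth_token, login."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookie(header_value):
    """Return the list of weaknesses for one cookie (empty means it passes)."""
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: the browser will also send it on http:// "
                        "requests, so one plain-HTTP image or redirect exposes it")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by any script running on the page")
    if "domain" in attrs:
        problems.append("Domain=%s: sent to every subdomain, all of which must then "
                        "be HTTPS-only" % attrs["domain"])
    return problems


def audit_response(headers):
    """headers: iterable of (name, value) pairs as received from the server.

    Returns {cookie_name: [problems]} for every cookie that looks like a session cookie.
    """
    report = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = parse_set_cookie(value)[0]
        if looks_like_session_cookie(cookie_name):
            report[cookie_name] = audit_cookie(value)
    return report


# Constructed sample: one cookie is sniffable on open Wi-Fi, one is set the
# way the comment above describes, one is not a session cookie at all.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=c0ffee1234; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Run against the headers of a real login response (for instance from `curl -i`), the report shows in one line whether the site is in the "good" or the "bad" column of the talk's examples. Note that `Secure` only helps if the site serves everything over HTTPS: a session cookie that is never sent over HTTP is only as safe as the absence of any HTTP page that would set or need it.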
~~~
brlewis
I'm proud of <http://ourdoings.com/> having done this since 2004.

------
Groxx
_Nice_. A solid demonstration to show next time your webmaster doesn't want to
set up SSL everywhere.

That said, the current cartel-like setup of certificate authorities
(protection money and everything!) makes SSL annoying and expensive if you
want the browser to not have a fit. Especially for small-scale projects. But
there's really no excuse for larger sites.

~~~
StavrosK
You can get SSL certificates for free for one domain, and they work with all
browsers (except Opera, IIRC). Also, you can use Perspectives for Firefox,
which I think is much better than the current system.

~~~
ryan-allen
I've had a bit of a look on Google, but I'm not 100% sure which provider you
mean? Where can you get free SSL certificates that don't upset browsers?

~~~
StavrosK
Ah, I can't remember the name now... Rapidssl? That's probably it. Check
historio.us, the ssl cert there is a free one (which is, sadly, why subdomains
don't validate).

EDIT: I searched and it's actually <http://cert.startcom.org/>.

~~~
qeorge
_Check historio.us, the ssl cert there is a free one (which is, sadly, why
subdomains don't validate)._

AFAIK this is common to all certs (free or otherwise). You need a separate one
for each subdomain (including www).

~~~
StavrosK
No, there are also wildcard certificates that match all subdomains, but are
rather more expensive.

~~~
carey
Wildcard certificates are available for USD $49.90 from StartSSL
(<http://www.startssl.com/?app=40>), which is rather more expensive than free,
but shouldn’t be a hardship.

~~~
irons
The only downside to wildcard certs through StartSSL is that getting one
requires high-resolution proof of personal identity, to be kept on file
outside local jurisdiction (the company's based in Israel) until the cert's
final renewal or revocation, plus seven years.

I admire their model of only charging for operations which require human
intervention, like identity validation, but handing over that degree of
documentation for that amount of time requires a lot of trust, not just of the
company as it currently exists, but as it will exist in the far future.

If there was a way to validate organizations which wasn't layered on top of an
earlier validation of an individual, or if their decentralized web-of-trust
was usable for class 2/wildcard certs, I'd be a big fan.

As it is, there's no reason not to use Start for class 1, single-domain certs,
for which the validation is automated and reasonable.

------
chaosmachine
_"Double-click on someone, and you're instantly logged in as them."_

Ouch. I think it's time to set up that VPN I've been putting off...

~~~
GVRV
Am I the only one who thinks this is spoon feeding the script kiddies to cause
mayhem?

~~~
mike-cardwell
Even the dumbest script kiddies have been doing this for years anyway. There
are plenty of existing tools. This one just lowers the bar so your mum can
perform the attack too.

It almost makes me angry that websites like Facebook and Twitter don't force
all traffic over https. They've got the money and the expertise. They just
don't care if your account gets sniffed and taken over at a web cafe.

~~~
uxp
Exactly. I'm not a blackhat and my only "hacking" consists of forcing myself
into my own systems which I've stupidly locked myself out of, yet I've managed
to do much that this plugin can do.

The most un-ethical thing I have done was to take one of the OLPC XO laptops
and convert it into a MITM machine, rebroadcasting the SSID it connects to
while routing and logging all traffic anyone who connects to it generates. It
took a weekend to setup using pre-existing tools and scripts and can be
deployed anywhere I want within 2 minutes and run for up to 6 hours hidden in
the bottom of my backpack. It was a fun experiment, and surely made me more
aware of just how vulnerable I was outside of my home network.

Another point of interest, this weekend I hacked on a Minecraft bot for the
Alpha version. In order to understand and dissect the connection protocol I
needed to recreate, I used wireshark to dump and parse how the client
authenticates and connects to the server. Even that transmits your username
and password in plaintext.

~~~
a_m_kelly
re: the OLPC, what were you running on it? I have one in my closet and I've
been meaning to put something that isn't the stock software on there for a
long time.

------
patio11
Thanks for posting this. It convinced me to upgrade SSL support from
"something that would be nice to implement if I was bored someday" (BCC is not
exactly security critical -- except, on reflection, the admin pages) to "drop
everything and get it done."

~~~
euroclydon
You're saying that the BCC server doesn't have even a self-signed SSL cert
installed? Or something else?

~~~
patio11
I had a SSL certificate for a while, but actually using it throughout the site
without showing users Big Scary Error Messages is not quite trivial. The
activation energy for digging through several hours of edge cases was
lacking... until today. ("Whoops, while you don't know you're doing it, you
pull an unnecessary CSS file into the cached CSS for the registration page
which references a background image on an absolute <http://> URL. Your
registration page now throws an error on IE. You lose." "You have
approximately 150 images on the site linked as handcoded img tags rather than
through Rails' image_tag helper, because when you were a Rails newbie you did
not know that existed. You now get to rewrite all of them so that they can use
SSL asset caching magic." etc, etc)

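The two failure modes in the previous comment (a stylesheet pulling a background image from an absolute `http://` URL, and hand-coded `img` tags pointing at `http://`) are both "mixed content": a subresource an HTTPS page would still fetch in the clear, which the browser warns about and which a sniffer on the access point still sees. The added example below (my own code, not the commenter's site or Rails) walks HTML and CSS and lists every such reference with its line number, so the edge cases can be found before flipping a site to SSL rather than after. A plain `<a href="http://...">` is navigation, not a subresource, and is deliberately not flagged. The class and function names and the sample markup are mine and constructed.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the thread or from the commenter's site: find
# the subresources that an HTTPS page would still fetch over plain http://,
# which is what triggers the browser warnings described above. The sample
# markup at the bottom is constructed.

# Tags whose attribute names a resource the browser fetches for the page.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",   # stylesheets, icons, preloads
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)
PLAIN_HTTP = re.compile(r"^http://", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collects {'line', 'kind', 'url'} for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def scan_css(self, css, first_line=1):
        """Scan CSS text (a file, a <style> block or a style attribute) for url(http://...)."""
        for m in CSS_URL.finditer(css):
            line = first_line + css[: m.start()].count("\n")
            self.findings.append({"line": line, "kind": "css", "url": m.group(1)})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        # <a href="http://..."> is navigation, not a subresource: not in RESOURCE_ATTRS.
        if attr and attrs.get(attr) and PLAIN_HTTP.match(attrs[attr]):
            self.findings.append({"line": self.getpos()[0], "kind": tag, "url": attrs[attr]})
        if attrs.get("style"):
            self.scan_css(attrs["style"], self.getpos()[0])
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # The body of a <style> block arrives here; treat it like a CSS file.
        if self._in_style:
            self.scan_css(data, self.getpos()[0])


def find_mixed_content(text, is_css=False):
    """Return the findings for an HTML document, or for a CSS file when is_css=True."""
    finder = MixedContentFinder()
    if is_css:
        finder.scan_css(text)
    else:
        finder.feed(text)
        finder.close()
    return finder.findings


# Constructed sample page: three references would break an HTTPS version of it.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<style>
body { background: url(http://static.example.com/bg.png); }
</style>
</head><body>
<img src="http://static.example.com/logo.png">
<img src="/images/ok.png">
<a href="http://example.com/help">help</a>
<script src="https://static.example.com/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML):
        print("line %(line)d  %(kind)-6s %(url)s" % finding)
```

Pointing this at every rendered page and stylesheet of a site (a crawl of the staging server, or the templates directly) turns the "several hours of edge cases" into a finite list; the usual fix for each line is a relative path, a `//host/path` protocol-relative URL, or `https://` outright.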
~~~
euroclydon
I've seen some sites which figure out a way to force the user in and out of
SSL for certain URLs. You might be able to implement a fix which forces SSL
for the admin section and non-SSL for everything else.

~~~
patio11
That doesn't help, because my all-powerful admin session is as secure as the
least secure page I access (or _can be made to access_ ) while on a
compromised network.

~~~
euroclydon
Doh. Of course. It's all on the same domain. Do you think that, if designing a
new application, it would make sense to make a separate admin sub-domain
(assuming no wildcard cookies)?

Does the solution entail purchasing legit ssl certs for your static content
domains?

------
leftnode
I thought the title of this submission was slightly misleading. This is not a
security vulnerability from within Firefox, it's a Firefox plugin to reveal
security vulnerabilities in a wide range of websites.

~~~
wwortiz
To be fair that is exactly what I got out of the title and not that it was
using Firefox vulnerabilities.

------
eapen
Sites that are tracked:

amazon basecamp bitly cisco cnet dropbox enom evernote facebook flickr
foursquare github google gowalla hackernews harvest live nytimes pivotal
sandiego_toorcon slicemanager tumblr twitter wordpress yahoo yelp

------
muloka
Thanks to the EFF and the Tor Project we need not worry as much thanks to
their HTTPS Everywhere project, a plugin for Firefox:
<http://www.eff.org/https-everywhere/>

Any questions:

<http://www.eff.org/https-everywhere/faq>

~~~
EricButler
Logging into insecure sites over Tor is probably not a good idea. It's always
good to assume that people running exit nodes are not the most trustworthy.

HTTPS Everywhere is good but only works on known sites (and known domains for
those sites).

------
kijinbear
Be careful when trying this out. You could be breaking a law or two...

~~~
jorgem
Also don't web-mail your friends to tell them about the new accounts you just
broke into :) At least not on that open wireless connection.

~~~
chrisbroadfoot
Good thing GMail has SSL enabled by default ;)

~~~
cdine
Yup, they're one of our examples of a "good" setup. However, Google leaks
iGoogle and some other things (Latitude, address book, reader, ...)

~~~
itsnotvalid
However, they don't share the same session cookie for different services as far
as I know (which they negotiate through a TLS-protected link). Likewise, they
have also made several other services TLS only (e.g. calendar, docs).

------
uptown
The explanation I've always heard for not using HTTPS 100% of the time is that
it puts a substantial load on the server, and for many sites it's overkill.
Setting aside the subjective topic of "overkill" ... how much more CPU-
intensive is it to serve pages over HTTPS compared to HTTP?

~~~
pauldino
There was a great write-up of a talk on SSL/TLS performance at Google linked
here a few months back (<http://unblog.pidster.com/imperialviolet-overclocking-ssl>,
HN discussion at <http://news.ycombinator.com/item?id=1485425>)

Quoting from that, "On our production frontend machines, SSL/TLS accounts for
less than 1% of the CPU load, less than 10KB of memory per connection and less
than 2% of network overhead."

~~~
ifesdjeen
OK, that's most likely too late to contribute to the stated article, but there
was a talk by Michael Klishsin about a year ago, here're his slides:
<http://bit.ly/90qORL> (ssl, performance, certificates, lots of stuff)

------
thought_alarm
Does this kind of wi-fi sniffing work with WEP or WPA encrypted networks? What
about 802.1x?

~~~
pmorici
Yes, assuming you know the password to connect to the network. Otherwise no.

~~~
InclinedPlane
This is incorrect. Traffic on an access point using WPA2 + AES is not
sniffable without significant cryptanalysis or use of exploits.

~~~
pieter
It's fairly easy to do if you are logged in on the network already. For
example, for the iPhone you can use something like pirni to spoof the mac
address of the router. That way you'll receive all data on the network, and
can send it on the router yourself. In the meantime, you can dump all cookies
that are passed on. I think the tool even allows you to list all twitter and
google cookies, and set them in Safari.

~~~
InclinedPlane
Pirni uses a vulnerability of a common WPA2 configuration to execute a MITM
attack using ARP spoofing. There are ways to prevent this exploit as well.

------
atomical
Is there another application besides the FF extension to dump the packets and
process them? How does this work?

EDIT: Sorry, I'm asking specifically how this FF extension works.

~~~
audidude
libpcap
<http://github.com/codebutler/firesheep/blob/master/backend/src/http_sniffer.cpp>

~~~
spicyj
(atomical: You seem not to have realized what this answer was saying. The
extension uses libpcap, as evidenced by the linked source code.)

~~~
atomical
Ah right, sorry.

------
jmreid
Makes a strong case for everyone to start tunneling their traffic back to a
trusted network.

I've been trying out sshuttle <http://github.com/apenwarr/sshuttle>. It only
tunnels TCP traffic, so you still have DNS and UDP traffic on the local
network.

------
mike_esspe
Always use encryption, while using open wifi. I use openvpn
(<http://openvpn.net/>) for this.

------
ddrager
I think this should be a call to arms to network, web and system admins
everywhere. This is a problem that everyone knows about but nobody wants to do
anything about since it requires additional setup. Usually the barrier is a
technical issue that the end user can't figure out. However since submitting
forms via SSL is something the developer can do without impacting the end user
at all, this is a simple fix for just about any website. You need a static IP
and an SSL certificate, and they are both cheap.

Running out of IPv4 space is an issue in this regard, but hopefully with more
people wanting SSL it will push providers to IPv6 quicker. Nicely done
EricButler!

------
jdunck
Title is a bit misleading. This is a front-end to libpcap, and can be used for
hijacking any token-based-auth, not just HTTP.

It just happens that they released w/ support for social networks as a
demonstration.

------
mcmc
It seems fine to just enable SSL everywhere. But indulge me for a second in
thinking of alternate solutions.

Instead of sending a cookie, send a piece of javascript code (as part of the
SSL-cloaked login handshake) that generates a new cookie for each request, and
consider each new cookie in this sequence a "one time use" token. You can turn
off SSL for subsequent requests and just use one of these new cookies each
time to verify identity because an attacker won't have your cookie generator.

This javascript is really just an encryption key and algorithm, and if you
implement it correctly, it should take quite some time for snoopers to reverse
engineer the encryption key based on a sequence of one-time-use cookies.

Logistically, I suppose you would run into some trouble setting a new cookie
for each request depending on how the page is loaded. For instance, if the
user pastes a url into a new tab manually, then this system wouldn't have a
chance to set the new cookie first.

However, I think you could architect a system that solves this. For instance,
put the javascript token generator source in local storage. If a new page
loads with an invalid key, that new page can just get the cookie generator
code out of local storage and manually refresh the page's content by making a
request with a valid token. This should be quick enough for most users not to
notice, in the rare case that they circumvent the site's usual navigation.

A downside is obviously that the content itself is still not safe, but at
least the account would be. Any thoughts?

~~~
Groxx
I _think_ all cookies are sent with every request, so cookies can't be used to
(securely) pass data to the next page. It'd work just fine on the login page,
but every page after that would have to renegotiate to generate a new cookie,
meaning you basically just created SSL everywhere.

Local storage, however, could probably be used to do just such a thing, as it
exists only locally. In which case you could just have the login page generate
an RSA key pair, receive the server's public key in the response, and use that
for any kind of secure communication on each page load. The server would have
to remember sessions => encryption keys, but that's not too hard.

------
meelash
Wow, good work. And pretty scary- imagine what one could do with this on any
college campus.

~~~
colonelxc
A guy I know used to do this in airports (just for fun, didn't do anything
malicious) by grabbing webmail logins. Running wireshark with some simple
filters and watch the cookies roll in.

------
dacort
Wow, I've been wanting to do this for a while to raise awareness. Great
implementation by plugging it into Firefox - well done.

------
amanuel
You can slightly reduce the dangers stated here by logging out immediately
after you are done doing whatever it is you are doing. This will make the
captured session useless.

The best solution is of course to get a VPN acct and use it when you are at
free/open wifi spots. I use WiTopia (www.witopia.net)

~~~
josto
Or just get a mac mini server that will run vpn 24/7

------
chrisbroadfoot
Has anyone checked the source code to check that the passwords aren't sent to
the author's website? :)

~~~
cdine
It's 100% open source! Please feel free to review it.

<http://github.com/codebutler/firesheep>

It doesn't currently do anything with passwords, it's only pulling out cookies
from HTTP Response headers. But it would be trivial to also get passwords in
non-HTTPS requests for logins with the same method.

~~~
staktrace
Again, not assuming you're evil, but it's possible that the compiled binary
(.xpi) was _not_ created from the source posted on the github account :)

------
gregwebs
What can an end user do to minimize this?

This exploit is for insecure Wifi networks- so only using encrypted Wi-fi or
Ethernet would seem to remove this attack vector. Is there a real risk that
someone (besides the government) can see your cookie?

~~~
amanuel
Logging out will cause the captured sessions to be useless.

So remember to logout.

VPN is really the best overall option.

~~~
cdine
Most sites don't properly invalidate sessions when you log out, you can't
protect yourself as well as you think. See our slide on this topic:

<http://codebutler.github.com/firesheep/tc12/#18>

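The difference between "log out" as a client-side cookie deletion and a real server-side invalidation, as an added example (my own code, not Firesheep's and not any site's session layer): a minimal session store in which one logout path only tells the browser to drop the cookie, and the other forgets the session on the server. A copy of the token captured on the access point keeps working after the first kind of logout and dies after the second; the store also expires idle sessions and offers a "sign out everywhere" for password changes. The class and method names are mine; the clock is injectable so the timeout can be exercised without sleeping.

```python
import secrets
import time

# Added example, not code from Firesheep or from any site named in the thread:
# a minimal server-side session store showing why clicking "log out" only
# protects you if the server actually forgets the session. Timestamps come
# from an injectable clock so the idle timeout can be tested without sleeping.


class SessionStore:
    def __init__(self, idle_timeout=900, now=time.time):
        self._sessions = {}          # token -> {"user": str, "last_seen": float}
        self._now = now
        self.idle_timeout = idle_timeout

    def login(self, user):
        """Create a fresh, unguessable session token for `user`."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def user_for(self, token):
        """Return the user behind a live token, or None. Idle sessions expire here."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._now() - session["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        session["last_seen"] = self._now()
        return session["user"]

    def logout_client_only(self, token):
        """The weak pattern: tell the browser to discard the cookie and change
        nothing server-side. Any copy of the token captured earlier keeps working."""
        return {"Set-Cookie": "sessionid=; Max-Age=0; Path=/"}

    def logout(self, token):
        """Real logout: drop the session server-side, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "sessionid=; Max-Age=0; Path=/"}

    def revoke_all_for(self, user):
        """'Sign out everywhere', e.g. after a password change. Returns the count revoked."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)


def demo():
    """Walk through both logout styles; returns (after_client_only, after_real_logout)."""
    store = SessionStore()
    token = store.login("alice")
    captured_copy = token                          # what a sniffer would be holding
    store.logout_client_only(token)
    still_valid = store.user_for(captured_copy)    # "alice": the copy still works
    store.logout(token)
    after_real = store.user_for(captured_copy)     # None: the server forgot it
    return still_valid, after_real


if __name__ == "__main__":
    print(demo())
```

The same store is the place to hang the other mitigations the thread touches on: a short idle timeout bounds how long a captured token stays useful, and `revoke_all_for` is what makes "change your password" actually evict whoever is already logged in with your cookie.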
~~~
amanuel
Excellent points on the slideshow. The general lack of care on this topic
among web companies is worrisome.

------
ianhawes
This looks really cool. I can't wait to try this out. Very nice work, Eric.

~~~
EricButler
Thanks! If you or anyone has any problems, email me (eric@codebutler.com) with
the details.

~~~
gilaniali
On Mac OS X, it gives an error saying: Run --fix-permissions first.

Run with which command? and how?

~~~
xorglorb
I found the binary "firesheep-backend" in:

    ~/Library/Application Support/Firefox/Profiles/<profile>.default/extensions/firesheep@codebutler.com/platform/Darwin_x86-gcc3

I ran both:

    ./firesheep-backend --fix-permissions

and

    sudo ./firesheep-backend --fix-permissions

and it still asks me to run it with "--fix-permissions". I guess it's time to
go digging around in the source to try and find out what it wants me to do.

EDIT:

After a bit of digging, I found out that running it with --fix-permissions
really just chowns the binary to root then setuid's it. I don't see anything
wrong with it on the surface, but I'll keep digging.

~~~
gilaniali
There is another firesheep-backend at
/firesheep-backend.dSYM/Contents/Resources/DWARF inside the Darwin folder.
However this one won't run using ./

Any ideas?

~~~
xorglorb
I believe that it is a file containing debug info, not an actual program, so
you can't run it.

------
DJN
The main problem will be with SaaS apps that allow custom domain names (i.e.
_mywebsite.com_ instead of _mywebsite.mysaasprovider.com_ ).

I made an early decision to enable SSL everywhere in Trafficspaces with the
obvious downside being that I need to allocate a dedicated IP address each
time someone requests a custom domain name.

I used to get worried that perhaps it would have been better to _only_ provide
SSL in specific stages (such as sign-in and payment) and _only_ through a
generic domain name. Not any more.

Firesheep clearly vindicates that decision.

~~~
danudey
Wouldn't it be easier to get a wildcard SSL certificate for
*.mysaasprovider.com? That way you can serve all subdomains off a single IP
address, since the name will always match.

~~~
DJN
That's what we are currently doing now.

I was referring to cases where the account holder wants to use a custom
domain name e.g. _ads.mywebsite.com_ , instead of the generic
_mywebsite.mysaasprovider.com_.

In that case, we'll need to host their certificate within our Pound load
balancer and get it to listen on a dedicated IP.

------
ElbertF
Why don't Facebook and other major sites check the user agent and IP address
of the client as well, instead of just relying on a cookie? That would solve
this problem in 99% of the cases, right?

~~~
sdurkin
If you're on the same wireless network as someone, you have the same external
IP address.

~~~
ElbertF
I realize that but at least my neighbors won't be able to hijack my session
from home. Logging in over a public network always seems risky.

~~~
chrisbroadfoot
Are your neighbours on your private network? If not, you don't need to worry
about them capturing your network data, because they're _not on the same
network_.

------
icode
It states that it works for "open networks". What does that mean? All networks
that you have access to? Including those in Cafes where they give you a key to
log in? Or just networks that are completely open? And why does it work at
all? I thought the wlan access point would encrypt the communication between
itself and the computer. It would be interesting to know which protocols are
vulnerable to this and which are not.

I guess the logging of raw wlan packets is a one-liner under linux? Does
anybody know it?

------
charlesshonston
So wait... this works regardless of wireless card? I've tried to use BackTrack
on my mac before and it failed due to the card not being able to run in
passive mode.

~~~
mrgordon
Yes, I believe it should work on any wireless card because you're not doing
packet injection.

~~~
robhu
It doesn't work on my late 2009 MBP (sniffs sessions from other browsers on my
laptop but not other laptops on our wifi).

~~~
phamilton
Are you sure you aren't on a WPA encrypted network? My understanding is that
it doesn't work over WPA. WEP apparently does work though.

~~~
zombocom
I'm on an open network (no security) and I too am only seeing traffic from the
computer I'm running it on. I have two Macs on the same wifi network, but no
luck so far =/

------
petenixey
What a shame. There are going to be so many kids whose Facebook accounts get
broken into and abused this week as a result of this.

------
jayphelps
Doesn't work in 3.6.4, even if you override install it or change the
minVersion (which is 3.6.10)

Once I upgraded to 3.6.10 worked awesome.

------
s3graham
SSL requires a unique IP per hostname, correct? Maybe _this_ will be what
actually ends up getting IPv6 going... :)

~~~
rubinelli
It used to be so, but newer servers can now serve more than one HTTPS domain
using the same IP. For more details, check out
[http://serverfault.com/questions/109800/multiple-ssl-domains...](http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port)

~~~
amalcon
Newer servers can serve more than one HTTPS domain using the same IP... _to
users who are not using IE/Chrome/Safari under Windows XP_. If you depend on
SNI, you're leaving out something like a third of your user base.

~~~
rubinelli
Thanks. There really isn't anything more dangerous than just a bit of
knowledge.

------
pilom
Anyone going to get HN on HTTPS? I'm very partial to my karma points and
don't want anyone to log in as me!

------
JshWright
It's an interesting assortment of sites that are "supported" out of the box.
Some of them are pretty harmless (bit.ly, Flickr), some could cause some
pretty serious hassles (Google, Amazon), and some could be absolutely
devastating (Deleting someone's Slicehost account? Ouch...).

------
marcuswestin
The sidebar is not showing up for me after installing and restarting.

Firefox 3.6.11 OS X 10.6 firesheep-0.1-1.xpi

~~~
zemaj
Same setup. Sidebar shows for me after selecting it from the View -> Sidebar
menu, however it pops up with a message that says "Run --fix-permissions
first." Not sure where I'm supposed to run this flag.

~~~
cheungpat
There are so many hoops I have to jump through to make this work in OS X.

    $ mv firesheep-backend firesheep-backend.binary
    $ cat > firesheep-backend
    #!/bin/sh
    # wrapper: run the real backend via sudo, forwarding all arguments intact
    sudo /path/to/firesheep-backend.binary "$@"
    ^D
    $ sudo chmod +x firesheep-backend

Then restart Firefox and start capture. You need to run sudo once every
certain period.

~~~
xorglorb
I keep getting a "Failed to fix permissions" error. Any insight into that?

~~~
zemaj
FYI if you're still looking into this, this comment helped me
<http://codebutler.com/firesheep#comment_5843350>

I have filevault turned on. Moving the binary out of my home folder (and
adding a symbolic link) solved the problem.

------
al_james
What does this mean for HTTP basic authentication? How about digest access
authentication?

~~~
pornel
Basic is useless - sends password in the clear.

Digest authentication is safe against _passive_ sniffing (it doesn't exchange
any password/token in the clear and uses nonces), but it doesn't protect
against an active attacker who could modify server headers and replace
"Digest" with "Basic" to reveal the password.

~~~
al_james
Ok, so digest authentication is safe against this new Firefox extension?

If so, why don't Facebook et al. switch to digest based authentication?

Surely it's better than unencrypted cookie based logins. Is it just that it's
ugly (the browser login popup)?

~~~
pornel
Yes, Digest is safe in this case, but one could write a more advanced (packet-
injecting) tool/Firefox extension that breaks Digest too.

Terribly bad UI and lack of standard way to log out are dealbreakers for HTTP
auth.

There's also no reliable way to customize UI to offer help, password
reminders, branding or anything like that.

There was a proposal to improve this in 1999:

<http://www.w3.org/TR/NOTE-authentform>

and it was recently discussed in the HTML5 WG, but the conclusion was that
Digest and the countless JS tricks proposed in its place are only partial
solutions and cookies have unstoppable momentum, so it's better if everyone
just switches to SSL.
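
pornel's two points above (Basic sends the password in the clear; Digest resists
passive sniffing but an active attacker can downgrade the challenge to Basic)
worked through in code, as an added example that is not part of this thread.
The username, realm, nonce and cnonce are the sample values from RFC 2617
section 3.5; choose_scheme is a hypothetical client-side policy, not code
from any browser or from Firesheep.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri,
                    qop="auth", nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 Digest response (MD5, qop=auth).

    Only hashes cross the wire: a passive sniffer captures realm, nonce,
    nc, cnonce and this response, never the password, and the response is
    bound to the server's nonce so a replay fails once the nonce changes.
    """
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def basic_credential(username, password):
    """What a Basic Authorization header carries. base64 is an encoding,
    not encryption; see password_seen_by_sniffer below."""
    cred = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(cred).decode("ascii")


def password_seen_by_sniffer(authorization_value):
    """Decode a captured 'Basic xxx' value back to the cleartext password."""
    raw = base64.b64decode(authorization_value.split(None, 1)[1])
    return raw.decode("utf-8").split(":", 1)[1]


def choose_scheme(www_authenticate, url):
    """Hypothetical client policy against the Digest-to-Basic downgrade.

    An active attacker can rewrite the server's WWW-Authenticate header, so
    Basic is honoured only when the page itself came over HTTPS; Basic over
    plain HTTP is refused rather than sending the password in the clear.
    """
    scheme = www_authenticate.split(None, 1)[0].lower()
    if scheme == "digest":
        return "digest"
    if scheme == "basic" and urlsplit(url).scheme == "https":
        return "basic"
    return "refuse"
```

With the RFC 2617 sample values, digest_response returns the response string
printed in the RFC, while basic_credential for the same user decodes straight
back to the password.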

------
robhu
On my Macbook Pro (purchased 1 year ago) it doesn't seem to be able to capture
traffic on my wifi. It can see sessions originating from another browser on
the same Mac, but not other macs on the wifi network.

Is there a way of debugging what's going on?

~~~
dekz
Which sites are you using this on? It only works on a few select sites (and
you can add more with some more JavaScript code). It worked for me on my MBP
on the main sites: Twitter, some iGoogle.

~~~
robhu
I tried it on Facebook.

I have a WPA2 protected Wifi network. Two laptops (a MB and a MBP) on it. I
run it on the MBP, on the MB I refresh a logged in Facebook page, and nothing
appears as captured on the MBP.

If on the MBP I refresh Facebook in another browser it appears.

~~~
jonknee
Try on an open wireless network.

~~~
robhu
Why? It should work on a WPA encrypted network as long as I have the network
key - from the perspective of my network interface nothing is encrypted.

This indicates that the card has not properly been put into listening mode,
which means the plugin is not operating my card correctly.

------
jawee
I'm eagerly waiting to try this out once a Linux version becomes available.
looks very nice! Unfortunately I don't have a Windows or OS X installation
available to me at the moment.

------
Ripst
PHP session_regenerate_id(true)

[http://www.php.net/manual/en/function.session-regenerate-id....](http://www.php.net/manual/en/function.session-regenerate-id.php)

------
flexterra
Here is a simple tutorial on how to set up an SSH Tunnel for Mac OS X
<http://bit.ly/cffjOY>

This way all your communication is encrypted.

~~~
cdine
I love SSH tunnels, but in regards to this particular problem, it really just
pushes the problem off to wherever your ssh tunnel terminates. Do you trust your
server operator? ISP? This is addressed in our presentation, here (VPNs are
essentially doing the same thing):
<http://codebutler.github.com/firesheep/tc12/#20>

~~~
flexterra
Totally agree!

But right now I'm more worried about a co-worker or stranger in a Starbucks
taking over my personal Facebook or Gmail account than my server operator
trying to spy on me.

------
rfugger
It would help a bit if there was a way to automatically encrypt sessions on an
open wifi access point without requiring a password to connect.

------
pberry
On a positive note, at least a lot of people will be updating to the latest
secure version of Firefox to run it.

------
dennisgorelik
On the other hand, stealing somebody's real life identity is not that hard
either. But it does not happen too often, in part because it's illegal.
Stealing somebody's cookie on the Internet is a crime just as is stealing
somebody's driver's license. Although a technical solution to this security hole
is desirable, it's not the only solution available.

------
AndyKelley
Linux installation needs work. README is empty, and the INSTALL says use
./configure which doesn't exist. ./autogen.sh complains about needing
xulrunner-sdk path, which isn't something normal for Linux.

Edit: Oops! Linux support is "on the way." I guess I assumed since Linux is
the easiest platform to get your driver to go into monitor mode.

------
geuis
I just tried this here in a coffee shop. This is fucking evil.

------
gasull
I couldn't install it on FF 3.6.9 on Windows XP.

~~~
EricButler
What was the error?

~~~
gasull
"Firesheep 0.1 could not be installed because it is not compatible with
Firefox 3.6.9."

And yes, WinPcap is installed. I don't think it should matter, but I'm running
Windows XP on a VirtualBox.

~~~
EricButler
Oh, you just need to update to the latest version of Firefox (3.6.11). Your
version is out of date and not secure.
[http://www.mozilla.org/security/known-vulnerabilities/firefo...](http://www.mozilla.org/security/known-vulnerabilities/firefox36.html)

~~~
linhares
What should happen if you use iPhone tethering? Could it tap into the vast
people on that network? (I have absolutely no idea). If this is the case, the
internet will have a panic attack in 2 days max.

~~~
daten
No. Cabled tethering to a cell phone only gives you access to your own
packets. It's like a switched network where only packets addressed to you are
sent to you.

On 802.11 wireless networks your wireless network card is capable of capturing
traffic addressed to other computers. When encryption isn't used or is
compromised, you can steal their credentials.

Doing something similar against cellular networks would require a much more
sophisticated attack with specialized hardware that's largely illegal in the
United States. I would also hope that cellular communications are encrypted
these days.

------
mattermortel
Isn't this extension great? =D

------
freefire4629
What version of Firefox do you need to have to run it? I can't get it to work.

------
linhares
Please don't tell 4chan.

~~~
Perceval
/b/ is going to have a field day with this. A long unbroken string of field
days. For a long time.

------
drivebyacct2
Interesting. I was going to do something similar but keep it limited to
Facebook chat. That way you could eavesdrop on conversations in the room and
impersonate people, etc. This is actually probably easy to program and more
versatile at that.

------
AlexRodriguez
Works for me.

------
bluesmoon
Well, whatever... encrypt all you like, $5 will still crack your session:
<http://xkcd.com/538/>

~~~
bluesmoon
wow, -1. HN readers sure left their senses of humour at home today.

I shall call this experiment a success.

