Over the weekend a new Firefox plug-in appeared. The functionality behind this plug-in is not new; what is new is its ease of use and how easily accessible it now is for anyone to be malicious. Because of this, it’s important to know what it does and how to protect yourself from being a victim of its misuse.
Before I go into explaining what this plug-in does, it’s important to know a few things about how websites work. The web is a stateless environment, meaning that there are no persistent connections between a user’s machine (you) and the web server (Facebook, Twitter, etc.). To keep track of who you are, web servers create sessions in their environment and then assign users unique identifiers (generally passed via a cookie) that the user’s browser then sends with all subsequent requests to identify itself.
While most websites secure their log-in pages with https, after you log in they may redirect you back to an unsecured (http) portion of their website. My assumption for why they do this is to reduce the overhead that is caused by encrypting and decrypting https traffic. Standard http traffic is not encrypted, however, so anyone who can view this traffic can see your session key in plain text. If they then attach your session key to their requests, the server will think that they are you and give them access to your session.
That’s what this plug-in does: it listens over an unsecured wireless network for unencrypted web traffic going to or from various websites. It then checks to see if there is a session key that it can find; if so, it gives you a handy little user interface for selecting the user and taking over their session. It should be noted that they can only take over your session until it expires or ends, so if you initiate a request to kill your session they will lose access to it as well. They will have no access to your user name or password and won’t have the ability to log in as you without hijacking another one of your sessions.
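The site-side weakness described above shows up in the server's response headers. As an added example (not part of the original post or of the plug-in), this Python sketch audits a login response for a session cookie issued without the Secure attribute and for a redirect from https back to http; the host example.test, the cookie name and all header values are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured traffic): (request URL, response headers).
WEAK_LOGIN = ("https://example.test/login", [
    ("Set-Cookie", "session_id=PLACEHOLDER; Path=/; HttpOnly"),
    ("Location", "http://example.test/home"),
])
HARDENED_LOGIN = ("https://example.test/login", [
    ("Set-Cookie", "session_id=PLACEHOLDER; Path=/; Secure; HttpOnly"),
    ("Location", "https://example.test/home"),
    ("Strict-Transport-Security", "max-age=31536000"),
])

def audit_response(url, headers):
    """Return (code, detail) findings that expose a session cookie to plain http."""
    findings = []
    over_https = urlsplit(url).scheme == "https"
    seen = {name.lower() for name, _ in headers}
    if not over_https:
        findings.append(("plain-http", url))
    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            # Without Secure the browser also sends the cookie on http requests.
            if "secure" not in attrs:
                findings.append(("cookie-without-secure", cookie))
        elif name == "location":
            # The post-login downgrade: https login page, http destination.
            if over_https and urlsplit(value).scheme == "http":
                findings.append(("https-to-http-redirect", value))
    # HSTS tells the browser to refuse plain http for this host in future.
    if over_https and "strict-transport-security" not in seen:
        findings.append(("no-hsts", urlsplit(url).hostname))
    return findings

if __name__ == "__main__":
    for label, (url, headers) in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(url, headers))
```
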
The biggest issue would appear to be with the websites themselves, and there is no doubt that website security needs to be re-evaluated (the actual purpose behind this plug-in), but there are a few easy steps that can be taken to protect yourself from falling victim to this plug-in.
First of all, stop using unsecured wireless networks. Think of an unsecured wireless network as trying to have a private conversation with someone in a subway car. Anyone else who is in that subway car simply has to stand near you to be able to overhear your conversation. Anything you send over an unsecured wireless network that is not encrypted can be viewed by anyone else on that network. Secured wireless networks, ones that you have to enter a key in order to connect to, encrypt all their traffic to begin with, so they are not affected.
Alternatively, you can make sure that all your website activities are done over https or are secured in a different way. There are various plug-ins out there, or settings that you can change, that will force your connections to select servers over https. There are also other alternatives that can be used by more advanced users.
Finally, if you are tempted to download this plug-in yourself and head out to a Starbucks or Barnes and Noble to try it out, then please keep the following in mind. This is of very questionable legality; some have said that according to the Computer Misuse Act of 1990 it would be against the law. So be warned: if you use this and get caught, you could very well face criminal charges.