Defending Against Firesheep
The best line of defense against Firesheep and other session hijacking attacks lies in the hands of web developers and web server administrators. If you develop web applications that rely upon cookies for session management, be sure that they are always managed in a secure fashion. Here are a few ways you can do that:
- Send cookies only via SSL. If you require browsers to encrypt the cookie before transmission, it won't be vulnerable to interception while in transit. This is as simple as setting the secure option in the cookie and allowing full HTTPS access to your website.
- Limit the applications that can make use of your cookies. You should also set your cookies so that their use is as restricted as possible. At a minimum, you should set them so that they are only accessible to systems in your domain using the domain option in the cookie. Ideally, you should set the cookie's use to a specific server within your domain. You can also restrict the cookie's use to specific applications in your domain by setting the path option.
If you're an end user, you don't have control over the way cookies are configured, but you do have some options at your disposal:
- Limit your use of websites that do not offer HTTPS connections. You can vote with your feet by refusing to use sites that may be vulnerable to session hijacking attacks.
- Tunnel your connections through a VPN. If you're using the Internet in a risky location and are concerned about eavesdroppers conducting session hijacking attacks, connect to a VPN (virtual private network) at your workplace and use that connection to encrypt traffic that you're sending on the local network.
Media reports recently highlighted a number of tools designed to thwart Firesheep, most notably a tool called Fireshepherd that shuts down instances of Firesheep running on the local network. These tools are flawed in that they only limit the effectiveness of Firesheep as a tool but do nothing to remedy the underlying flaws in web authentication via unencrypted means. A moderately sophisticated attacker can use a network sniffing tool, such as Wireshark, to monitor traffic and steal your session without detection.