site streamed the X-rated content for 22 minutes before Google could shut down the
site [10].
7.2.4 Case Study: Firesheep
Only a small fraction of the information transported by the Internet is encrypted;
everything else is sent “in the clear” using the HyperText Transport Protocol (HTTP).
Encrypting everything would make Internet communications slower and more
expensive, which is why most Web sites use encryption only when communicating the most
sensitive information, such as usernames, passwords, and credit card numbers. You can
tell when a Web site is encrypting the communication because the start of the address in
the Web browser is “https://” (meaning “secure HyperText Transport Protocol”).
The widespread use of Wi-Fi to connect to the Internet has exposed a vulnerability
caused by Internet packets being sent in the clear. A Wi-Fi network uses radio signals to
communicate between devices. If the wireless access point is not using encryption, it's
easy for devices within range to snoop on the network traffic. (Encryption is the process
of protecting information by transforming it into a form that cannot be understood by
anyone who does not possess the key; i.e., the means of reversing the process and
re-creating the original information.)
Sidejacking is the hijacking of an open Web session by the capturing of a user's
cookie, giving the attacker the same privileges as the user on that Web site. (You can
find an explanation of cookies in Section 5.3.11.) Ecommerce Web sites typically use
encryption to protect the username and password people provide when logging in, but
they do not encrypt the cookie that the Web browser sends to the user to continue
the session. Sidejacking is possible on unencrypted wireless networks because another
device on the wireless network can “hear” the cookie being transmitted from the Web
site back to the user's computer. Even though the Internet security community had
known and complained about the sidejacking vulnerability for years, ecommerce Web
sites did not change their practices.
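Whether a site leaves its session cookie exposed in the way described above can be checked from the headers it sends at login: a cookie set without the Secure attribute is also sent by the browser on unencrypted http:// requests. The following Python code is an added example, not part of the original text; the sample headers and the name hints used to recognize session cookies are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for cookies a browser would
# also send over plain HTTP (the condition sidejacking depends on).

# Constructed sample: headers from an HTTPS login response (not real traffic).
SAMPLE_LOGIN_RESPONSE = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Content-Type", "text/html"),
]

# Assumption: cookie names containing these hints carry session state.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Return one finding per cookie that lacks the Secure attribute."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" in attrs:
            continue  # browser sends this cookie only over HTTPS
        is_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        findings.append({
            "cookie": name,
            "severity": "high" if is_session else "low",
            "issue": "no Secure attribute; sent in the clear on http:// requests",
        })
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_LOGIN_RESPONSE):
        print(f"[{f['severity']}] {f['cookie']}: {f['issue']}")
```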
On October 24, 2010, Eric Butler released an extension to the Firefox browser called
Firesheep. Firesheep makes it easy for a Firefox user to sidejack open Web sessions. The
user starts the Firefox browser, connects to an open Wi-Fi network, and clicks on a
button called “Start Capturing.” When someone using the network visits an insecure
Web site that Firesheep knows about, the user's name and photo are displayed in a
sidebar, along with the name of the Web site he is connected to, such as Amazon,
Facebook, or Twitter. By double-clicking on the photo, the attacker becomes logged in
as that user on that Web site and is able to do the same things that the legitimate user is
able to do, such as post status messages and purchase products.
Butler released Firesheep as free, open-source software for Mac OS X and Windows.
He wrote: “Websites have a responsibility to protect the people who depend on their
services. They've been ignoring this responsibility for too long, and it's time for everyone
to demand a more secure web. My hope is that Firesheep will help the users win” [11].
The Firesheep extension was downloaded more than 500,000 times in its first week
of availability, and it attracted a great deal of media attention [12]. The typical story
warned social network users about the dangers of using unencrypted wireless public
 
 