Enabling Secure Business Operations

Firesheep: SideJacking Made Painfully Simple

October 26th, 2010

The big news of the week, emanating from Toorcon 12, is the release of Firesheep. This tool makes SideJacking – that is, “hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server” – painfully simple for anybody to use. How easy? Well, let’s see… you download and install Firefox… and then you download and install the Firesheep extension to Firefox… and then you restart Firefox and run the tool to start hijacking sessions… that’s it! Simple enough for ya?

SideJacking is not a new concept, nor are tools for it. Robert Graham of Errata Security made a bit of a splash with his tool Hamster back at Black Hat 2007 (also see “Wi-Fi SideJacking opens eyes at BlackHat”). And, really, the concept of intercepting and hijacking sessions is even older than that. Poor session management continues to be on the OWASP Top 10 list, as does the lack of adequate transport layer protection (that is, SSL/TLS for web sites).


Perspectives – Firefox Extension

August 29th, 2008

A while back I posted about my concerns, and others’, about Firefox’s new way of handling self-signed or unapproved certificates. It seems the folks over at Carnegie Mellon University have released an extension for Firefox to help deal with this exact issue.

My main issue with my last posting wasn’t directly tied to the error in the security model Firefox was introducing, but simply the intrusion factor of what was taking place, and the lack of information that FF was providing when denying access to the site. The extension provides two primary benefits:

  1. If you connect to a website with an untrusted certificate (e.g., a self-signed certificate), Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.
The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

The primary description for Perspectives also states:

A client can automatically make a secure connection to one of several publicly available “network notary servers” located around the world. These servers tell the client:

  1. What key does the server see for host.domain.com right now?
  2. What keys has the server seen in the past for host.domain.com?

The replies from the network notaries can go a long way toward either providing the user with confidence that the key it received is valid, or that a real threat of a “man in the middle” attack exists.

The end result is that instead of having applications issue bland warnings, which users often ignore, the application can either skip the warning if notary data indicates that the key is valid, or give a very stern warning in the rare cases when an attack appears to be in progress.

This extension does pretty much exactly what I wished Firefox would have done with the new policy from the beginning.

Link to the project: HERE
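The notary check described above can be sketched as a client-side decision function. This is an added example, not code from the Perspectives project: the reply shape, the quorum and minimum-age thresholds, and every name in it are assumptions, and the notary replies are constructed sample data.

```javascript
// Added illustration, not the Perspectives extension's code. The reply shape,
// thresholds and all names here are assumptions.
const DAY = 86400;
const NOW = 1220000000; // constructed "current time" (Unix seconds)

// Fingerprints a notary has observed within the last day ("right now").
function currentKeys(reply, now) {
  return reply.observations
    .filter(o => now - o.lastSeen <= DAY)
    .map(o => o.fingerprint);
}

// True if the notary sees this key now and has seen it for at least minDays.
function vouchesFor(reply, fp, now, minDays) {
  return reply.observations.some(o =>
    o.fingerprint === fp &&
    now - o.lastSeen <= DAY &&
    o.lastSeen - o.firstSeen >= minDays * DAY);
}

// Returns "override" (skip the browser warning), "alert" (stern warning:
// notaries see a different key than we were given) or "warn" (not enough
// evidence either way; keep the browser's normal behaviour).
function evaluateKey(fp, replies, { quorum, minDays, now }) {
  const answered = replies.filter(r => r !== null); // null = unreachable notary
  if (answered.length < quorum) return "warn";
  const vouching = answered.filter(r => vouchesFor(r, fp, now, minDays));
  if (vouching.length >= quorum) return "override";
  const contradicting = answered.filter(r => {
    const keys = currentKeys(r, now);
    return keys.length > 0 && !keys.includes(fp);
  });
  return contradicting.length >= quorum ? "alert" : "warn";
}

// Constructed sample data: three notaries that have all seen key "aa:11"
// on host.domain.com for 30 days.
const seen = (fp, days) => ({
  observations: [{ fingerprint: fp, firstSeen: NOW - days * DAY, lastSeen: NOW }],
});
const steady = [seen("aa:11", 30), seen("aa:11", 30), seen("aa:11", 30)];
const policy = { quorum: 2, minDays: 7, now: NOW };

console.log(evaluateKey("aa:11", steady, policy)); // same key everywhere
console.log(evaluateKey("ee:99", steady, policy)); // client got a different key
console.log(evaluateKey("aa:11", [seen("aa:11", 30), null, null], policy));
console.log(evaluateKey("bb:22", [seen("bb:22", 1), seen("bb:22", 1), seen("bb:22", 1)], policy));
```

The last two calls cover the cases where notary data should not change the browser's behaviour: too few notaries answered, or the key is consistent but too new to have any history behind it.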
