Firesheep Countermeasure Tool BlackSheep
Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a countermeasure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitoring traffic to see if it has been hijacked."
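The detection the summary describes is a honeytoken: plant a session cookie value that belongs to no real account in a plain-HTTP request, then watch for any other host on the segment replaying that exact value. The following is an added illustration of that idea, not BlackSheep's code; the packet model, the cookie name `datr`, the MAC addresses and the sample traffic are all constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Cookie the decoy is planted in. Assumption for the example; BlackSheep
# targets whichever cookies Firesheep's per-site handlers look for.
COOKIE_NAME = "datr"


@dataclass(frozen=True)
class Packet:
    """One observed HTTP request, reduced to the fields the check needs."""
    src_mac: str
    host: str
    cookie_header: str  # raw value of the Cookie: request header


def make_decoy() -> str:
    """A random value that looks like a session ID but matches no real account."""
    return secrets.token_hex(16)


def decoy_request(our_mac: str, host: str, decoy: str) -> Packet:
    """The bait: a cleartext request to `host` carrying only the decoy cookie."""
    return Packet(our_mac, host, f"{COOKIE_NAME}={decoy}")


def cookie_value(header: str, name: str):
    """Pull one cookie's value out of a raw Cookie: header, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def find_hijackers(packets, decoy: str, our_mac: str):
    """MACs other than ours that replayed the decoy (what Firesheep's double-click does)."""
    return sorted({
        p.src_mac
        for p in packets
        if p.src_mac != our_mac
        and cookie_value(p.cookie_header, COOKIE_NAME) == decoy
    })


# Constructed sample traffic (not a real capture).
OUR_MAC = "aa:bb:cc:00:00:01"
DECOY = "7b1d4e0f9a3c2e8d5f6a1b2c3d4e5f60"
SAMPLE_TRAFFIC = [
    decoy_request(OUR_MAC, "www.facebook.com", DECOY),                             # our bait
    Packet("aa:bb:cc:00:00:02", "www.facebook.com", "datr=111111111111; lu=abc"),  # unrelated user
    Packet("aa:bb:cc:00:00:03", "www.facebook.com", f"datr={DECOY}"),              # bait replayed
    Packet("aa:bb:cc:00:00:03", "twitter.com", "_twitter_sess=zzz"),               # no decoy here
]

if __name__ == "__main__":
    print("hijackers:", find_hijackers(SAMPLE_TRAFFIC, DECOY, OUR_MAC))
```

The check only fires when the decoy is actually replayed, so a passive sniffer that never reuses the cookie stays invisible; it also needs the monitoring host to see the other station's traffic, which on a switched or WPA-encrypted network it generally will not.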
Re:Secure login (Score:5, Informative)
Secure login doesn't matter. You need secure everything, or people can just steal your session cookie. That is almost as bad as having your login stolen.
Re:or just use proper security (Score:5, Informative)
Exactly, this is what EFF's Firefox Addon does [eff.org]
Re:So, to clarify... (Score:4, Informative)
For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).
As long as the hijacker keeps using your session the session will stay alive, even if you close your browser. But if you actually log out of the website then the hijacker gets kicked off too. So if Blacksheep tells you that someone's on your account then log out of Facebook immediately. Or, better yet, check that your email address hasn't been changed while the other guy's been on your account, then log out.
Re:or just use proper security (Score:4, Informative)
Mmm neat, but force-tls is not helpful for wikipedia (and other similar sites), that need mapping from en.wikipedia.org/wiki/Google to secure.wikimedia.org/wikipedia/en/wiki/Google
Re:or just use proper security (Score:4, Informative)
Mmm I have not pasted the link properly... EFF's plugin can map automatically from http://en.wikipedia.org/wiki/Google [wikipedia.org] to https://secure.wikimedia.org/wikipedia/en/wiki/Google [wikimedia.org] It is not possible with force-tls
Re:or just use proper security (Score:4, Informative)
Spot on. Force-tls actually prevents DNS spoofing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ [bankofamerica.com] from Starbucks; someone might spoof the DNS and redirect you to their own page rather than https://www.bankofamerica.com/ [bankofamerica.com]. Force-tls prevents this by not requesting the http page and directly requesting the secure page (it knows for which pages it has to use https by remembering the last time you visited the site, more specifically, whether the site had sent an X-Force-TLS header when you had visited it before).
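The behaviour described in the two comments above (remember that a host once sent X-Force-TLS, then rewrite later http:// URLs for that host to https:// before any request leaves, while a host-to-different-host mapping such as en.wikipedia.org to secure.wikimedia.org is out of reach) can be sketched in a few lines. This is an added example, not Force-TLS's or the EFF add-on's code; the `max-age=<seconds>` header value format is an assumption borrowed from the later HSTS header, and the clock parameter exists only so expiry can be exercised.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class ForceTlsPolicy:
    """Per-host 'always use https' memory, keyed by host name only."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}  # host -> unix time after which the rule lapses

    def observe_response(self, host: str, headers: dict) -> None:
        """Record the rule when a response from `host` carries X-Force-TLS."""
        value = headers.get("X-Force-TLS")
        if value is None:
            return
        m = re.search(r"max-age=(\d+)", value)  # value format assumed, see lead-in
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self._expiry.pop(host, None)  # site withdrew the rule
        else:
            self._expiry[host] = self._clock() + max_age

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// if the host is remembered and unexpired."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        expiry = self._expiry.get(host)
        if expiry is None:
            return url  # never told to: the cleartext request goes out as typed
        if expiry <= self._clock():
            del self._expiry[host]  # rule lapsed; back to cleartext
            return url
        # Same host, same path and query: only the scheme changes, which is why a
        # cross-host mapping like en.wikipedia.org -> secure.wikimedia.org cannot
        # be expressed here.
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    policy = ForceTlsPolicy()
    policy.observe_response("www.bankofamerica.com", {"X-Force-TLS": "max-age=31536000"})
    print(policy.rewrite("http://www.bankofamerica.com/"))
    print(policy.rewrite("http://en.wikipedia.org/wiki/Google"))
```

Note the bootstrapping gap the design leaves open: the rule is only learned from a response that already arrived, so the very first visit to a host from the hotspot is still a cleartext request that a DNS spoofer can answer.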
Re:So, to clarify... (Score:3, Informative)
As far as I know, Twitter doesn't behave this way. If you log out on machine_x, only machine_x is logged out. Not the attacker.
GMail's "Destroy all other sessions" would be closer to the behaviour you're talking about.
Re:So, to clarify... (Score:3, Informative)
However, two different "machines" (even two different browser sessions on the same machine) should get different session IDs. As such, this would be expected, since each session is independent. The session ID is, generally, just a cookie with a specific value; your browser hands this back with every request, thus associating each request with the session.
So if you logout, and that invalidates the session, then this is to be expected, since each browser/machine has its own session cookie, each one is independent.
This is not the situation for a hijacked session. The original session and the hijacker will both have the same ID. So when you log out, if that invalidates the session properly, then the hijacker is logged out too, even if other sessions are still active.
Of course, this is "in general how it works". Most sites probably follow this model and will work this way. There is nothing to say all sites will. A site could easily correlate sessions and either allow only one session at a time for a user, or any number of things that would make it behave differently.... but usually you will have different sessions in each browser.
-Steve
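The model Steve lays out (one server-side table keyed by session ID; a hijacker who copies the cookie holds the same ID, so invalidating it on logout ejects both; a second browser has its own ID and is untouched) and the GMail-style "destroy all other sessions" mentioned earlier can be shown in a toy session store. This is an added example, not any real site's code; the account name, the scenario functions and the two "browsers" are constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session ID -> username."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(24)  # fresh, unguessable ID per browser login
        self._sessions[sid] = user
        return sid

    def whoami(self, sid: str):
        return self._sessions.get(sid)  # None once the ID has been invalidated

    def logout(self, sid: str) -> None:
        # Removing the ID server-side ends it for every holder of that cookie,
        # the legitimate browser and any sniffer that copied it alike.
        self._sessions.pop(sid, None)

    def logout_other_sessions(self, user: str, keep_sid: str) -> int:
        """GMail-style 'sign out all other sessions'; returns how many were killed."""
        stale = [s for s, u in self._sessions.items() if u == user and s != keep_sid]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def hijack_scenario() -> dict:
    """Victim logs out of the sniffed session: the hijacker goes with it."""
    store = SessionStore()
    laptop = store.login("alice")   # victim at the hotspot
    phone = store.login("alice")    # same account, separate browser, separate ID
    sniffed = laptop                # Firesheep copies the cookie verbatim
    hijacker_before = store.whoami(sniffed)
    store.logout(laptop)            # victim clicks "log out" on the laptop
    return {
        "hijacker_before": hijacker_before,       # 'alice'
        "hijacker_after": store.whoami(sniffed),  # None: same ID, now invalid
        "phone_after": store.whoami(phone),       # 'alice': independent session
    }


def destroy_others_scenario() -> dict:
    """Victim keeps the phone session and kills everything else, hijacker included."""
    store = SessionStore()
    laptop = store.login("alice")
    phone = store.login("alice")
    sniffed = laptop
    killed = store.logout_other_sessions("alice", keep_sid=phone)
    return {"killed": killed, "hijacker": store.whoami(sniffed), "phone": store.whoami(phone)}


if __name__ == "__main__":
    print(hijack_scenario())
    print(destroy_others_scenario())
```

The caveat from the thread still applies: a site that only clears the cookie client-side on logout, rather than deleting the entry server-side, leaves the sniffed ID valid, and `logout` above would need to be a real server-side deletion to have the effect shown.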