Sidejacking, Firesheep, and AOSSL
HTTP session hijacking, better known as “sidejacking”, is a threat to every internet user. The weakness it exploits is simple: a site that logs you in over HTTPS but then lets the rest of the session run over plain HTTP sends your session cookie in the clear, where anyone on the same network can copy it. Open Wi-Fi networks, which offer no confidentiality at all, make this trivial, but the risk is compounded by the widespread misplaced trust in the safety of browsing from a phone and in connections that merely look secure. It has been demonstrated that wired networks are not necessarily safe from sidejacking either, and even your interactions with an App store can be at risk.
If you log in to Facebook over the open Wi-Fi network at your local coffee shop, someone with a simple tool such as Firesheep can capture your session cookie, act as you inside the account, possibly change your password, and then take advantage of other services linked to that account. Firesheep is a point-and-click browser extension, so these attacks require no programming knowledge, and the problem is not limited to the unencrypted Wi-Fi networks we are all familiar with. Firesheep can intercept information sent over any unencrypted HTTP session, wired or wireless, wherever the attacker can see the traffic. And what can a sidejacker do with your connection to an App store? Elie Bursztein at Google describes the various ways your App browsing and buying can be compromised, from password stealing to App swapping, where an attacker’s malicious App is delivered instead of the App that was actually paid for.
The industry is slowly starting to adopt the practice of Always On SSL to protect users, including in App stores. Always On SSL means serving every page of a site, not just the login form, over HTTPS, and it is the right place to start. It is natural to visit a website and feel secure because you logged in with a unique username and password, but if the rest of the traffic is not encrypted, the browser keeps sending the session cookie with every plain HTTP request, and a sidejacker who copies that cookie can act within your account without ever knowing the password. When a website is secured with HTTPS from the moment you arrive until you leave, the entire session, cookie included, is encrypted in transit and there is nothing on the wire for the sidejacker to take.
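To make the cookie point concrete, here is a small Python model, added for this article rather than taken from it or from any tool it mentions, of what a browser does with a session cookie set at login and what a Firesheep-style sniffer on the same network can read. The site name shop.example, the cookie name sessionid and the visited URLs are constructed for the example. It contrasts a cookie issued without the Secure attribute, the same cookie with Secure set, and a site that sends HSTS so the browser never speaks plain HTTP to it at all, which is the Always On SSL case.

```python
"""Why a session cookie leaks without Always On SSL, and why Secure/HSTS stop it.

Added illustration, not code from the original article. The site host, cookie
name and visited URLs are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "shop.example"  # hypothetical site, assumed for the example


def parse_set_cookie(header):
    """Parse a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_request(cookie, url, hsts):
    """Model how a browser builds one request for `url`.

    - With HSTS cached for the site, http:// URLs are rewritten to https://
      before any bytes leave the machine.
    - A cookie carrying the Secure attribute is attached only to https requests;
      without it the cookie rides along on plain HTTP too.
    """
    parts = urlsplit(url)
    if hsts and parts.scheme == "http" and parts.hostname == SITE_HOST:
        parts = parts._replace(scheme="https")
    headers = {}
    if parts.scheme == "https" or not cookie["attrs"].get("secure"):
        headers["Cookie"] = f"{cookie['name']}={cookie['value']}"
    return {"scheme": parts.scheme, "url": urlunsplit(parts), "headers": headers}


def sidejack(captured):
    """What a Firesheep-style sniffer on the same network can recover.

    TLS traffic is opaque to it; it only reads Cookie headers out of plaintext
    HTTP requests.
    """
    stolen = {}
    for req in captured:
        if req["scheme"] != "http":
            continue
        for pair in req["headers"].get("Cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                stolen[name] = value
    return stolen


def simulate(set_cookie, visited_urls, hsts=False):
    """Log in over HTTPS, browse the given URLs, return what the sniffer got."""
    cookie = parse_set_cookie(set_cookie)
    captured = [browser_request(cookie, url, hsts) for url in visited_urls]
    return sidejack(captured)


# Constructed session: login over HTTPS, then one ordinary page over plain HTTP.
VISITS = [
    f"https://{SITE_HOST}/login",
    f"http://{SITE_HOST}/",
    f"https://{SITE_HOST}/account",
]
WEAK_COOKIE = "sessionid=9f1c2d; Path=/; HttpOnly"
HARDENED_COOKIE = "sessionid=9f1c2d; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("no Secure flag, mixed HTTP/HTTPS:", simulate(WEAK_COOKIE, VISITS))
    print("Secure flag set:", simulate(HARDENED_COOKIE, VISITS))
    print("site sends HSTS (Always On SSL):", simulate(WEAK_COOKIE, VISITS, hsts=True))
```

The first case hands the sniffer the session identifier even though the login itself was over HTTPS, because a single plain-HTTP page load was enough; the other two cases yield nothing. On a real site the corresponding server-side fixes are to send a Strict-Transport-Security header so the browser upgrades every request, and to mark the session cookie Secure (and HttpOnly) so it is never attached to a plaintext request even if one slips through.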
Always On SSL is considered the industry best practice for protecting information online, but unfortunately plain HTTP is still prevalent, even on e-commerce sites. So how can you navigate the internet safely when the whole ecosystem is not yet secure? The best way to ensure your online privacy and safety is to be your own security advocate. These tips will help you stay safe online and resist sidejacking attacks when Always On SSL is not present.
- Do research online to see if your App store operates using always on SSL
- Make sure that you check for HTTPS throughout your online session, not just when you log in
- Do not stay permanently signed in to your accounts
- Use a different password for each account so that one compromised account does not put the others at risk
- Pay attention to web browser warnings that caution about fraudulent websites
- Ensure that your browser and security software are up to date
Lastly, HTTPS Everywhere is a helpful browser extension that rewrites your requests to use HTTPS on the websites it has rules for; however, it only works where the website already offers an HTTPS version. The extension cannot create encryption on its own, but it does make sure you actually use HTTPS on sites where it is available instead of falling back to HTTP. Be your own security advocate and follow these tips to keep your information private and your online communications safe from sidejacking attacks.