Sidejacking, Firesheep, and AOSSL

HTTP session hijacking, better known as “sidejacking”, poses a major threat to all internet users. This is due to the common use of Wi-Fi networks, which are inherently insecure, but also because of the widespread misplaced trust in the safety of internet use on phones and over connections that are perceived to be secure. It has been demonstrated that wired networks are not necessarily safe from sidejacking attempts either, and even your interactions in an App store can be at risk.

If you are logging into Facebook using the open Wi-Fi network at your local watering hole, an individual with a simple tool such as Firesheep can gain access to your account, change your password, and then potentially take advantage of other programs linked to that account. These sidejacking attacks can be done without any programming knowledge, and the problem isn’t limited to the unencrypted Wi-Fi networks we are familiar with. Firesheep can be used to intercept information sent over any unencrypted HTTP session, whether it is wired or wireless. And what can a sidejacker do with my connection to an App store, you may wonder? Great question! Elie Bursztein at Google cites the various ways your App browsing and buying can be compromised. It can be everything from password stealing to App swapping, where an attacker’s malware App is downloaded instead of the actual App that was paid for.

The industry is slowly starting to adopt the practice of always on SSL to protect users, including in App stores. The implementation of always on SSL, or end-to-end encryption using HTTPS, is a great place to start. It is natural to visit a website and feel secure because you have logged in to your account with a unique username and password. The problem is that if the rest of the traffic is not encrypted, a sidejacker can gain access to the vulnerable cookie and then manipulate any personal information within the account. However, when a website is secured with HTTPS from the time of first access to the time you leave, the entire session is encrypted in a way that prevents your information from being compromised. Always on SSL is the best way to protect your information and identity when browsing and buying online.
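The gap described above, a login over HTTPS followed by a cookie that still travels in the clear, can be checked from a site's response headers. The following is an added example, not part of the original post: the finding codes, the sample responses and the shop.example host are constructed, and it assumes the cookie `Secure` attribute and the `Strict-Transport-Security` header as the concrete mechanisms a site uses to enforce always on SSL.

```python
"""Audit HTTP responses for the gaps that leave a session cookie open to sidejacking."""

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs

def audit_response(scheme, status, headers):
    """Return finding codes for one response; headers is a list of (name, value)."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        # A plaintext request should only ever be answered with a redirect to HTTPS.
        location = next((v for k, v in hdrs if k == "location"), "")
        redirect = status in (301, 302, 307, 308)
        if not (redirect and location.lower().startswith("https://")):
            findings.append("plaintext-page")
    elif not any(k == "strict-transport-security" for k, _ in hdrs):
        # Without HSTS the browser may still try http:// on a later visit.
        findings.append("no-hsts")
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if scheme == "http":
            findings.append(f"cookie-set-in-clear:{name}")
        elif "secure" not in attrs:
            # Browser will attach this cookie to plain HTTP requests too.
            findings.append(f"cookie-missing-secure:{name}")
    return findings

def audit_site(responses):
    """Audit a list of (scheme, status, headers) tuples and flatten the findings."""
    return [f for r in responses for f in audit_response(*r)]

# Constructed sample responses (not captured from any real site).
LOGIN_ONLY_HTTPS = [
    ("https", 200, [("Set-Cookie", "session=7f3a; Path=/; HttpOnly")]),
    ("http", 200, [("Content-Type", "text/html")]),
]
ALWAYS_ON = [
    ("https", 200, [("Set-Cookie", "session=7f3a; Path=/; Secure; HttpOnly"),
                    ("Strict-Transport-Security", "max-age=31536000")]),
    ("http", 301, [("Location", "https://shop.example/")]),
]

if __name__ == "__main__":
    print("login-only HTTPS:", audit_site(LOGIN_ONLY_HTTPS))
    print("always on SSL:   ", audit_site(ALWAYS_ON))
```

The login-only site yields three findings while the always-on configuration yields none, which is the difference between a cookie that can be read off the network and one that cannot.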
