Cookies and Sidejacking

The birth of the cookie came about when small amounts of cake batter were dropped onto baking pans to test the temperature of ovens before a large cake was baked – oops, sorry, wrong blog.
Lou Montulli invented the Web cookie while working for Netscape; together with John Giannandrea he wrote the first specification for the cookies used in Netscape, way back in 1994. It took a year before support for cookies was added to a release of Internet Explorer.
OK, enough of the history, just how do cookies affect me (and not the type that taste good with a cup of coffee)?
There are various RFC standards that cookies should follow, and after a few ‘indiscretions’ in which Microsoft, the CIA, the NSA and the White House drug policy office were caught using cookies for tracking and other things, the US government set rules on the use of cookies in 2000. The EU followed suit in 2002 with the Directive on Privacy and Electronic Communications, which has since been updated and revised in 2009 and 2012.
Now, cookies can be a source of both good and evil. I’ll revisit the dark side of cookies in another post, but let’s look at legitimate cookies first.
The session cookie
Let’s start at the server. A person connects to the web server via HTTP… OK, straightforward so far. HTTP is stateless and sessionless… do what?
You type the web address into the browser, the browser issues a GET request to the server, gets the document, and then drops the connection – this is the basic function of HTTP 1.0. This is all very well if you are fetching a basic page and not interacting with the site. Just like in 1993.
But, what people actually want is to interact with the web sites, buy things, on-line banking, sell things, look for that pet rock they never had as a kid on ebay/craigs list, google themselves (hasn’t everyone!)….. wherever…
So, the applications on the server now need a way of keeping track of who you are; otherwise you might do a search on ebay for a pet rock, and ebay would return a list of replacement parts for an xyz vacuum cleaner.
To get round this problem the modern application server creates a ‘session’ for you on your connection. It’s the web application’s job to maintain state on that connection and keep track of users and their session data, such as the document you are viewing and what you are doing with it. A shopping cart is the classic example: the server is expected to keep a list of the items in the cart and present that list at checkout.
There are several ways of doing this, but the cookie is the simple answer. The trouble is that if a website uses cookies as session identifiers, attackers can impersonate users’ requests by stealing a full set of a victim’s cookies. This is where ‘sidejacking’ comes in. From the web server’s point of view, a request from a sidejacker carries the same authentication as the victim’s requests, so the request is performed on behalf of the victim’s session.
Sidejacking is done by listening to traffic on a network. Since most cookies are sent over plain HTTP rather than HTTPS, all the attacker has to do is listen to the network traffic and use the intercepted cookies to impersonate a user. If you’re using a public network, or a public WiFi hotspot using WEP, then anyone on the same network can listen in. None of this is new; these problems have been generally known, at least in the security community, for years.
Tools such as Hamster and Firesheep have opened the vulnerability up to just about anyone, from hackers to script kiddies to anyone who knows how to download a file and run it. Firesheep puts identity-theft attacks within easy reach of even casual users. Hamster was somewhat more technical to use than the later Firesheep, and as such wasn’t as popular. Firesheep is an extension for the Firefox web browser, developed by Eric Butler and released in October 2010 at the ToorCon 12 conference in San Diego. It works with a packet sniffer such as WinPcap to intercept unsecured cookies. It then displays the names of users on the local network, and the services to which they are connected, in a frame on the Netscape browser. The attacker can connect to those services using the victim’s credentials just by double-clicking on the name. Point-and-click sidejacking.
Cookies can be sent with a “Secure” flag, which tells the browser only to send them over an HTTPS (TLS/SSL) session, and that would avoid this. But while it is common for websites to encrypt the login process, it is not so common to set the Secure flag on session cookies, and so they remain open to attack.
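To make the two points above concrete (a session cookie is the server’s only proof of who you are, and a session cookie without the Secure flag will be sent over plain HTTP), here is a small added example, written for this post and not taken from any of the tools or sites mentioned. It parses Set-Cookie headers the way a browser would, flags session-looking cookies that lack Secure or HttpOnly, and shows how a server should issue one. The sample headers and the name heuristics are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed sample Set-Cookie headers, as three different servers might emit them.
SAMPLE_HEADERS = [
    "sessionid=7fd3a1c2; Path=/",                    # session cookie, no Secure: sniffable
    "PHPSESSID=9a8b7c; Path=/; Secure; HttpOnly",    # session cookie, correctly flagged
    "theme=dark; Path=/; Max-Age=31536000",          # preference cookie, not a session
]

# Heuristic (assumption): names containing these fragments are treated as session cookies.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool
    findings: list


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Report whether a Set-Cookie header leaves a session cookie exposed."""
    name, _value, attrs = parse_set_cookie(header)
    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    is_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
    findings = []
    if is_session and not secure:
        findings.append("no Secure flag: browser will send it over plain HTTP, where it can be sniffed")
    if is_session and not httponly:
        findings.append("no HttpOnly flag: readable by page scripts")
    return CookieReport(name, secure, httponly, is_session, findings)


def issue_session_cookie(name="sessionid"):
    """Build the Set-Cookie header a server should send for a freshly created session.

    The token is random and unguessable; Secure keeps it off plain HTTP, HttpOnly keeps
    it away from scripts. Returns (token, header) so the server can store the token.
    """
    token = secrets.token_urlsafe(32)
    header = f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return token, header


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        report = audit_cookie(h)
        status = "; ".join(report.findings) if report.findings else "ok"
        print(f"{report.name:<10} session={report.looks_like_session!s:<5} {status}")
    print(issue_session_cookie()[1])
```

Run it and the first sample is the one Firesheep-style sniffing feeds on: a session identifier that the browser will happily repeat over HTTP. The second sample is what the login page should have set in the first place.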
Sites that commit to using TLS/SSL for the safety of their users also need to use a trusted certificate authority. Full HTTPS authentication with a trusted CA is the only way for users to know for sure who they are dealing with. But there is a cost implication, and SSL/TLS encryption also adds a small load on the server; for non-commercial sites this may be too much to bear.
I’ve already covered in another post the fact that WEP as a security measure on WiFi is a total waste of time; it would be far more secure simply to implement WPA2 with a shared password on public WiFi hotspots. Just put up a sign that says ‘The password is xxxxxxx’, or make the network name ‘the wifi – pw is xxxxxxx’. Since WPA2 also implements user isolation, no packet sniffing would be possible, at least on the WiFi, but as soon as the traffic hits the access point/network it can be an issue again.
From a network perspective, you have to move to 802.1X encryption right across the network for it to be of any use here. But that involves certificate servers, user certificates and so on, and while it would be a solution for businesses, it is beyond practical use for the average Starbucks or wherever else you’re getting the ‘free’ WiFi from.
As previously mentioned, the only comprehensive way for users to protect themselves on such a network is to use Tor/Orbot or some form of virtual private network, which encrypts all the traffic across the network. HTTPS Everywhere could also be used, but it has its own issues and will not work on all sites.
While not a solution to the problem, there is the free ‘BlackSheep’ tool. Another Firefox plugin, it creates fake sessions and then monitors network traffic to see whether these are being copied, alerting the user when this happens. Once again, on Windows you’ll need to install WinPcap first.