Monday, November 15, 2010

Coding Horror: Breaking the Web's Cookie Jar

"The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here's how it works:

  • Connect to a public, unencrypted WiFi network. In other words, a WiFi network that doesn't require a password before you can connect to it.
  • Install Firefox and the Firesheep add-in.
  • Wait. Maybe have a latte while you're waiting.
  • Click on the user / website icons that appear over time in Firesheep to instantly log in as that user on that website.
...

what Firesheep does is relatively straightforward:

  1. Listen to all HTTP traffic.
  2. Wait for HTTP headers from a known website.
  3. Isolate the part of the cookie header that identifies the user.
  4. Launch a new browser session with that cookie. Bam! As far as the target webserver is concerned, you are that user!

All Firesheep has to do, really, is listen. That's pretty much all there is to this "hack". Scary, right? Well, then you should be positively quaking in your boots, because this is the way the entire internet has worked since 1994, when cookies were invented."
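
From the site owner's side, the exposure described in the quoted steps comes down to whether an identifying cookie can ever travel over plain HTTP. The following is an added example, not part of the quoted article: it audits `Set-Cookie` response headers for cookies a passive listener on an open network could read. The function names and the sample header values are constructed for illustration.

```python
# Added example: flag cookies that can cross the network unencrypted.
# All header values below are constructed samples, not taken from a real site.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, response_scheme):
    """Return {cookie_name: [findings]} for cookies readable on plain HTTP.

    response_scheme is the scheme of the response that carried the headers.
    """
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to http:// requests too.
            issues.append("no Secure attribute: sent on plain-HTTP requests")
        if response_scheme.lower() != "https":
            # The value was already on the wire in cleartext when it was issued.
            issues.append("issued over plain HTTP: visible when set")
        if issues:
            findings[name] = issues
    return findings


SAMPLE_HEADERS = [  # constructed
    "session_id=abc123; Path=/",
    "auth_token=def456; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; secure",
]

if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS, "https").items():
        print(cookie, "->", "; ".join(issues))
```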