Skip to content

Posts tagged ‘cookie’

5
Nov

Firesheep Detection and Defence with FireShepherd [and BlackSheep]

When Firesheep intercepts a valid session cookie for the sites it supports, it automatically makes its own request to that site using that session. Just as the Firesheep user can intercept network traffic over wifi, so can the normal users, so this behaviour means that Firesheep itself is detectable.

By transmitting a request to Facebook, Twitter or Google with a fake session ID, and monitoring the network using Wireshark, it is possible to look for follow-up connections from another host, using your fake session ID. By performing this ‘reverse attack’ on loop, it’s possible to flood the attacker’s Firesheep window with tons of invalid sessions. Note that this doesn’t protect you entirely, and any valid login to these sites will still be intercepted by Firesheep. But it’s possible to detect whether a Firesheep user is on the network.

Someone has released FireShepherd (currently Windows only), a tool that automates the flooding of invalid sessions, supposedly temporarily killing Firesheep running on the local network. Note that FireShepherd doesn’t detect the presence of Firesheep on the network.

[Updated] BlackSheep, a Firefox plugin, has been released which alerts the user if Firesheep is in use on the network. It does this using the method described above.

19
Oct

Persistent Tracking using Supercookies and Evercookies

Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, track statistics, or a number of other purposes. Sites can usually only track users while they are browsing that actual site (apart from Google who tracks you more or less wherever you go), however the past few years have revealed more and more ways web users can be tracked.

The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.

Modern supercookies comprise a number (or all) of the following:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what is what Evercookie uses to create them. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!

Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).

This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.

Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.

     - Standard HTTP Cookies
     - Local Shared Objects (Flash Cookies)
     - Silverlight Isolated Storage
     - Storing cookies in RGB values of auto-generated, force-cached
        PNGs using HTML5 Canvas tag to read pixels (cookies) back out
     - Storing cookies in Web History
     - Storing cookies in HTTP ETags
     - Storing cookies in Web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite
css.php