The importance of HTTPS login pages – Session hijacking fits in a pocket now

You should always prefer SSL-encrypted (HTTPS) login pages on sites over non-SSL (HTTP). Why?

Session hijacking is why.

First, let me [very briefly] explain the difference for the unfamiliar. SSL stands for Secure Sockets Layer and it’s the encrypted, secure version of HTTP, the protocol that loads web pages. Normal web access is over unencrypted HTTP (the http:// part of the web address) and secure access is over HTTPS (the https:// in front of the address bar). In the most basic terms, the extra ‘s’ stands for ‘secure’.

Some screenshots using Firefox:

Normal (unencrypted) session:

Secure (encrypted) session:

So why am I bringing this up? Because I got a chance to play with an app for Android that claimed to allow one to “capture” login sessions over wireless connections.

How does it work? Well, without going into too much detail you simply connect your Android-powered device running this application to a wireless network and it just sits and listens for login data and captures it. I sat down with the app a few minutes ago, put it on my network, and logged in to various sites. You know what? It worked. I was able to capture several logins in just a few minutes and log in to those sites from my mobile device without needing the password. Among those captured were my Facebook and Google login. Note that I had to disable HTTPS logins on Facebook to get it to capture. The encryption provided by HTTPS is enough to prevent this type of hijack from working.

That means that Joe Blow sitting two tables away from you at Starbucks with his phone in his pocket could be capturing your Facebook, Amazon, or other login credentials while you’re casually surfing the web and sipping coffee.  This could also mean that your neighbors unsecured wireless network, which you’ve been casually using to avoid paying for your own, could be silently capturing your login details. This also means that if your own wireless network is unsecured, you’re leaving yourself open to this type of attack.

Note that this worked even though my network is WPA2 secured: I just had to enter the wireless key to connect to the network.

I’m not going to mention the name of the app, though it is available in the Android Market and does require a rooted phone, so if you want to go play with it you have to find it on your own. I’m also not encouraging stealing other people’s identities. As far as I know it’s a Federal crime. :) I’m writing this to make people aware that they should:

  • Use HTTPS login pages whenever possible.
  • Avoid using unsecured wireless networks.
  • Secure your own wireless network and be aware of who you share the key with.
  • Change your own wireless key from time to time if you share it.

Have a nice day :) As always, feel free to share your comments below!


, , , ,