Can your wireless network be sidejacked?

Well-known security experts Robert Graham and David Maynor, founders of Errata Security, wrote an interesting paper for the Black Hat 2007 security conference being held this week. Their claim is that many Web applications may be vulnerable after the initial logon takes place; Gmail and Facebook are two examples mentioned in the article. Apparently only the password exchange is encrypted; after that, the traffic sent between the browser and the Web server isn't encrypted for the remainder of the session. Why not? Simply put, it costs more in bandwidth and server processing to encrypt the entire session.

OK, so traffic isn't encrypted for the entire session. If the password is secure, why should this be of any concern? It comes down to the infamous cookie and session ID, and the information they carry. According to Graham and Maynor, this information, especially the session ID, can be imported into another Web browser, which then mimics the original user's browser and lets a third party access the same Web application as that user. This is called sidejacking, and it is obviously not a good thing.
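The condition the paper describes, a session cookie that the browser will happily attach to unencrypted requests, is visible in the Set-Cookie headers a site sends back after logon: a cookie without the Secure attribute is sent over plain HTTP as well as HTTPS. The following is an added example, not code from the article or from Errata Security; it audits Set-Cookie headers for session-looking cookies that lack Secure, and shows the header form a site should issue instead. The sample headers and the list of session-like cookie names are constructed for the example and do not describe any real site.

```python
"""Audit Set-Cookie headers for session cookies that a browser would also
send over unencrypted HTTP, which is the condition sidejacking depends on.

Added example; not code from the article or from Errata Security.
Sample headers below are constructed and do not describe a real site.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List

# Substrings that commonly mark a session identifier.  Constructed for the
# example; extend it for the applications you actually audit.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def exposed_to_sidejacking(self) -> bool:
        # Without Secure the browser attaches the cookie to plain-HTTP
        # requests, so anyone sniffing an open wireless network can read it.
        return self.looks_like_session and not self.secure


def audit_set_cookie(headers: List[str]) -> List[CookieFinding]:
    """Parse each Set-Cookie header value and record its protection flags."""
    findings: List[CookieFinding] = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Morsel flags are True when present and "" when absent.
            findings.append(CookieFinding(
                name=name,
                secure=bool(morsel["secure"]),
                httponly=bool(morsel["httponly"]),
                looks_like_session=any(
                    hint in name.lower() for hint in SESSION_NAME_HINTS
                ),
            ))
    return findings


def exposed_session_cookies(headers: List[str]) -> List[str]:
    """Names of session-like cookies that would travel in the clear."""
    return [f.name for f in audit_set_cookie(headers) if f.exposed_to_sidejacking]


def hardened_set_cookie(name: str, value: str) -> str:
    """Set-Cookie header a site should issue once the whole session is served
    over HTTPS: Secure keeps it off plain HTTP, HttpOnly keeps it from scripts."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


# Constructed sample: what a login response might send back.
SAMPLE_HEADERS = [
    "SID=7f3a9c1e; Path=/; HttpOnly",              # session id, no Secure flag
    "PREF=en; Path=/",                             # preference, not a session
    "AUTH_TOKEN=9b2d4e; Path=/; Secure; HttpOnly", # already protected
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = "EXPOSED" if finding.exposed_to_sidejacking else "ok"
        print(f"{finding.name:12} secure={finding.secure!s:5} "
              f"httponly={finding.httponly!s:5} {status}")
    print("Hardened form:", hardened_set_cookie("SID", "7f3a9c1e"))
```

Run the block and the SID cookie is reported as exposed while AUTH_TOKEN is not; re-auditing the output of `hardened_set_cookie` reports nothing. The Secure attribute only helps if the site serves the whole session over HTTPS, which is exactly the cost the article says sites were avoiding.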

Sidejacking can occur on any network, but it is easiest to do on a wireless network, since the packet analyzer used to sniff the traffic doesn't have to be physically attached to the network. If the wireless network is open (unencrypted), so much the better for the attacker.

So how do you prevent this? Here are some simple, if mostly inconvenient, steps you can take to protect your data.

  • If possible, avoid using public or open wireless networks.
  • If you need to use a public wireless network, do not access Web sites that require personal information.
  • If you need to use a public wireless network and require access to a Web application requiring personal information, use a VPN or SSL proxy to access the Web site.

As I mentioned, these aren't very convenient, but they're much less of a hassle than trying to rectify the loss and misuse of your personal information.