Sidejack Prevention
A Firefox plugin called Firesheep was released this week that makes it easy
to capture and exploit other users' HTTP session cookies sent over insecure
connections on untrusted networks. This vulnerability makes it possible to
log in to other people's accounts on a variety of services by spying on
network traffic and extracting those cookies. Wikipedia has a decent article
on this technique: Session Hijacking.
GitHub was susceptible to this attack, but we have now taken measures to
protect you and your data. As a result, you will be prompted to log in again
on your next visit. This is necessary in order to switch you to the more
secure system.
The Technical Details
Today, we're rolling out the first in a series of measures we have planned to
make GitHub more resilient to session hijacking attacks. The basic approach
revolves around setting a second cookie (in addition to the normal session
cookie) that is marked as secure. Cookies marked secure are sent only over SSL
requests and are omitted on non-SSL requests. They look like this on the wire:
Set-Cookie: somename=somevalue; path=/; secure
When someone logs on, we set the secure cookie (_github_sec in our case) to
the checksum of the user's id and password hash along with a secret (known
only to the application) salt value. Then, on subsequent SSL requests, we
verify that the cookie's value matches the same checksum. If the values are
different, authentication fails.
Most browsers have a way of viewing cookie details. Here, we see the cookie
is sent only over secure requests:
Since we already require SSL for all sensitive requests, including
browsing/admin’ing private repositories and viewing/editing account details,
this extra bit of verification ensures that sidejacked session cookies cannot
be used to gain access to any sensitive information.
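To make the scheme above concrete, here is an added example (not GitHub's code) that issues a secure-flagged _github_sec cookie, recomputes the checksum on SSL requests, and shows why a session cookie sniffed from a plain-HTTP request cannot be replayed. It assumes HMAC-SHA256 as the keyed checksum and uses a constructed secret, user record and session cookie name.

```python
import hmac
import hashlib

# Constructed for this example: the application-only secret the post calls a
# "salt", and a sample user record (id plus stored password hash).
APP_SECRET = b"example-secret-loaded-from-server-config"
USER = {"id": 42, "password_hash": "$2a$10$constructedExampleHash"}

SECURE_COOKIE = "_github_sec"   # name used in the post
SESSION_COOKIE = "_session"     # assumed name for the ordinary session cookie

def secure_cookie_value(user_id, password_hash, secret=APP_SECRET):
    """Checksum of the user's id and password hash keyed with the app secret.
    HMAC-SHA256 is this example's choice of keyed checksum (an assumption)."""
    msg = f"{user_id}:{password_hash}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def set_cookie_header(user):
    """Set-Cookie line in the wire format shown in the post; 'secure' makes
    the browser send it only on SSL requests."""
    value = secure_cookie_value(user["id"], user["password_hash"])
    return f"Set-Cookie: {SECURE_COOKIE}={value}; path=/; secure"

def browser_cookies_for(jar, is_ssl):
    """What a browser transmits: secure cookies are omitted on non-SSL."""
    return {k: v for k, v in jar.items() if is_ssl or k != SECURE_COOKIE}

def authenticate(request_cookies, is_ssl, user):
    """The post's check: an SSL request must carry a _github_sec value equal
    to the recomputed checksum; anything else fails authentication."""
    if not is_ssl:
        return False          # sensitive requests are SSL-only
    presented = request_cookies.get(SECURE_COOKIE)
    if presented is None:
        return False
    expected = secure_cookie_value(user["id"], user["password_hash"])
    return hmac.compare_digest(presented, expected)   # constant-time compare

def scenario():
    """Legitimate browser vs. a sidejacked session cookie replayed over SSL."""
    jar = {SESSION_COOKIE: "abc123sessionid",
           SECURE_COOKIE: secure_cookie_value(USER["id"], USER["password_hash"])}
    sniffed = browser_cookies_for(jar, is_ssl=False)   # only _session on the wire
    replay_ok = authenticate(sniffed, is_ssl=True, user=USER)
    genuine_ok = authenticate(browser_cookies_for(jar, True), True, USER)
    # A password change alters the checksum, so the old secure cookie fails.
    changed = dict(USER, password_hash="$2a$10$newConstructedHash")
    after_change_ok = authenticate(browser_cookies_for(jar, True), True, changed)
    return {"sniffed_has_secure": SECURE_COOKIE in sniffed, "replay_ok": replay_ok,
            "genuine_ok": genuine_ok, "after_password_change_ok": after_change_ok}
```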
Broader Solutions
Sidejacking is still a problem for many sites on the internet. The only way to
protect yourself on every site you visit is to secure and encrypt your
connection for all requests.
SheepSafe from Nick Sieger is an easy-to-install solution for Mac that relies
on an SSH tunnel and SOCKS proxy to encrypt every HTTP request you make, no
matter what site you're on.