FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: Munkymind
Date: October 27, 2010 08:40PM

Quote

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:

Double-click on someone, and you're instantly logged in as them.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
http://codebutler.com/firesheep

I guess I will have to go back and read those posts on converting an extension for K-Meleon. :D



Edited 1 time(s). Last edit at 10/27/2010 08:42PM by Munkymind.

Re: FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: ndebord
Date: October 30, 2010 08:39PM

Firesheep is a scary extension for FireFox, imo, and one that makes open and free WiFi cafes even scarier to use.

http://www.zdnet.com/blog/perlow/firesheep-its-gonna-cost-you/14327?tag=content;selector-blogs

The following FireFox extensions are supposed to make that browser safe by forcing SSL and HTTPS. Will they work with K-Meleon?

Force the use of TLS or SSL

Many, but not all sites, support the use of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) or TLS/SSL over HTTP (HTTPS) but default to not encrypting your traffic. There are browser extensions, however, that will force those sites that support TLS or SSL to use these protocols. Once authenticated and encrypted, your traffic will be safe from Firesheep.

These extensions include HTTPS Everywhere and Force TLS. Other broader Web security extensions, such as NoScript, also include this functionality. That’s the good news. The bad news is that they only work with Firefox. There are, to the best of my knowledge, no such add-ons for Internet Explorer, Chrome, Safari, or Opera. If anyone knows of some, I’d love to hear about them.

N
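
Added example (not part of any post in this thread, and not code from Firesheep or the extensions named above): a site-owner's check for the two conditions discussed so far, a session cookie that is set without the `Secure` attribute and so travels in clear text on any later plain-HTTP request, and the absence of the `Strict-Transport-Security` response header, which is the server-side way to get forced HTTPS. The header samples, cookie names and function names are constructed for illustration.

```python
# Constructed sample responses to a login request (not captured from a real site).
WEAK_LOGIN_RESPONSE = [
    "Content-Type: text/html",
    "Set-Cookie: session_id=CONSTRUCTED123; Path=/; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/; Expires=Thu, 27 Oct 2011 20:40:00 GMT; Secure",
]
HARDENED_LOGIN_RESPONSE = [
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000",
    "Set-Cookie: session_id=CONSTRUCTED123; Path=/; HttpOnly; Secure",
]


def cookie_flags(set_cookie_value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    if not parts:
        return None
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_response(scheme, header_lines):
    """List cookies that can cross the network unencrypted, and report HSTS.

    scheme is "http" or "https": how the audited response itself was fetched.
    """
    sniffable, hsts = [], False
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        field = field.strip().lower()
        if field == "set-cookie":
            parsed = cookie_flags(value)
            if parsed is None:
                continue
            name, attrs = parsed
            # Set over HTTP: already visible on the wire. Set over HTTPS without
            # Secure: the browser will still attach it to later http:// requests.
            if scheme != "https" or "secure" not in attrs:
                sniffable.append(name)
        elif field == "strict-transport-security" and scheme == "https":
            hsts = True  # browsers ignore this header when it arrives over HTTP
    return {"sniffable_cookies": sniffable, "hsts": hsts}
```
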

Re: FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: guenter
Date: October 31, 2010 12:09AM

Quote
ndebord
The following FireFox extensions are supposed to make that browser safe by forcing SSL and HTTPS.

Will they work with K-Meleon?

...


The bad news is that they only work with Firefox.

There are, to the best of my knowledge, no such add-ons for Internet Explorer, Chrome, Safari, or Opera. If anyone knows of some, I’d love to hear about them.

Nobody here cares if anything is not available for IE and Safari :P

Who told You they work only on FF? :o

To me the interface of e.g. Force TLS looks pretty much like the self contained XUL-Window type that we use in a number of other K-Meleon ports. :)

4 K-Meleon: You got to try. Unpack the xpi. Install the software prerequisites...



Edited 1 time(s). Last edit at 10/31/2010 01:59AM by guenter.

Re: FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: ndebord
Date: October 31, 2010 09:31PM

Quote
guenter
Quote
ndebord
The following FireFox extensions are supposed to make that browser safe by forcing SSL and HTTPS.

Will they work with K-Meleon?

...


The bad news is that they only work with Firefox.

There are, to the best of my knowledge, no such add-ons for Internet Explorer, Chrome, Safari, or Opera. If anyone knows of some, I’d love to hear about them.

Nobody here cares if anything is not available for IE and Safari :P

Who told You they work only on FF? :o

To me the interface of e.g. Force TLS looks pretty much like the self contained XUL-Window type that we use in a number of other K-Meleon ports. :)

4 K-Meleon: You got to try. Unpack the xpi. Install the software prerequisites...

Guenter,

You flatter me. Moi? Write a KM extension? Not bloody likely! <VBG>

N



Edited 1 time(s). Last edit at 10/31/2010 09:32PM by ndebord.

Re: FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: gordon451
Date: September 24, 2011 06:51PM

Quote
guenter
To me the interface of e.g. Force TLS looks pretty much like the self contained XUL-Window type that we use in a number of other K-Meleon ports. :)

Guenter, what do we need to do to the XUL to make this fit KM? And it looks like one or two other things may need hacking...

Gordon.

____________________
Gigabyte H61M-USB3-B3 r2.0, I5-2400 3.10GHz, 4GB RAM; W7HPx64 SP1, Lotus SmartSuite 9.8, K-Meleon74, Opera 12.17, IE9, Eudora 6.2, Foxit Reader 5.3.1.0606, PaintShop Pro 6.02, Avast! 7.0.1506
____________________
Sugar, greasy foods and Microsoft are dangerous to your health -- eat, drink and be merry!
____________________
Early to bed and early to rise makes a bloke crook, broke and stupid.

Re: FireSheep Firefox Extension: Sidejacking (cookie stealing) Made Easy
Posted by: guenter
Date: September 26, 2011 03:26AM

http://kmeleon.sourceforge.net/forum/read.php?1,119221,119291#msg-119291

The extension is probably not working for K-Meleon.

Else You'd unpack the xpi.

Repack the chrome files of content, locale and skin into forcetls.jar (a zipped folder). Fix the paths of the chrome.manifest so that they work and point to a jar in ./chrome. Create a kmm that calls the forcedsites.xul in this jar.
Distribute all files where they belong in chrome, components, macros & modules.

NoScript seems to use the extensions technology. Maybe look there for a replacement.



Edited 1 time(s). Last edit at 09/26/2011 03:27AM by guenter.
