Saturday, October 29, 2011

A Guide to Sniffing Out Passwords and Cookies (and How to Protect Yourself Against It)

Roughly one year ago, a tool called Firesheep introduced a lot of us to just how easily another person on the same network as you can snoop on your browsing session and even masquerade as you on sites that require a login, like, perhaps most notably, Facebook. Here's a closer look at how network snooping works and how to protect yourself from it.

It's a long post, so I've separated it into two sections. Jump to the one you're most interested in:

How to Get Started As a Network Snoop

Long before Firesheep came along and scared us all by making it trivial to hijack another user's Facebook session, another, more robust cross-platform tool called Wireshark was already allowing anyone with a little bit of know-how to sniff out usernames, passwords, and authentication cookies from any computer connected to the same network as you.

A Brief Overview of How Your Computer Talks to the Other Computers (and the Internet)

In order to understand what Wireshark does, you first need to understand a little bit about how computers talk to one another over networks and how they use this information to, say, log you into a web site. (I'm not a networking expert by any stretch, so don't worry—I have no choice but to keep this beginner friendly.)

When your computer talks to another over a network, they each send packets of data back and forth between one another. These packets do things like negotiate the connection, pass around cookies or passwords to authenticate, and ultimately do the things you want them to do—transfer files, the HTML that makes up a web page, and so on.

What Wireshark Does

What Wireshark does is sniff out the packets being passed around your network—whether they're heading to or from your computer or to or from other computers on the same network as you—and let you poke around at the data passed back and forth in these packets.

When you log into a web site, for example, your browser sends what's called a POST request to a server somewhere on the internet. Wireshark can capture that POST request, and if you know where to look, you can find your username and password in plain text—assuming you're logging into a site that isn't using a secured HTTPS connection, which encrypts that information so that a sniffer can't make sense of it. (See our previous guide to why you should care about HTTPS on Facebook and other sites for more details.)

To combat this, a lot of sites, like Facebook and Gmail, have turned on HTTPS by default for all communication between your browser and their servers. But there are still a whole lot of web sites out there that don't encrypt logins, and many that use HTTPS for logins but not for cookies.

Cookies are relatively small strings of text set on your browser by web sites. Cookies can be used to track your behavior, they can be used to keep your settings persistent on a web site, and, most importantly for this post, they can identify to servers that you've already logged in—meaning that if you hijack the right cookie, you can masquerade as someone else without ever needing their username or password. (This is what Firesheep did.)

Similar to how it can capture usernames and passwords sent over HTTP connections, Wireshark can also capture cookies for you (or some other nefarious sniffer) to gobble up toward whatever end you prefer, including to gain access to your online accounts. Also similar to the username/password situation, if a site uses HTTPS for all its connections, you won't be able to successfully sniff out and use its cookie.

So now that you know the basics, let's jump right into it:

How to Sniff Usernames and Passwords with Wireshark

In the video at the top of the post, you can see me demonstrate how to sniff out a username and password when I attempt to log into Lifehacker (which, unfortunately, doesn't use HTTPS). Here, I've rounded up a few other more detailed videos that demonstrate how to use Wireshark to sniff out usernames and passwords (you'll probably want to go fullscreen on the video).

Note: If you're capturing over Wi-Fi, you'll need to run Wireshark in promiscuous mode so that it'll sniff out all the various packets on your network (including those coming from other people's computers). This process varies depending on your device, so you may have to do a little hunting.

How to Sniff Cookies with Wireshark

This video demonstrates how to sniff out cookies, and while the site it demonstrates the process for (Facebook) now uses HTTPS by default, the same basic method would work for sites that aren't using HTTPS.

How to Protect Yourself from Network Sniffing

The kind of network sniffing demonstrated here is something anyone can do without much experience. As Mike from the password video points out: "Technology is like a gun. You can use it for good, to hunt for your family, or you can use it for bad, to rob a store." This dissection of Wireshark is aimed at education, but the fact is, anyone interested in using Wireshark for skeezy purposes need only spend a few minutes on YouTube to dig up the same information.

So now that you have a better idea of how easy it can be for anyone on the same network as you to poke around and potentially sniff out your passwords, cookies, and so on, what can you do about it? Here's a quick rundown of some of your best bets, from least practical or effective to most effective.

  • Avoid working on the same network as people you don't trust: The kind of network sniffing we've demonstrated here can only be done by people on the same network as you. Keep in mind that it doesn't even have to be an open Wi-Fi network—coworkers on your password-protected work network can sniff your packets just as easily as someone at your local coffee shop.

    The catch: You probably don't want to be limited to only using the internet when you're at home or on a network where you trust everyone.

  • Always use HTTPS: A lot of sites—like Facebook and Gmail—have made HTTPS the default connection, and as we explained earlier, packet sniffing won't reveal your password or cookies on a properly encrypted HTTPS connection. Other sites support HTTPS but don't make it the default, which means you often have to manually type in https:// before the rest of your URL. Some of those sites, like Twitter, allow you to set your account to always use HTTPS (for Twitter, go to your Account settings and tick the Always use HTTPS checkbox at the bottom of the page).

    Some sites don't offer an Always use HTTPS setting, which is where HTTPS-forcing browser extensions come in. The most popular is probably the HTTPS Everywhere extension for Firefox (written by the Electronic Frontier Foundation). This extension automatically directs your browser to the HTTPS version of over 1,000 sites. The catch with HTTPS Everywhere is that it only redirects sites in its list, so if you'd like to be able to redirect any site to HTTPS, you may want to check out Force-TLS for Firefox or HTTPS Everywhere for Chrome. Both of these extensions allow you to add new sites to the automatic HTTPS redirect.

    The catch: First, lots of sites still don't support HTTPS at all, and others only support it for logins (meaning your password is safe, but your session cookie isn't). On a separate technical note, Eric Butler (the developer of Firesheep) noted last year that some sites don't correctly support HTTPS anyway, and on those sites, in order to get the full benefits of HTTPS, you'd need to manually type out the https:// part every time you visit:

    Some sites support full encryption everywhere, but don't implement it properly by failing to set the "Secure" flag on authentication cookies, negating most of the benefits and leaving users at risk. What that means is that any time you type the URL (e.g. "manage.slicehost.com") into your web browser (without explicitly typing https:// beforehand, which people rarely do) you will inadvertently leak your cookies with that first request, prior to being redirected to the HTTPS page. Slicehost and Dropbox are good examples of this mistake.

  • Use a VPN or SSH Proxy (BEST OPTION): A VPN or SSH tunnel acts as the middleman between your computer and the dubiously secure servers on the internet, so that everything sent between your computer and your VPN or SSH server is encrypted—in effect encrypting all the traffic that someone on your current network might want to try sniffing. I'm not going to show you how to set up a VPN or SSH server here, but I will point you in the direction of some good do-it-yourself options:
    If you're on a Mac, I'd highly recommend installing the previously mentioned Sidestep. The app automatically reroutes your traffic through a secure proxy whenever you connect to an open Wi-Fi network, and you can also turn it on any time you want from its drop-down in the Mac menu bar.

    The catch: The biggest hole in this option is that at some point along the line, your VPN or SSH proxy needs to submit the unencrypted version of a request to the web server, so if there were someone sniffing packets on the same network as your VPN or SSH server, they could sniff out the unencrypted data going between the middleman and the web server.
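To make the "Secure" flag problem from the quote above concrete, here is an added example (not part of the original post) that audits Set-Cookie headers the way a site operator would: it flags session cookies a browser would send in the clear on an http:// request before any redirect to HTTPS, and renders the corrected header. The header values are constructed samples, and the list of session-cookie names is an assumption.

```python
# Added example, not from the original post: audit Set-Cookie headers for the
# mistake quoted above (an authentication cookie without the "Secure" attribute),
# which a browser sends in the clear on an http:// request before the HTTPS
# redirect. All header values here are constructed samples.
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly", "path": "Path",
             "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "samesite": "SameSite"}  # canonical spellings used when re-rendering

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ";"
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flag attributes have no value
    return name.strip(), value.strip(), attrs

def leaks_over_http(header):
    """True if a browser would attach this cookie to a plain http:// request."""
    return "secure" not in parse_set_cookie(header)[2]

def audit(headers, session_names=("session", "sid", "auth")):
    """Names of session cookies a sniffer could capture (session_names is an assumed list)."""
    return [parse_set_cookie(h)[0] for h in headers
            if parse_set_cookie(h)[0].lower() in session_names and leaks_over_http(h)]

def harden(header):
    """Re-render a Set-Cookie header with Secure and HttpOnly added if missing."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", True)  # page scripts cannot read the cookie
    attrs.setdefault("secure", True)    # never sent over plain HTTP
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)

# Constructed sample: the weak header the quote describes, then the corrected one.
WEAK = "session=3f9a1c7e; Path=/; HttpOnly"
FIXED = harden(WEAK)  # -> "session=3f9a1c7e; Path=/; HttpOnly; Secure"
```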

You've still got other security concerns to consider if you want to stay safe on public Wi-Fi networks, but the above options can make all the difference for securing your browsing. The best-case scenario is actually out of your control: Web sites and services all implement HTTPS by default for any and all potentially sensitive data.
