14

Given a website with various security flaws, one of them is session hijacking, session token continuously being sent as an argument over unsecured HTTP. In my field it's not surprising that others sniff networks I use, so I contacted the owner of this site and notified them of the vulnerabilities and suggested that they should use TLS encryption. Some arrogant guy replied that they know it better and it's not my business anyways.

Since it's not always possible for me to use VPN when I access this site, my question as a regular user is, are there other reliable ways to defend against people stealing my session?

Anders
Rápli András

6 Answers

22

Here are some suggestions. None of this will give you the same level of security as TLS would, though.

  • Don't use the site unless you really have to. But since you ask, I assume you do.
  • If you visit it, use a VPN (or Tor) as often as possible. An attacker would have to get in the middle of your VPN exit and the server in question, which is harder than getting in the middle of you and the server (but not impossible, especially not for a government - or the provider of the VPN/Tor exit node...).
  • If you don't use a VPN, at least don't use it over Wi-Fi. That is so much easier to sniff than a cable network.
  • Stay logged in for as short periods of time as possible, and always log out when you are done. Don't check the "remember me" box.
  • Unless the login page is over HTTPS, you should be more worried about your password than your session ID... If the login page is over HTTPS, always check that you have a secure connection so you don't become a victim of SSL-strip.

Depending on how likely you think it is that you will be the target of an attack this may or may not be enough. I am afraid there is not much else you can do.

Anders
  • 5
    As you can see, I did come back on my answer. Besides the fact that Tor will protect user data from computer to entry node, the exit node, which can be run by an evil person, will see the unencrypted traffic. – Xavier59 Jan 03 '17 at 00:31
  • You can also use "HTTPS Everywhere" browser plugins to help increase your browser's resistance to SSL stripping attacks, particularly if you add additional rules for sites not in the standard lists. I'm not sure that I'd personally recommend a VPN or Tor as a panacea. They're good tools if you're worried about your local network being untrusted (e.g. cafe WiFi), but not if you're worried about state-level attacks, as you mentioned, and you can also introduce additional points of failure (evil exit nodes). – Polynomial Jan 03 '17 at 00:37
  • 5
    For general security, I would not recommend using Tor to protect yourself in this circumstance. Using Tor with a non-encrypted website gives the exit node full, easy access to everything you do on that website. This is as bad or worse than wifi-sniffing. If you are trying to protect yourself from a specific person you know has access to your network, then Tor may help. But for general security, I think Tor is a step backwards in this case. – phylae Jan 03 '17 at 03:04
  • I'm mixed on this answer. On the one hand I strongly agree with "Don't use the site unless you have to" (and really, if you're a customer of theirs, the most effective way to get them to stop this nonsense is to collectively stop paying them until they get their act together), but I also agree with the points raised by @phylae about Tor potentially being a step backwards. – neocpp Jan 03 '17 at 03:45
  • 1
    I would agree that Tor probably isn't a good idea in this case. Tor is much more focused on providing anonymity than security. Though a VPN provider can sniff and modify unencrypted traffic the same way a Tor exit node can, I'm much more inclined to trust a major VPN provider backed by a strong privacy statement and its reputation, than a random and anonymous Tor exit node operator. – tlng05 Jan 03 '17 at 07:02
  • 4
    @phylae however, the tor exit node doesn't know who you are, unlike your ISP. Sometimes this is an important difference. – Display Name Jan 03 '17 at 07:44
  • 2
    Another suggestion: Don't have any other websites open in the same browser while using the vulnerable website. This should reduce the chance of XSS attacks. – bdsl Jan 03 '17 at 08:38
  • @SargeBorsch The tor exit node has less information about who you are than someone on the same local network. But depending on your browsing habits, it is possible for the tor exit node to identify you. https://www.torproject.org/docs/faq.html.en#AmITotallyAnonymous – phylae Jan 05 '17 at 15:17
4

A VPN only protects your session to the point where it exits the VPN - SSL is exactly the same but the tunnel extends to the site you are connecting to. So when you access an http site using a VPN, you are only protected against an attack on your local network and a few hops along.

If your description is accurate, and there is any sensitive data being passed in either direction, then these people are idiots who are ignoring their duty of care to their customers. But there are sites which do not exchange any sensitive data with your browser.

TLS is just part of the security controls a website should implement. I don't know why you feel the need to protect their identity.

symcbean
0

Admins of sites with high traffic and low added value generally hate HTTPS, because it uses much more resources and resources cost money. So there is always a balance between the sensitivity of exchanged data and the cost for their protection. A password should only be passed over HTTPS, for what remains, the data admin is responsible for his decision.

The best way to mitigate the risk of session hijacking is to explicitly log out when you are no longer actively connected to the site, in order to have the server reject the session token starting at that moment. In addition, the site admin will be glad because you will not let unused sessions consume resources...

Serge Ballesta
0

If possible, tunnel your traffic through a trusted machine. I have an SSH server at home that I can tunnel through if I'm on an untrusted network. While someone could theoretically MitM your SSH server over the internet, that's far more difficult and far less likely than a local machine on a public network or a network that, as you put it, is "not surprising" to be sniffed.

You could also, as others have said, use a third-party VPN/tunnel/proxy service. These vary in quality and cost, and while I personally trust my own machine more than a third-party service, this may be more practical for you.

Micheal Johnson
-1

You say little about the site in question and what services it offers, but further steps that might be worth taking are:

  • (an obvious one this) using a strong, random, fully unique password even if you don't follow this best practice normally. They've demonstrated that they can't be trusted on security so they're prime candidates for password leaks.

  • Not using an app they provide: Could you trust it to log out? What if you're logged on to your own wifi and then go somewhere with public wifi?

  • If you have to log in using a wireless device at all, be sure to close the session when leaving a network you trust (even if you used a wired connection). I suggest not just logging out but also using your browser's tools/addons to clear everything related to the site in question on exit, and closing the browser. This will deal with accidental attempts to reload the page.
  • registering with a userID that you don't use elsewhere
  • using a pseudonym (or if you can't get away with that a misspelt/uncommon version/abbreviation of your name)
  • using an email address you don't use for anything else (and if you run a personal domain, ideally one that's not on your domain).

These three are about two things, both deriving from not allowing your personal data to be leaked to someone hijacking a session and reading your account details: not allowing the attacker to impersonate you (beyond the bounds of the site/associated community); and not allowing them to impersonate anyone other than the site in question (in anything addressed to you) without raising your suspicions.

Chris H
-3

If you connect through a wireless network, I don't think so. Everything can be sniffed if the traffic is in plaintext. If the site is unsecure, I think there is always some attack to perform. Sorry, nothing to do.

Anders
OscarAkaElvis