Dan Podsedly

Tracker and Session Hijacking


Last week a certain new Firefox extension made headlines by making it trivial to hijack sessions over wireless networks, and easily access unsuspecting users’ accounts on a long list of major social networking and other websites. Pivotal Tracker had the dubious honor of being on that list.

The plugin author’s intent was to raise awareness of the insecure nature of wireless networks, and encourage websites to increase the use of secure (SSL) sessions, which encrypt transmission of data and prevent network sniffing and session hijacking.

Today, most sites use SSL for sign-in and for selected pages that handle sensitive information, but SSL is generally not enabled (or available) site wide. What this means is that after you sign in to Facebook, as soon as you visit any Facebook page that isn’t SSL enabled (for example, your private messages page), your session cookie is sent in clear text and becomes exposed, allowing a hacker (or just any bored person with Firefox at your local coffee shop) to gain full access to your Facebook account.

The recommended solution is for sites to enable SSL for all pages, from sign-in to sign-out.

As of this morning’s update, this is now the default in Tracker. After signing in, you should notice that every page is served via SSL (https:// prefix in the URL). If you never access Tracker on shared networks, however, and would prefer to turn this off, you can do that on the My Profile page by unchecking the ‘Always Use HTTPS’ option.

In addition, you can enable the ‘Always Use HTTPS’ option for specific projects, which will force SSL for every member of the project who visits the project, even if they’ve disabled the HTTPS option on their profile.

We have also added a secondary secure session cookie to prevent your session from being hijacked if you accidentally end up on a non-HTTPS page while signed in (via a bookmark, for example). This approach is similar to what GitHub describes in their blog post about the problem and their solution.
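To make the two measures above concrete, here is an added example (not Tracker’s code, and not the implementation GitHub describes) that models both the ‘Always Use HTTPS’ redirect and the secondary secure session cookie. It assumes a hypothetical in-memory session store, a placeholder host name, and a tiny model of how a browser attaches cookies: a cookie carrying the Secure attribute is only ever sent over https://, so a cookie captured from a plain-HTTP request is not enough on its own to unlock the account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    secure_token_hash: str  # only a hash of the secure token is stored server side


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute: the browser sends it over HTTPS only


# Constructed in-memory session store (assumption for this example); a real
# deployment would keep sessions in a database or a signed cookie.
SESSIONS: dict[str, Session] = {}


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def sign_in(user: str) -> list[Cookie]:
    """Issue the primary session cookie plus a secondary Secure-flagged cookie."""
    session_id = secrets.token_urlsafe(32)
    secure_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user, sha256_hex(secure_token))
    return [
        Cookie("_session_id", session_id, secure=False),
        Cookie("_secure_session_id", secure_token, secure=True),
    ]


def cookies_sent_by_browser(jar: list[Cookie], scheme: str) -> dict[str, str]:
    """Model the browser: Secure cookies are attached to https:// requests only."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def handle_request(scheme: str, path: str, cookies: dict[str, str],
                   always_use_https: bool = True) -> tuple[int, str]:
    """Return (status, body) for one request.

    - With 'Always Use HTTPS' on, a plain-HTTP request is redirected before
      anything is served.
    - Over HTTPS the account is unlocked only when BOTH cookies are present and
      the secure token matches the one recorded at sign-in.
    """
    if always_use_https and scheme != "https":
        return 301, f"https://tracker.example{path}"  # placeholder host name
    session = SESSIONS.get(cookies.get("_session_id", ""))
    if session is None:
        return 401, "sign in required"
    if scheme != "https":
        # HTTPS is optional for this user: the plain cookie identifies the
        # session, but nothing sensitive is served without the secure cookie.
        return 200, "public view"
    presented = cookies.get("_secure_session_id")
    if presented is None or not hmac.compare_digest(
            sha256_hex(presented), session.secure_token_hash):
        return 401, "sign in required"
    return 200, f"account of {session.user}"


def legitimate_user_over_https() -> tuple[int, str]:
    jar = sign_in("alice")
    return handle_request("https", "/projects/1", cookies_sent_by_browser(jar, "https"))


def replay_of_sniffed_cookie() -> tuple[int, str]:
    """Replay only what a plain-HTTP request exposed on the wire: the non-Secure cookie."""
    jar = sign_in("alice")
    exposed = cookies_sent_by_browser(jar, "http")
    assert "_secure_session_id" not in exposed  # the Secure cookie never left over HTTP
    return handle_request("https", "/projects/1", exposed)


def bookmark_to_plain_http() -> tuple[int, str]:
    """A signed-in user follows an http:// bookmark with 'Always Use HTTPS' on."""
    jar = sign_in("alice")
    return handle_request("http", "/projects/1", cookies_sent_by_browser(jar, "http"))
```

The point of the second cookie is in `replay_of_sniffed_cookie`: the bookmark case still leaks `_session_id` once before the redirect, but the server refuses to serve the account over HTTPS unless the Secure-only cookie, which a plain-HTTP sniffer never sees, is presented as well.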

Note: As part of this change, we’ve had to remove the ‘remember me’ functionality, so you will have to sign in again after you close your browser. We’ll add a more secure version of this feature back to Tracker in the next update, later this week.