Do I need to use Google Account Authentication instead of Spring authentication to avoid a Firesheep cookie-sniffing attack?

Question

I was reading about Firesheep and wondering how I can protect my Spring MVC 3.0 site against attacks like this:

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

Are there particular configuration settings in Spring MVC that could help protect against this kind of attack?

According to the article:

The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.

I have a Spring site that I'm running on Google App Engine. Does this mean I need to use Google Account Authentication rather than the built-in authentication provided by Spring if I want to avoid this kind of attack?

Answer 1

You need to setup HTTPS handshake with the webserver, not exactly sure how it is done on Google App Engine, but it's apparently possible. Here is some more information.

Answer 2

The whole point of firesheep is that the authentication mechanism isn't the only problem. Most systems protect the authentication step with HTTPS, but not subsequent interactions with the user. Regardless of which authentication mechanism you use, you should make sure all interactions involving logged-in users take place over HTTPS. This is possible in App Engine, but only if you serve off your app's appspot domain (myapp.appspot.com).