Comments(1)

|

E-mail

|

Print

One of the joys of living in the Internet age is the increasing ubiquity of Wi-Fi hotspots. More and more businesses – particularly those where consumers congregate – are offering Wi-Fi access. It’s often free, as well as being free of any password requirements or encryption.

While that’s convenient, it’s also dangerous. Security experts have long warned that connecting to a non-encrypted hotspot leaves you vulnerable to attack. It’s a warning that most Wi-Fi users gleefully ignore, as they sign in to check their Facebook walls, scan e-mail messages or browse their Twitter streams.

It’s even more dangerous if you’re not making secured connections to the websites themselves. Sites that use a secure, encrypted connection have https in their Web address – rather than just http – and show a lock icon in most browsers.

In the past, you could take some comfort in the fact that it requires some skill to launch one of these attacks. Most people are honest, and even more people are clueless as to the hackery needed to access someone else’s online accounts.

Firesheep changes all that. It’s a Firefox extension that makes it ridiculously easy to log into certain sites as another user. It’s as simple as this:

1. Launch the Firesheep extension in a Firefox sidebar.
2. Click the Start Capture button.
3. See who’s connected to which sites.
4. Double click on one of those connections.
5. You’re logged in as someone else on that site.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could send an e-mail; if it was Facebook they may be able to post a message; and so on. Any operations that require your password, however — such as accessing your credit card information on Amazon — should not be possible using Firesheep.

On Wednesday, I downloaded Firesheep and started testing it to see if it was as dangerous as some have said. During last night’s episode (MP3) of Technology Bytes, a Houston-based radio show I co-host, I was able to see some of my compadres’ connections using the extension. At one point, I logged into a co-host’s Facebook page as him.

It freaked me out so much, I immediately logged out.

I mentioned this on the air, and co-host Jay Lee grabbed the extension, installed it, and then used it to log into the Twitter account of J.R. Cohen, who was our guest in the studio. Jay wasn’t as timid as I – he tweeted through Cohen’s account that he’d hijacked it.

Although security experts note that Firesheep doesn’t give you access to a user’s password, it may give you access to settings that let you change it. If the site doesn’t require you enter an existing password to change it to a new one, an account owner could be locked out.

Why would someone create a tool like this? Seattle developer Eric Butler said he wrote Firesheep to point out that too many websites don’t provide an encrypted, https connection, leaving their users vulnerable.

And even when an encrypted version of a site is available, it’s often not the default. For example, most people get to Twitter by way of http://twitter.com. But Twitter also has https://twitter.com, which is secure. You should use the latter URL when connecting.

Facebook, on the other hand, has https://facebook.com, which takes you to your Wall when you log in. But as soon as you click on a link to go to another part of the site, you revert to http://facebook.com. A Facebook rep told TechCrunch the company is working on a fully encrypted version of the site, but it will take months to finish.

So what can you do to protect yourself? NetworkWorld suggests subscribing to a low-cost VPN service that provides a secure connection anywhere on the Net. However, that may be a layer of complexity that’s daunting to some users.

Another solution is to fight the Firesheep extension with another Firefox extension. HTTPS Everywhere lets you sign in to many mainstream sites using an https connection. While it doesn’t cover every site, and it’s only available for Firefox, it’s a start.

You could, of course, avoid public Wi-Fi altogether, which is inconvenient but secure. Or, you could opt for a cellular provider’s 3G or 4G data plan, which is expensive.

There’s no easy answer, at least not until all Web operators wise up and offer fully encrypted access to all their sites.