Beware of Public Wi-Fi

November 4, 2010 08:39

Have you heard about Firesheep? It’s an extension for Firefox that allows anyone on the same network as you to tap into your session on non-secure (non-HTTPS) websites, instantly logging in as YOU. There are defenses, but few people know about them (yet). Firesheep isn’t the only danger, but it clearly demonstrates the vulnerability. Codebutler has released Firesheep into the wild with the aim of forcing sites such as Facebook, Twitter, and Google to sit up and take notice, inviting them to move to more secure sites ASAP. As a user, you should demand this security.

First, go read about Firesheep. This is not necessary. But, frankly, I wasn’t convinced of the risk until I installed it.

When you add the Firesheep extension to your computer, Microsoft Security Essentials will warn you that it is a threat; you’ll have to choose to allow it to install anyway. You might need to jump through some additional hoops, as well. For one thing, the system refused to recognize the XPI package that contains the extension. I had to explicitly tell Windows 7 to use Firefox to open it.

Once it’s installed and you’ve restarted Firefox, choose View – Sidebar – Firesheep, as shown here.

This then opens a new sidebar at the left. At the top, click Start Capturing.

It then starts monitoring the network stream for packets sent to non-secure sites… such as those sent to Facebook and Twitter. As entries appear, you then can log in as whoever/whatever you see on the list—gaining instant access to someone else’s session—Facebook, Twitter, etc.—anything that uses HTTP instead of HTTPS.

What Defense Do You Have?

One defense—and one that Verizon and other carriers would love you to acquire—is to use wireless broadband and never to use open access WiFi. Verizon will charge you $40 to $60 per month for the privilege. This approach has a number of advantages, not the least of which is the ability to be online pretty much everywhere you have cell service. The disadvantage—it ain’t cheap—is clear.

Another defense, although partial, is to use something like the Electronic Frontier Foundation’s HTTPS Everywhere extension for Firefox. It forces Firefox to use HTTPS (instead of HTTP) everywhere possible, which fortunately includes a number of major websites. According to EFF, the plugin currently works on these popular sites, as well as many others that aren’t listed:

  • Google Search
  • Wikipedia
  • Twitter
  • Facebook
  • most of Amazon
  • GMX
  • WordPress.com blogs
  • The New York Times
  • The Washington Post
  • Paypal
  • EFF
  • Tor
  • Ixquick
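
To make the "partial" nature of this defense concrete, here is an added example (not code from this post or from the EFF project) that mimics how HTTPS Everywhere rewrites URLs: a small ruleset in the style of its XML rule files maps a site's HTTP addresses to HTTPS, and any address the rules don't cover is left on plain HTTP, which is exactly the case the address-bar check later in this post catches. The ruleset below is constructed for illustration and is an assumption about the rule format, not the EFF's real rules.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample ruleset written in the style of HTTPS Everywhere's XML
# rule files (target hosts plus regex rewrites). The rules are illustrative
# assumptions, not the EFF's actual ruleset content.
SAMPLE_RULESET = r"""
<rulesets>
  <ruleset name="Twitter">
    <target host="twitter.com" />
    <target host="*.twitter.com" />
    <rule from="^http://(www\.)?twitter\.com/" to="https://twitter.com/" />
  </ruleset>
  <ruleset name="Facebook">
    <target host="facebook.com" />
    <target host="www.facebook.com" />
    <rule from="^http://(www\.)?facebook\.com/" to="https://www.facebook.com/" />
  </ruleset>
</rulesets>
"""

def load_rulesets(xml_text):
    """Parse rulesets into (name, host patterns, [(compiled regex, replacement)])."""
    rulesets = []
    for rs in ET.fromstring(xml_text.strip()).findall("ruleset"):
        targets = [t.get("host") for t in rs.findall("target")]
        rules = [(re.compile(r.get("from")), r.get("to")) for r in rs.findall("rule")]
        rulesets.append((rs.get("name"), targets, rules))
    return rulesets

def rewrite(url, rulesets):
    """Return the HTTPS form of url if a ruleset covers its host, else url unchanged."""
    host = urlparse(url).hostname or ""
    for _name, targets, rules in rulesets:
        # A target like "*.twitter.com" is a shell-style wildcard on the host.
        if not any(fnmatch(host, pattern) for pattern in targets):
            continue
        for pattern, replacement in rules:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1)
    return url  # host not covered, or covered but no rule matched: stays HTTP

def classify(url, rulesets):
    """'secure' if the URL the browser would actually load is HTTPS, else 'at risk'."""
    return "secure" if urlparse(rewrite(url, rulesets)).scheme == "https" else "at risk"
```

A host the ruleset names but no rule rewrites (such as a subdomain with its own URL scheme) falls through unchanged, which is why the extension is only a partial defense.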

For my own purposes, HTTPS Everywhere seems like a workable defense. I hardly ever use coffee shop Wi-Fi, but it’s not unusual for some of the hotels where we stay to use unprotected Wi-Fi. I’ll have to do some testing and experimenting before I will feel completely secure.

How Can You Tell If Your Surfing Is Vulnerable?

If you’re using a secure/encrypted network—protected by WPA, WPA2, etc., for which you need a password and user ID to gain access to the Internet—then you’re probably safe. If you’re using public WiFi, check the URL you’re using in the address bar. If it says HTTP instead of HTTPS, you’re probably at risk.

Or, install Firesheep and see if your sessions are viewable in the Firesheep sidebar. With EFF’s HTTPS Everywhere disabled, here’s what I see:

This means that someone else using Firesheep would see the same thing on an unsecured public WiFi network! By clicking on the Facebook entry, they log in as ME! And they have instant access to my account. Ditto for Amazon and Twitter!

When I enable HTTPS Everywhere, the sidebar stops seeing anything—even if I open Chrome or Internet Explorer. As long as Firefox is running with HTTPS Everywhere enabled, it appears to inoculate other browsers’ sessions as well.

Fortunately, when I actually try to shop on Amazon, the session switches to HTTPS. I should note that a number of sites, such as those used by banks, already use HTTPS. The aim of Firesheep is to make all sites that use personal information switch to more secure protocols.
