Firesheep does this by 'scooping' cookies out of the air. Whenever you log into a website, your name and password are only sent once -- afterwards, a stored authorization token (a cookie) is used. This means that if someone has your cookie they can pretend to be you -- and on unsecured wireless networks, anyone can grab your cookie.
This is a huge issue, and you have every right to be concerned -- but there is a solution!
Hopefully you've all heard about SSL and HTTPS, the encryption techniques used to secure Internet communications. The 'secure padlock' icon in your browser is most commonly found when buying things online, but most major sites also use it to secure login and registration. If you see this padlock, you are safe. If you could browse the entire Internet with that secure padlock in place then I wouldn't be writing this post.
Unfortunately, many sites redirect you to an unsecured page after you log in. Yes, your password remains secret -- but what good is that if your exposed cookie can be stolen by anyone on the same unsecured Wi-Fi network?
Fortunately, there are a few solutions for Firefox, and at least one good solution for every other browser.
The key to staying safe is to force every connection to use HTTPS, or to route it through another connection that encrypts your communication. Almost every website has HTTPS capabilities, but because of the increased overhead that encrypted communication requires, it's often only used for logins and registration. Years ago this might not even have become an issue, but with everyone storing more and more personal information on services like Facebook and Google, and with Wi-Fi blanketing our streets and coffee shops, encryption really is required.
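To make the two sides of the fix concrete, here is an added example (not code from the original post, and not the code of any add-on it mentions). It models the client-side approach of forcing HTTPS with simple from/to rewrite rules, and the server-side fix that would make the whole problem go away: marking the session cookie Secure (and HttpOnly) and sending a Strict-Transport-Security header. The hostnames, rules and cookie values are constructed for the example; the rule format is a toy, not the add-ons' own.

```python
"""
Two defences against session-cookie replay over open Wi-Fi.

1. Client side: rewrite outgoing http:// URLs to https:// using from/to
   regex rules, the general idea behind HTTPS-forcing add-ons.
2. Server side: set the session cookie with the Secure attribute and send
   HSTS, so a redirect to an http:// page after login no longer puts the
   session token on the wire in the clear.

All hostnames, rules and tokens below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# --- 1. client-side: rewrite rules (toy format, constructed hosts) --------------
# Each rule: (regex matched against the start of the URL, replacement prefix).
REWRITE_RULES = [
    (re.compile(r"^http://(www\.)?social\.example/"), "https://www.social.example/"),
    (re.compile(r"^http://mail\.example/"), "https://mail.example/"),
]


def force_https(url: str) -> str:
    """Return the HTTPS version of `url` if a rule covers it, else the URL unchanged."""
    for pattern, replacement in REWRITE_RULES:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url  # no rule: the request would still go out as plain http


# --- 2. server-side: cookie attributes and HSTS ---------------------------------
def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build a Set-Cookie value. `secure=False` reproduces the weak setting."""
    attrs = [f"session={token}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")  # browser attaches this cookie to https:// only
    return "; ".join(attrs)


# Tells the browser to upgrade every future request to this host to HTTPS.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value and the flags that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:]}
    return {
        "name": name,
        "value": value,
        "secure": "secure" in flags,
        "httponly": "httponly" in flags,
    }


def browser_would_send(cookie: dict, url: str) -> bool:
    """Model of the one browser rule that matters for Firesheep: a Secure
    cookie is never attached to a request whose scheme is not https."""
    if cookie["secure"] and urlsplit(url).scheme != "https":
        return False
    return True


def exposed_over_plain_http(set_cookie_header: str, post_login_url: str) -> bool:
    """True when the post-login page is http:// AND the cookie lacks Secure,
    i.e. the session token would cross the Wi-Fi network unencrypted."""
    cookie = parse_set_cookie(set_cookie_header)
    return (
        urlsplit(post_login_url).scheme == "http"
        and browser_would_send(cookie, post_login_url)
    )


if __name__ == "__main__":
    weak = session_cookie_header("tok-constructed-1", secure=False)
    strong = session_cookie_header("tok-constructed-1")
    landing = "http://www.social.example/home"  # the post-login redirect
    print("weak cookie, plain http :", exposed_over_plain_http(weak, landing))
    print("Secure cookie, plain http:", exposed_over_plain_http(strong, landing))
    print("weak cookie, forced https:", exposed_over_plain_http(weak, force_https(landing)))
```

Either fix alone closes the hole for the modelled site: the rewrite rule keeps the browser from ever loading the http:// landing page, and the Secure attribute keeps the cookie off any http:// request even when the site does redirect there. The HSTS header is the server-side way of getting the rewrite behaviour without an add-on.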
If you use Firefox, these add-ons should do the trick:
- HTTPS Everywhere -- this gem from the Electronic Frontier Foundation is about as good as it gets. By default it forces most popular websites to use HTTPS, and you can add your own rules for other sites. This is one of the few add-ons that I use everywhere
- Torbutton -- this solution is slightly more involved (it's for power-users), but if you want to be really secure and anonymous, the Tor network is a fantastic solution
- Force-TLS -- this is like HTTPS Everywhere, but doesn't come with a built-in dictionary of secure sites. Adding them is very easy, though
Chrome users, due to a limitation of the browser, aren't quite so lucky. There is no way to force HTTPS with an extension. You may have read elsewhere that KB SSL will help you, but it won't. Instead you need to use a secure SOCKS proxy. This isn't particularly hard, but it does involve a bit of work.
- A guide for Windows users, using SpoonProxy
- A guide for Mac users, using Meerkat -- our sister site TUAW has a guide that might help, too
Ultimately, though, if you use unsecured Wi-Fi networks you will leave yourself exposed. The best solution might not be to install add-ons, but to ask your local coffee shop owner to secure his network with WPA2. The entire problem would go away if big-name websites used HTTPS across the board, too.