Do you trust your wifi connection?

We’ve all been known to sometimes use public wifi networks to quickly check on something online or kill some time and we all know they’re not exactly secure. But just how insecure are they? Here’s a perfect example simple enough for anyone able to use a Firefox extension to use it. Since it is, in fact, a Firefox extension.

Meet Firesheep. Rather than trying to explain it myself, I’ll use the author’s words..

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

What exactly does this mean? It means that if you use a public or not trustworthy wifi network, anyone using this or similar tools can hijack your authentication method and impersonate you on the website you just logged in to. How’s that for borking things up?

If you’re willing to avoid this kind of methods from harming you I highly recommend you simply don’t use public or otherwise not trusted wifi internet links. If you absolutely have to use them, take some time preparing to use them beforehand. Other than using SSL whenever possible (i.e. for example use https://gmail.com instead of http://gmail.com) I suggest you get a hold of some other also free tools such as TOR or Hotspot Shield or any other tool that creates a VPN or encrypts the data between you and the rest of the internet. An option for the most paranoid of you might even be having your home computer running some sort of SSH and tunnel your public wifi http session through it. Sure it may be slower than not using anything at all, but are you willing to risk it?

What knocked off my feet when I read this is imagining what kind of chaos this tool coupled with others such as Penetrate could potentially generate. It’s sort of a security time bomb waiting to happen.