A new proof-of-concept Firefox extension called Firesheep has many casual web users on edge. In a nutshell, Firesheep is a packet sniffer that listens on open or public WiFi networks and intercepts the unencrypted cookies being sent to and from popular social networking sites such as Facebook or Twitter. Firesheep then lets its user “hijack” that session and act as the logged-in account holder without ever entering the account’s login credentials.
Firesheep isn’t meant for nefarious hackers. Rather, it’s a proof of concept extension that’s supposed to educate the public and software developers about gaping security loopholes. So, now that we are aware of this issue, what should we do?
The first step is to nag the makers of your favorite social networks. Tell them to close these loopholes by encrypting session cookies and following other best practices for logged-in sessions. At the very minimum, restricting site usage to HTTPS should stanch much of the vulnerability. That’s the very least that a social network as sprawling and pervasive as Facebook should do in order to be a good steward of its users’ privacy.
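What “encrypting session cookies and restricting site usage to HTTPS” looks like on the server side, as an added illustration that is not code from the original post or from any social network: the session cookie is issued with the Secure flag (so the browser only ever sends it over TLS, and a WiFi sniffer never sees it in the clear), plain-HTTP requests are redirected to HTTPS, and an HSTS header tells returning browsers to skip HTTP entirely. The cookie name `sid`, the host `example.com` and the weak header string are constructed for the example; the audit function is the check a site owner can run against their own Set-Cookie headers.

```python
from http.cookies import SimpleCookie

# Constructed example values; "sid" is an assumed session-cookie name.
SESSION_COOKIE = "sid"
HSTS_MAX_AGE = 31536000  # one year, in seconds


def build_session_cookie(name, value, max_age=3600):
    """Return a hardened Set-Cookie header value for a session cookie.

    Secure   - the browser only sends it over HTTPS, so a sniffer on the WiFi never sees it
    HttpOnly - page scripts cannot read it
    SameSite - it is not attached to most cross-site requests
    """
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header, session_names=(SESSION_COOKIE,)):
    """Check one Set-Cookie header value and return a list of findings.

    An empty list means the session cookie is protected in transit. Cookies that
    are not session cookies are ignored.
    """
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        if name not in session_names:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag, sent in clear over HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag, readable by page scripts")
        if not morsel["samesite"]:
            findings.append(f"{name}: no SameSite attribute")
    return findings


def respond(scheme, host, path, session_value):
    """Minimal decision logic for an HTTPS-only site.

    Plain-HTTP requests are redirected to HTTPS without issuing any session cookie;
    HTTPS responses carry HSTS and the hardened session cookie.
    Returns (status_code, headers).
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Set-Cookie": build_session_cookie(SESSION_COOKIE, session_value),
    }


if __name__ == "__main__":
    # Constructed header in the style of a site that sends its session cookie unprotected.
    weak = "sid=abc123; Path=/"
    for finding in audit_set_cookie(weak):
        print("weak:", finding)
    print("hardened:", audit_set_cookie(build_session_cookie("sid", "abc123")))
    print(respond("http", "example.com", "/home", "abc123"))
```

The Secure flag is the single attribute that defeats a Firesheep-style sniffer: without it the browser will happily replay the cookie over any plain-HTTP request the site (or an injected image link) triggers, even if the login itself happened over HTTPS.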
But until they fix these security loopholes, you’ll have to take your Internet security into your own hands. Here are a few best practices that you can use to protect yourself from attacks similar to Firesheep:
Don’t use public WiFi networks
Maybe that seems a bit extreme, especially on those long, boring layovers in the airport. But that’s where you’re most vulnerable. If you simply must hop on to an unsecured public WiFi network, refrain from logging in to sites that are known to be insecure, such as Facebook and Twitter.
Look for HTTPS
Sessions with sites that use HTTPS are much harder to hijack, because the cookies travel encrypted and a sniffer on the network cannot read them. Check the URL in the address bar and restrict your activity to sites that use HTTPS whenever you are on a public network. You can also use extensions such as HTTPS Everywhere to ensure that you “Always Use HTTPS.”
When someone hijacks your session, they don’t get your login ID and password. They just get to take control of the logged-in session that you initiated. Solution? Log out when you are done. This is especially critical if you’ve been using an unsecured public WiFi network.
If you are a businessperson or a frequent traveler, it may be worth your money to invest in a mobile wireless plan. These use the same 4G and 3G data networks as your smartphone. Aside from giving you Internet access in more places, you also get more control over who shares an IP with you. Dedicated 4G/3G hotspot devices are available as well, and since you own the device, you can set a password and restrict who connects to it, essentially putting an end to any Firesheep-like attacks.
Never Join “Shared” Networks
Don’t join ad hoc (computer-to-computer) WiFi networks. These usually have a different icon next to the network ID, or they’ll be listed in a separate section called “shared networks.” Such networks route your traffic through another computer before it reaches the Internet. More often than not, these are traps, even when they have an innocuous-sounding name like “Public WiFi.”