Be very careful in the coffee shop–someone is compromising your privacy.

I am not usually one to forward on emails describing the latest virus and what you need to do about it, but when I saw this snippet on our local ABC affiliate I was alarmed.  It describes a Firefox extension that allows anyone to capture and reuse cookies for unencrypted sessions such as facebook and twitter.  A short video of firesheep shows off its power and everyone’s exposure.

Now it should be noted that ‘cookie capture’ is nothing new but firesheep changes the game by making it available to virtually anyone. To see its potential for harm the video at the KOMO TV  link shows what happens when firesheep is used in a typical Seattle coffee house.

The motive behind this extension is to point out how vulnerable we are to having our privacy violated and not even know about it. The authors point out correctly that the major websites have known about this security hole for years, to really fix it websites HTTPS_Everywhere_new_logoneed to move to always on encryption and not just for the initial logon. One of the actions, you can take is to install an extension for Firefox distributed by the EFF called HTTPS Everywhere that forces all of your sessions to be encrypted. It works with the major web sites.

There are a number of other precautions that can also be taken to reduce your exposure to session hijacking a.k.a. side jacking. from the KOMO TV article.

    • Always log off sites not just close your browser. Cookies can have a life of their own unless you take steps to prevent it. (some sites are better than others in this regard)
    • Using a virtual private network will also prevent Firesheep from capturing your network traffic.
    • Look for an “https” in the address bar of the website you’re visiting. It should be there when you log into the website, but if it’s not there after you’ve logged in, anything you send could be easily hijacked by someone using Firesheep.
    • Sites that keep an “https” in the address bar during the entire session are using encryption and cannot be accessed with Firesheep. Banks and other financial institutions commonly use “https” for the user’s entire online session.
    • If you are on an open and unsecured Wi-Fi or wired network, do not go to sites that require a login to access your information. Looking at sites that require no action on your part should not compromise your privacy.
    • Beware that any communication you send over an unsecured Wi-Fi network has the potential of being viewed by anyone else on that network.

    So is there a silver lining to Firesheep?, I think so the publicity may force sites to follow GMAIL’S lead an institute encryption throughout the session and if you want to track your kids activities on facebook and twitter etc.  while they are on your home network, you now can.

    Some questions that have occurred to me that I have no idea about.

    1. What about Wi-Fi on airplanes?
    2. Firesheep has been downloaded over 750,000 times, how many of those are just curious and how many are nefarious?
    3. What do I do about Chrome and Internet Explorer?

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>