The recent publications in the Guardian about NSA access to Google, Facebook, Yahoo and all the rest have been met with a flurry of leftist abhorrence and mutterings from the twittering, as opposed to the twitter, classes. However, all reports refer to access to data, in such a way as to make people think that their personal emails and photos and so on are being read by the NSA, or their computers – this is not the case. Because the media is governed by soundbites, polemic and an absence of nuance, the headline is that the security services have access to data. The truth is, they don’t need or want access to the data. They need the models. And this allows the internet companies to deny they are granting access to the data.
Now it should be noted that ‘cookie capture’ is nothing new but firesheep changes the game by making it available to virtually anyone. To see its potential for harm the video at the KOMO TV link shows what happens when firesheep is used in a typical Seattle coffee house.
The motive behind this extension is to point out how vulnerable we are to having our privacy violated and not even know about it. The authors point out correctly that the major websites have known about this security hole for years, to really fix it websites need to move to always on encryption and not just for the initial logon. One of the actions, you can take is to install an extension for Firefox distributed by the EFF called HTTPS Everywhere that forces all of your sessions to be encrypted. It works with the major web sites.
There are a number of other precautions that can also be taken to reduce your exposure to session hijacking a.k.a. side jacking. from the KOMO TV article.
- Always log off sites not just close your browser. Cookies can have a life of their own unless you take steps to prevent it. (some sites are better than others in this regard)
- Using a virtual private network will also prevent Firesheep from capturing your network traffic.
- Look for an “https” in the address bar of the website you’re visiting. It should be there when you log into the website, but if it’s not there after you’ve logged in, anything you send could be easily hijacked by someone using Firesheep.
- Sites that keep an “https” in the address bar during the entire session are using encryption and cannot be accessed with Firesheep. Banks and other financial institutions commonly use “https” for the user’s entire online session.
- If you are on an open and unsecured Wi-Fi or wired network, do not go to sites that require a login to access your information. Looking at sites that require no action on your part should not compromise your privacy.
- Beware that any communication you send over an unsecured Wi-Fi network has the potential of being viewed by anyone else on that network.
So is there a silver lining to Firesheep?, I think so the publicity may force sites to follow GMAIL’S lead an institute encryption throughout the session and if you want to track your kids activities on facebook and twitter etc. while they are on your home network, you now can.
Some questions that have occurred to me that I have no idea about.
- What about Wi-Fi on airplanes?
- Firesheep has been downloaded over 750,000 times, how many of those are just curious and how many are nefarious?
- What do I do about Chrome and Internet Explorer?