In the past when I’ve tried to explain to people how dangerous it is to use open wireless networks, nobody has really paid much attention. This is because we believe the chances are minimal of there being some über geek hacking into the network, and besides, if there was we’d spot them because the satellite dish duct-taped to their laptop would make them stand out.
But that all changed a few days ago when Firesheep was released. Firesheep is a free Firefox extension that is simple to install and even simpler to use. I demonstrated its awesome power this morning to a group of graphic designers who are so lax about security that their computers are left unlocked overnight, and I frequently hear complaints about them having to use a password at all.
The first step is to install FireSheep. I downloaded the .xpi file and then dragged the downloaded file onto a Firefox window causing the install add-ons window to appear. I clicked install and then clicked the resulting Restart Firefox button. Job done.
Next I activated Firesheep while in Firefox by selecting View>Sidebar>Firesheep which opened a sidebar in the browser with a big Start Capturing button at the top which I duly clicked.
Next I got one of our designers, Nick, to sign in to Facebook on his computer. Within seconds of his log in, his profile picture appeared in my Firesheep sidebar. That’s pretty shocking, but the sucker punch is that when I double clicked his likeness my computer logged in to his Facebook account! I now had full access as if he’d given me his password!
Our normally laid-back-about-security designers suddenly had their eyes opened to the dangers of unencrypted network traffic. I then used another computer to log in to my accounts on Facebook, Flickr, Amazon, and the WordPress admin for this very site. One by one these accounts appeared in the original computer’s Firesheep window, and for each one a double click logged me into the site as if I’d used the password.
What’s more, I didn’t actually need to log in to give away access to my account. What Firesheep picks up is not the password but the session cookie the browser attaches to every unencrypted request once you are signed in. Had I already been logged in to any of those sites, simply visiting a new page would have broadcast that cookie again, and for sites like Facebook I wouldn’t even need to click anything, as an open page keeps refreshing itself automatically, handing out the keys to my account each time.
In this demonstration, as you can see in the accompanying screengrabs, I’ve only gained access to my own accounts, but had I been using a hotel’s wifi, or a Starbucks, or a plane, I would have been granted access to a lot of people’s accounts. Gulp!
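To make the mechanism above concrete, here is an added illustration (my own example, not Firesheep’s code) of what a sidejacking tool does under the hood: it reads plaintext HTTP requests off the wire, looks up which cookie names identify a session for a known site, and collects exactly the cookies it would need to replay. The site “handlers”, cookie names and captured requests are all constructed for the demo and are not the real ones any site uses.

```python
"""Firesheep-style session sniffing, reduced to its essentials.

Added example, not Firesheep's own code.  HANDLERS and CAPTURED_REQUESTS
are constructed for the demo: the hostnames and cookie names are invented.
"""
import re

# Per-site "handlers": which cookie names carry the session for that host.
# A real tool ships a handler per supported site; these are made up.
HANDLERS = {
    "www.example-social.com": {"session_id", "user_id"},
    "www.example-photos.com": {"sess"},
}

# Constructed sample of plaintext HTTP requests as a sniffer on an open
# wireless network would see them (one complete request per element).
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"Cookie: locale=en_GB; session_id=abc123; user_id=4711; tracking=zzz\r\n\r\n",
    b"GET /photos/ HTTP/1.1\r\nHost: www.example-photos.com\r\n"
    b"Cookie: sess=ph0t0sessi0n\r\n\r\n",
    # No cookie and no handler for this host: nothing to steal here.
    b"GET / HTTP/1.1\r\nHost: news.example.org\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_request(raw):
    """Return (host, {cookie_name: value}) for one HTTP request, or None if
    the bytes do not start with an HTTP request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    host, cookies = None, {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            # Cookie header is "k=v; k2=v2; ..." -- split it into a dict.
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return host, cookies


def sidejack_candidates(requests, handlers=HANDLERS):
    """Mimic the sidebar: one entry per handled site whose session cookies
    were all seen in the clear.  Returns {host: {cookie_name: value}}."""
    found = {}
    for raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = handlers.get(host)
        if not wanted:
            continue
        session = {k: cookies[k] for k in wanted if k in cookies}
        if len(session) == len(wanted):  # every session cookie is present
            found[host] = session
    return found


def replay_cookie_header(session):
    """Build the Cookie header a hijacker would attach to their own request;
    sending it is the 'double click' in the sidebar."""
    return "; ".join(f"{k}={v}" for k, v in sorted(session.items()))


if __name__ == "__main__":
    for host, session in sidejack_candidates(CAPTURED_REQUESTS).items():
        print(host, "->", replay_cookie_header(session))
```

Nothing here is clever: no password is cracked and no encryption is broken. The attacker only needs to be on the same open network and to copy a header that the victim’s browser is already sending in plain text.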
I’ve shown a few people this now and without exception they’ve freaked out, accusing it of being illegal. But the way to think about this is that using an open network can be like sitting in a public space and shouting your username and password out loud. People will be able to hear you, and that in itself isn’t illegal, but obviously it leaves the opportunity for unscrupulous persons to abuse this information.
Many people now use the messaging systems built into social networking sites as an alternative to email, especially when they want to keep something private from their main email account, which may be a work account. This means some people keep their most private conversations on Facebook, and now if you access your account while on an open wireless network you are letting anyone else on that network read your secrets with ease.
This isn’t anything you couldn’t do BF (Before Firesheep), but it required considerable technical acumen and a fair degree of patience. It’s not the sort of thing you give a walkthrough for in less than 200 words as I’ve done here. And this is why Firesheep was created – to highlight just how possible this is, by making it very simple to accomplish. If everyone knows just how simple it is then the hope is that we will all do something about it.
And there is something you can do about it. Always try to access your accounts securely – here are my top four ways of avoiding being a Firesheep victim.
- Don’t use open wireless networks. Only join a wireless network if it needs a password before you can see anything in your browser, i.e. a WPA/WPA2 password your computer asks for when you join, because that is what encrypts the radio traffic between you and the access point. Don’t be fooled by hotel networks that need a password on a web page the browser forces you to view once you connect to their wifi. That password is to ensure you pay for access; it provides you with no additional security over a completely open network. Bear in mind too that a shared wifi password only keeps out people who don’t know it: anyone who has the same password can in principle decrypt your traffic as well.
- If you have to access an account while in a public space, use a mobile device that has its wifi switched off. This means you’ll be using the mobile connection, 3G or similar.
- Set up SSH tunneling on your computer so that everything you do is encrypted across the wireless network, whichever one you are connected to. The tunnel only protects the leg between you and your SSH server (traffic from there to the website is plain http again), but that is exactly the leg a Firesheep user sitting nearby can see. This is the most secure approach by far and the technique I use, but the problem is that it’s far from simple to set up and therefore not an option for the average internet user.
- If you have to use an open wireless network, for example on a laptop, or an iPad without 3G access, then install HTTPS-Everywhere or Force-TLS – two Firefox extensions that automagically force relevant sites to use encrypted connections. Essentially they make sure the http bit in your address bar is replaced with https, like it is on your online banking. They can only do this for sites that actually offer https, and a site’s session cookie stays exposed if the site sets it without the Secure attribute, because the browser will still send it along with any plain http request to that site. I installed HTTPS-Everywhere and it kept my Facebook access confidential, but failed to protect me on Flickr as it appears they don’t offer https access yet.
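The last point is worth seeing in code, because it is where the browser-side fixes and the site-side fixes meet. The added example below (mine, not code from HTTPS-Everywhere or Force-TLS) does two things: it rewrites http URLs to https for hosts that are known to support it, the way those extensions do, and it audits a site’s Set-Cookie headers to show which cookies would still travel in the clear on a plain http request. The hostnames, Set-Cookie headers and probe URLs are constructed for the demo; the weak header is shown beside its corrected form.

```python
"""Forcing https in the browser versus marking the cookie Secure on the site.

Added example, not code from HTTPS-Everywhere, Force-TLS or any site.
All hostnames, Set-Cookie headers and URLs below are constructed.
"""
from urllib.parse import urlparse

# Constructed: the host that set the cookies, its Set-Cookie headers and
# some URLs a browser might request while the user is logged in.
SET_BY = "www.example-social.com"
SET_COOKIE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",             # weak: no Secure flag
    "session_id_s=abc123; Path=/; Secure; HttpOnly",   # corrected form
    "tracking=zzz; Domain=.example-social.com; Path=/",
]
PROBE_URLS = [
    "https://www.example-social.com/home.php",
    "http://www.example-social.com/home.php",
    "http://static.example-social.com/logo.png",
    "http://www.other.example/",
]
# Hosts the (constructed) ruleset knows how to reach over https.
HOSTS_WITH_HTTPS = {"www.example-social.com"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def would_send(cookie, url):
    """Does the browser attach `cookie` to a request for `url`?  Only the
    Domain scoping and the Secure attribute are modelled here, which is all
    this check needs."""
    _name, _value, attrs, set_by = cookie
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = attrs.get("domain", set_by).lstrip(".")
    # Without a Domain attribute the cookie goes only to the host that set it;
    # with one it also goes to every subdomain.
    in_scope = host == domain or ("domain" in attrs and host.endswith("." + domain))
    if not in_scope:
        return False
    if "secure" in attrs and parsed.scheme != "https":
        return False
    return True


def audit(set_cookie_headers, set_by, probe_urls):
    """For each cookie, list the probe URLs on which it would be sent over
    plain http, i.e. where a sniffer could read it.  Returns {name: [url]}."""
    leaks = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        cookie = (name, value, attrs, set_by)
        leaks[name] = [u for u in probe_urls
                       if urlparse(u).scheme == "http" and would_send(cookie, u)]
    return leaks


def force_https(url, hosts_with_https):
    """What an HTTPS-Everywhere style rule does: rewrite http to https, but
    only for hosts the ruleset knows support it."""
    parsed = urlparse(url)
    if parsed.scheme == "http" and parsed.hostname in hosts_with_https:
        return parsed._replace(scheme="https").geturl()
    return url


if __name__ == "__main__":
    for name, urls in audit(SET_COOKIE_HEADERS, SET_BY, PROBE_URLS).items():
        print(f"{name}: sent in the clear on {urls or 'nothing'}")
    for url in PROBE_URLS:
        print(url, "->", force_https(url, HOSTS_WITH_HTTPS))
```

Run it and the weak `session_id` leaks on the plain http page, the `Secure` version leaks nowhere, and the domain-wide `tracking` cookie leaks on every http subdomain request. The URL rewriter fixes the page the user is looking at, but one stray http request to the site (a typed URL, an embedded image, a link from elsewhere) still carries a non-Secure cookie, which is why the site must set the flag as well.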
Scary, isn’t it? But now this problem that’s been around for years is about to become incredibly visible to the world at large – I expect mainstream news media to start covering it with much sensation over the next week or so – and as a result the pressure on sites to fix it will deliver results.
Google forces https access for their Gmail service (although not for their other Apps), and all internet banking is done through https, so isn’t it about time for social networking sites to start treating our private information with the same degree of confidentiality?