
Use Public Wi-Fi? You May Be Exposing More Than You Know

How many of you have ever logged into a site like Facebook, Twitter or Google from a public wireless connection, whether in a coffee shop, airport lounge or hotel? Yeah, that’s what we thought. I’ve never done things like online banking or shopping from a public connection because why take chances, right? Turns out it’s not just banking and credit cards you need to worry about. If you’ve ever visited a site that required you to log in while on public Wi-Fi, you’ve left yourself open to sidejacking.

Sidejacking? Never heard of it.

When you log in to a site you typically enter a username and password for the site to authenticate. If everything matches up, the site replies with a cookie. It’s sort of like the ticket taker at a concert handing you back a ticket stub upon entry to the venue. Nobody checks your details after that. If you have the stub then you must be ok. It’s normal for the site to encrypt this exchange to protect you; however, it’s surprisingly uncommon for the site to encrypt anything else past that point, which leaves your account vulnerable. Sidejacking is when a hacker gets their hands on your cookie. It lets them do anything you could do on that particular website.

Change your Facebook relationship status? Sure. Fire off spam email from your account? Why not? Send out a tweet with a rude comment? You betcha. Or worse.

Hanging out on a site that doesn’t encrypt data past the point of entry is like standing up in the coffee shop or airport lounge and shouting out your username and password.

It’s not a new problem and yet, very few people are doing much about it. This week Firesheep was launched to prove just how easy it is to hack into these types of accounts. If you use Firefox, all you need to do is install the extension, log in to a public Wi-Fi network and watch the accounts roll in. Double click on someone and bam! you’re instantly logged in as them.

Protect Yourself

The only foolproof way to prevent this is to either not visit sites where you need to log in while you’re on a public wireless network or refrain from using public Wi-Fi altogether. There are a few other steps you can take though.

  • If you’re a Firefox user, you can install the HTTPS Everywhere extension, which will force the browser to use a secure session rather than the default HTTP. If you don’t normally use Firefox, consider switching to it, with the HTTPS Everywhere extension installed, for the times when you’re on a public wireless network.
  • If you’re using a 3G enabled device like an iPad or a smart phone, turn off Wi-Fi.
  • If possible, consider purchasing a mobile internet connection that uses 3G. Bell and Rogers both have these available. Check with your local provider to see what the options are.

Demand Better

It’s the responsibility of those who create these websites to protect their users from harmful attacks as much as they can. This is a problem that has been ignored for too long. Hopefully with the attention it has been getting lately, we’ll see some changes soon.
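For site owners, here is one way to check for the gap described above. This is an added example, not code from the original post. It takes the cookies a site sets at login and reports which ones a browser would send unencrypted on later plain-HTTP page loads. The host social.example, the cookie names and the URLs are constructed sample data, and the sketch assumes every cookie applies to every URL on that one host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned after an HTTPS login.
SET_COOKIE_HEADERS = [
    "session_id=3f9a1c; Path=/; HttpOnly",   # login cookie without Secure
    "csrf=77ab; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
# Constructed sample: pages the browser requests after logging in.
FOLLOW_UP_URLS = [
    "https://social.example/login/done",
    "http://social.example/home",            # site drops back to plain HTTP
    "http://social.example/messages",
]

def parse_cookies(headers):
    """Return {name: {"value": str, "secure": bool}} from Set-Cookie lines."""
    jar = {}
    for line in headers:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            jar[name] = {"value": morsel.value, "secure": bool(morsel["secure"])}
    return jar

def cleartext_exposure(headers, urls):
    """Map each plain-HTTP URL to the cookie names sent with it in the clear."""
    jar = parse_cookies(headers)
    exposed = {}
    for url in urls:
        if urlsplit(url).scheme != "http":
            continue  # HTTPS requests are encrypted on the wire
        # Browsers withhold cookies marked Secure from http:// requests.
        names = sorted(n for n, c in jar.items() if not c["secure"])
        if names:
            exposed[url] = names
    return exposed

if __name__ == "__main__":
    report = cleartext_exposure(SET_COOKIE_HEADERS, FOLLOW_UP_URLS)
    for url, names in report.items():
        print(f"{url}: sent unencrypted -> {', '.join(names)}")
```

An empty result means no cookie from the login response would travel over an unencrypted request, which is what a site gets when it serves every page over HTTPS and marks its cookies Secure.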

Had you been aware of the issue before? Will you be changing any habits when it comes to public Wi-Fi now? Do you have any other tips for protecting yourself?