There has been quite a bit of controversy recently about the hacking tool Firesheep.
Most of us are aware that every time we open our laptops and connect to a free public wifi hotspot, there is the potential danger of identity theft and other wireless intrusions by advanced hackers.
Yet critics of Firesheep allege that the free Firefox download is so simple that almost anyone can access personal information on Facebook, Twitter, Amazon, Foursquare, or any site that lacks proper encryption past the login point.
That’s right, with Firesheep, even novice hackers without any special skills (you, your grandmother, your ten-year-old nephew) can spy on users’ online activities.
Think it is not happening? Think again. In fact, Firesheep was downloaded more than 104,000 times within 24 hours of its launch in October; a few months later, there have been nearly one million downloads.
The Cookie Thief
Cookies are what allow us to stay signed in to multiple websites without having to enter our user name and password every time we return to the site.
To protect yourself in a wifi hotspot, first make sure the network you are using is password-protected. If it is not, all of your cookies and other online activities are essentially wide open for anyone to see.
And this is where Firesheep becomes a very big problem.
The Firesheep extension searches the network for cookies and steals the data. Firesheep hackers can use this data to easily log into your account and bypass your secure password.
VPNs and Other Security Measures
Of course, the best security management is to use a virtual private network (VPN) such as PRIVATE WiFi™, which encrypts all of your communications over a hotspot so that hackers and snoopers cannot reach them.
If you do not want to spend any money, there are “free” VPN programs such as Hotspot Shield VPN. In exchange, however, you are allowing Hotspot Shield to insert advertisements on the websites you visit and in your browser’s window. When you install it, Hotspot Shield might also try to make changes to your PC, such as changing your default search engine.
In the absence of a VPN, there are other preventive measures.
If you browse online using Firefox, try BlackSheep, a free add-on you can download. Unfortunately, it only works if you are using the Firefox browser, and as BlackSheep’s developer Julien Sobrier told TechCrunch, it only warns that an attack is already occurring:
“BlackSheep leverages much of the Firesheep code, but the twist is that rather than being used to hijack sessions, it instead detects when a session is being hijacked and alerts the user.”
Look For the ‘S’
Another important step in protecting yourself is to determine whether “https” is in the address bar of your web browser instead of just “http.” The extra “s” means that the website you are visiting uses encryption and the session is protected.
Google has updated its security through the use of “https” to encrypt everything past the initial login page, but Facebook, Foursquare, and Twitter have not taken the same preventive security measures.
For example, Facebook uses “https” encryption, but only on the login page. Once you are past that, Facebook reverts to the unprotected “http.” This means that your session is no longer protected and could be hijacked by either a novice using Firesheep or a more advanced hacker.
If you use Firefox, the free add-on HTTPS Everywhere can encrypt some of your browsing information on select sites using the HTTPS protocol. It alerts you when full encryption is active or when just part of the communication is encrypted. It cannot fully encrypt content on sites that incorporate material from third parties.
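For site owners, the login-only "https" pattern described above can be checked from the response headers a site sends. The following is an added example, not code from this article or from any tool it names; the host social.example, the cookie names, and both sample flows are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: responses a browser receives while signing in to a
# hypothetical site that encrypts only its login page.
LOGIN_ONLY_HTTPS = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=zz9; Path=/; Secure"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", [("Set-Cookie", "prefs=dark; Path=/")]),
]
# Constructed sample: the same flow with HTTPS and Secure cookies throughout.
FULL_HTTPS = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
        ("Location", "https://social.example/home"),
    ]),
    ("https://social.example/home", [("Set-Cookie", "prefs=dark; Path=/; Secure")]),
]

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """Report what leaves a signed-in session readable on an open network."""
    findings = []
    logged_in_over_https = False
    for url, headers in flow:
        if urlsplit(url).scheme == "https":
            logged_in_over_https = True
        elif logged_in_over_https:
            # The page after login travels in plaintext, cookies included.
            findings.append(("plaintext-after-login", url))
        for header, value in headers:
            if header.lower() != "set-cookie":
                continue
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure the browser also sends it over http://.
                findings.append(("cookie-without-secure", cookie))
    return findings

if __name__ == "__main__":
    for flow in (LOGIN_ONLY_HTTPS, FULL_HTTPS):
        print(audit_flow(flow))
```

An empty result for a flow means every page after login stayed on "https" and every cookie carried the Secure attribute.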
If you use Chrome, check out Google’s just-announced “False Start” feature being built into new Chrome browsers. Google says this enhancement focuses on faster encryption methods — especially in light of the debut of the Firesheep software — and that False Start can speed up secure communications between websites and its Chrome browser.
For the moment, there is not a long-term solution to the Firesheep problem. So until each and every website installs better encryption, remember that it is ultimately up to you to ensure your own online privacy.