- Joined
- Oct 13, 2010
- Messages
- 10,780
As a PSA for the readers of this board, I thought I'd mention that if you like to take your laptop to the Starbucks (or any other open wi-fi access point), there's been a huge increase in risk lately due to a Firefox plug in called "Firesheep".
If you have to type a password to get on your hot spot, you're probably ok, even if the password is posted on the wall at the coffee shop!
This is true because that means the traffic is WPA encrypted, and sniffers can't see each others' traffic.
But if there's no password, sniffers can see all of your traffic. It has been this way "forever". What's different NOW is that with a few clicks, anyone can hijack your session (basically they become you), for many web sites (Facebook, twitter, eBay, etc.... see this link for a list: Handlers - firesheep - GitHub).
Hijackers can "become you" in that coffee shop or wherever, meaning they could not only read everything that you can read on the hijacked account, but change anything they want too! This is going to be really fun to watch profile pictures get changed on Facebook! If there is any "good news" is that 1) They probably can't change your password (because most sites re-ask for your password, and the hijacker doesn't have that, and 2) If you log off of the site (instead of just closing the browser tab), the cookie will become invalid for the hijacker.
So what do you do? Don't use open wifi hotspots for web sites that don't protect your privacy all the time. The web sites that are the problem are ones that do https encryption during the login, but pop you out to non-encrypted http afterwards, and just use a session cookie to keep you going. This is how Firesheep works; it just listens for your session cookie, then uses it to "become you" on those sites at risk.
Be safe!
--Dale--
If you have to type a password to get on your hot spot, you're probably ok, even if the password is posted on the wall at the coffee shop!
This is true because that means the traffic is WPA encrypted, and sniffers can't see each others' traffic.
But if there's no password, sniffers can see all of your traffic. It has been this way "forever". What's different NOW is that with a few clicks, anyone can hijack your session (basically they become you), for many web sites (Facebook, twitter, eBay, etc.... see this link for a list: Handlers - firesheep - GitHub).
Hijackers can "become you" in that coffee shop or wherever, meaning they could not only read everything that you can read on the hijacked account, but change anything they want too! This is going to be really fun to watch profile pictures get changed on Facebook! If there is any "good news" is that 1) They probably can't change your password (because most sites re-ask for your password, and the hijacker doesn't have that, and 2) If you log off of the site (instead of just closing the browser tab), the cookie will become invalid for the hijacker.
So what do you do? Don't use open wifi hotspots for web sites that don't protect your privacy all the time. The web sites that are the problem are ones that do https encryption during the login, but pop you out to non-encrypted http afterwards, and just use a session cookie to keep you going. This is how Firesheep works; it just listens for your session cookie, then uses it to "become you" on those sites at risk.
Be safe!
--Dale--
