Technology Thursday
I love taking my laptop to the coffeeshop and getting a bit of work done there. A new venue is often a nice change of pace. And while I'm lucky to be able to work from home quite a bit - even that luxury gets a bit stale. And just the other day I tweeted that I'm totally bored with the decor in my office downtown (and may make revamping that into a project - perhaps it'll mean I even go to the office a bit more often!) But my wishes for a change of scene may not be worth the security risk from using public WiFi.
There has long been a vulnerability in the way some websites handle keeping you 'logged in.' This is typically done through the use of "cookies" - small bits of data stored on your computer that give the websites you interact with information about you. Generally speaking, if someone can get access to your cookies, they may be able to get access to the sites using the information in those cookies. The vulnerability has been that many sites don't bother to encrypt cookie data. There may be encryption of your password when you log in, but after that, nada.
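The gap described above shows up in a site's own response headers: a session cookie set without the Secure attribute is also sent on any later plain-HTTP request, where others on an open network can read it. The audit below is an added example, not code from this post or from Firesheep; the hosts, cookie names and values are constructed sample data.

```python
# Added example: find cookies that would cross an open network unencrypted.
# All URLs, cookie names and values here are constructed sample data.
SAMPLE_RESPONSES = [
    ("https://example.test/login", [
        "Set-Cookie: session_id=4f2a9c; Path=/; HttpOnly",
        "Set-Cookie: csrf=91bd; Path=/; Secure",
    ]),
    ("http://example.test/home", [
        "Set-Cookie: prefs=lang-en; Path=/",
    ]),
    ("https://secure.example.test/login", [
        "Strict-Transport-Security: max-age=31536000",
        "Set-Cookie: session_id=77aa01; Path=/; Secure; HttpOnly",
    ]),
]


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses):
    """List (url, cookie, reason) for each cookie exposed to plain HTTP."""
    findings = []
    for url, header_lines in responses:
        pairs = [line.split(":", 1) for line in header_lines]
        headers = [(k.strip().lower(), v.strip()) for k, v in pairs]
        hsts = any(k == "strict-transport-security" for k, _ in headers)
        for key, value in headers:
            if key != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            if url.startswith("http://"):
                findings.append((url, name, "set over plain HTTP"))
            elif "secure" not in attrs:
                reason = "no Secure attribute"
                if not hsts:
                    reason += ", and no HSTS to keep later requests on HTTPS"
                findings.append((url, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```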
So, if you're surfing around on a public WiFi network, your cookies are flying around 'in the clear' (as the security gurus say). So, you think, whatever. Who's going to be looking for my cookies? But some, myself included, think this is pretty poor practice, particularly on the part of very large websites (such as that social network I loathe). And some have taken an additional step to try to prod better behavior on the part of these websites. There's now a Firefox plug-in you can download and install in your browser, and any time you're sitting on a public WiFi you can look around, using this plug-in, and grab other people's cookies (and log in as them to popular websites). Now, that'll probably get someone's attention!
It's called Firesheep. Here's how the developer describes this plug-in:
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room. Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is. After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you're instantly logged in as them. [emphasis added]
Glenn Fleishman over at Boing Boing had some reactions:
Of the large firms with this flaw, I'd argue that Google took this most seriously. In the intervening three years, Google has been layering SSL/TLS on ever more of its services. Gmail even added an option to kill other sessions. (Scroll to the bottom of the Gmail screen, and click Details at the end of the "last account activity" line to view the option.)
Many other sites have let the problem remain, though, beefing up security through the sop of offering secure logins, as noted above. It's quite rare to find any major site allowing an unencrypted login, which is a big improvement over a few years ago. Firesheep comes with 26 prefabricated sidejacking tools for sites like Facebook, Amazon, and bit.ly. Amazon and other sites that have a mix of plain HTTP and SSL/TLS-protected pages require re-authentication and SSL/TLS when you move into making a purchase, canceling an order, or other account-based activities. But you can place a 1-Click order without logging in again.
Less-visited sites in the millions have this sheepish problem, and some use identical software (and thus token names in the browser) making a mass-exploit via a Firesheep update the work of minutes.
He goes on to offer some solutions to those who are worried about this vulnerability, including not logging in to unsecured sites (like FB) while working on an untrusted network, and/or using a VPN.
So, how worried should we be about this? I think... somewhat. It irritates me no end when known holes like this are not dealt with - especially by the BigBoyz. (On the positive side, Gmail, for instance, got more serious about this sort of thing in January of this year.) The practical question for me is about using public WiFi networks when I'm out and about. Most of the time I don't actually need Internet access (beyond quick checks of email on my phone, which I use 3G for and not public WiFi); I can just load up some working documents on my laptop and work on them without a network connection. But I'd prefer to have full Internet access from the coffeeshop. So then the question becomes really a risk analysis assessment. What are the chances that someone at my local coffeeshop is going to be messing around looking for cookies to hijack? And if they're there, what are the chances they'll hijack mine? Just because something can be done doesn't mean that it's likely to be.
For me, I'll probably think twice before keeping myself logged in to some of the more egregiously-behaving sites, like that social network that irritates me so much! I have to confess that I'll probably still take advantage of free WiFi when it's available. But I'll pay a bit more attention to whether it seems like strange things are happening in my accounts at the sites I use.
Eternal vigilance, ho!
Thanks for this post, Lyn. I had a suspicion that free wi-fi would undermine my security but now I know exactly how. As I use Facebook more and more for work-oriented purposes, I need to protect my account more closely!
Posted by: Katherine | Thursday, October 28, 2010 at 11:26 AM
Here's some more information and context on this issue:
http://www.cdt.org/blogs/aaron-brauer-rieke/dont-get-hijacked-net-firesheep-and-https
Posted by: Lyn | Thursday, October 28, 2010 at 03:58 PM
Oh yes, very vulnerable. I also use the coffee shop WiFi regularly, but I got a really bad trojan virus that almost destroyed all the data in my netbook. Luckily, my husband is in the IT field and he was able to save it, but boy did it scare me straight! I now scan, scan and scan for viruses constantly in order to avoid letting a virus "brew" in my computer and give it the time to destroy my hard drive. Nice article!
Posted by: Ana | Thursday, November 04, 2010 at 11:18 AM
Hackers and phishers can take advantage of this free connection. The public should be warned about the threats of using free connections.
Posted by: chicago collocation | Thursday, January 12, 2012 at 01:23 AM