Your login can be stolen with an easy browser plug-in
If you are working on a public wireless connection, you should be aware that for just about any website, your login can easily be hijacked by someone sitting next to you. The month of November always sees a sharp uptick in the number of people out writing in public. NaNoWriMo writers, mostly - but a lot of people respond to winter's closing in by heading out to the café just to get out of the house. And a lot of those writers will be distracting themselves by logging into Facebook, Twitter, Amazon, their WordPress blogs… it's natural!
But a simple browser plug-in will allow anyone else on that public wireless connection to steal your credentials. Firesheep is easy to install, and even easier to use. It filters all the internet traffic going on around it. When it intercepts credentials it can use, it gives the user a button to click. Just by tapping the mouse, that person is now logged in as you.
How does Firesheep work?
When you log into a website, that login page is usually secured by HTTPS. (Most browsers will show a gold lock.) But after logging in, the site gives your computer a token and redirects you to the non-secured HTTP version of the site.
The token tells the site "This person has logged in, so go nuts." Firesheep basically makes a copy of that token and gives it to the person running it.
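For anyone who runs a site, the weakness described above shows up in the login response itself. The following is an added example, not part of the original post: it checks a login response's headers for a token cookie that lacks the Secure attribute and for a redirect back to plain HTTP. The header values, the `example.com` host and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit_login_response(headers):
    """Return a list of findings for a login response given as (header, value) pairs."""
    findings = []
    for header, value in headers:
        h = header.lower()
        if h == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure, the browser also sends this cookie over HTTP,
                # where anyone on the same wireless network can read it.
                findings.append(f"cookie {name!r} lacks Secure")
        elif h == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirect leaves HTTPS: {value}")
    if not any(h.lower() == "strict-transport-security" for h, _ in headers):
        # HSTS tells the browser to use HTTPS for every later request to the site.
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample: HTTPS login that hands out a token, then drops to HTTP.
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Location", "http://www.example.com/home"),
]
# Constructed sample: the same response from a site that stays on HTTPS throughout.
HARDENED = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Location", "https://www.example.com/home"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response(sample) or "no findings")
```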
What's vulnerable to Firesheep?
Any site where you log in, and then go to a non-secured (HTTP) version of the site. Which is to say, just about any site on the internet, including Facebook, Reddit, Twitter, Amazon, WordPress, Flickr, and Ravelry (for the knitters in the house!).
What's safe?
Gmail, Google Docs, probably your bank's online banking section (test this at home first!) and Dropbox are the only sites I have found which are safe because they use HTTPS throughout.
How can I protect myself?
The obvious answer is, don't log into anything when you are on a public wireless connection. (Maybe this is the nudge you need to focus on your work instead of updating Facebook!)
The only real way to protect yourself is to use a VPN. Many home computers can be configured to serve as VPN hosts, so you're essentially tunneling through the internet to your home computer, then back out to the internet. It isn't too hard to set up a home VPN if you are somewhat computer-savvy. But I have to note that using a VPN makes your connection SUPER SLOW AND ANNOYING.
