Do you log into services such as Facebook from public Wi-Fi hot spots? Are you logging into these services without forcing them to use HTTPS? Well, I've got bad news for you: there is a Firefox plugin called Firesheep.
What is Firesheep? It's a Firefox plugin that listens to Wi-Fi traffic and looks for authentication cookies for known services. When you log into Facebook, an object called a cookie is sent from Facebook's server to your computer. The Facebook server knows this cookie was issued to you, so your computer presents it to prove who you are every time you interact with the website. Here's the problem: that cookie isn't sent through a secure tunnel (HTTPS) unless you're using something like HTTPS Everywhere or NoScript to force it.
Without the cookie being sent through a secure tunnel, anybody listening to your network traffic can grab it. With that cookie they can log into your account, because Facebook only asks for the cookie as proof that you are you. Open Wi-Fi hot spots (such as those at Starbucks) use no encryption, meaning everything you send and receive that isn't in a secure tunnel can be seen by anybody with a Wi-Fi card.
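The property that decides whether a cookie rides over plain HTTP is the Secure attribute on the Set-Cookie header. The following is an added example (not from this post, and not Firesheep's code) that audits Set-Cookie headers for the Secure and HttpOnly attributes; the headers and cookie names are constructed samples, not captured from any real service.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off plaintext HTTP (Secure) and away from page scripts (HttpOnly).

A cookie without Secure is attached to any http:// request for its domain,
which is exactly what a passive listener on an open hot spot can read."""

from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (hypothetical names and values).
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Domain=.example.com",   # neither attribute
    "csrf_token=tok456; Path=/; Secure",                # Secure only
    "login=xyz789; Path=/; Secure; HttpOnly",           # hardened
]


def audit_set_cookie(header: str) -> dict:
    """Return {cookie_name: [missing attributes]} for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)  # parses the name=value pair plus its attributes
    findings = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")    # will be sent on plain http:// requests
        if not morsel["httponly"]:
            missing.append("HttpOnly")  # readable by any script on the page
        findings[name] = missing
    return findings


def audit_all(headers) -> dict:
    """Merge the findings for a list of Set-Cookie header values."""
    findings = {}
    for header in headers:
        findings.update(audit_set_cookie(header))
    return findings


def exposed_over_http(headers) -> list:
    """Names of cookies a browser would send over unencrypted HTTP."""
    return [name for name, missing in audit_all(headers).items()
            if "Secure" in missing]


if __name__ == "__main__":
    for name, missing in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: missing {missing or 'nothing'}")
```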
Scenario time! Let's say you go to Starbucks and log into your Facebook account on their free and open Wi-Fi hot spot. The guy sitting across from you has his laptop open and is running Firesheep. When you log in, he obtains your cookie, logs into your Facebook account, changes your e-mail and password, and starts doing all sorts of malicious shit to your friends. This is what happens, ladies and gentlemen, when you use unsecured Wi-Fi access points. Don't do it! If you know you'll be required to use an unsecured Wi-Fi hot spot (such as at a hotel), use a VPN service (quite a while ago I reviewed HotSpotVPN, which is one of those services).
Firesheep was created to raise awareness of this problem. If you head over to this link, you can download the slide show used by the creator of Firesheep for a presentation at Toorcon.