Summary:

The recent appearance of the Firesheep plugin for Firefox has raised concerns over the lack of security for browsing sessions that are conducted at public hotspots, so the release of FireShepherd to stop the digital eavesdroppers is welcome news. Hotspot sessions are more vulnerable than many realize.

The recent appearance of the Firesheep plugin for Firefox has raised concerns over the lack of security for browsing sessions conducted at public hotspots, so the release of FireShepherd to stop the digital eavesdroppers is welcome news. Firesheep (it’s the naughty one) lets anyone using the browser plugin snoop out login credentials for commonly used web sites like Facebook and Twitter. Using this information, strangers can access private accounts to do whatever they wish, as the web site being hacked thinks they are the owner of the account.

While the developer behind Firesheep claims the tool was released to demonstrate the vulnerability of private information at public Wi-Fi hotspots, it has been downloaded over 200,000 times. Unfortunately, Firesheep works because many web sites do not use the more secure HTTPS, which makes individual sessions secure even over public networks. No doubt some of those now using the tool to snoop do not have the same good intentions as the developer. FireShepherd (the nice one) kills any Firesheep sessions running over unsecured hotspots. Unfortunately, FireShepherd is a Windows program, which leaves users of other systems unprotected.

Our friends at WebWorkerDaily list other tools besides FireShepherd that can be used to protect hotspot sessions from hackers, but as one man’s recent trip to a Starbucks in New York City proved, many web surfers apparently don’t run such tools, or ignore the threat even when it’s pointed out. Gary LosHuertos used Firesheep in the Starbucks to gather login information for 20 people surfing the web, and then sent each a warning that they had been hacked. To make his point, LosHuertos sent the warnings from each patron’s own Facebook (or other network) account. He observed that some folks dropped offline after receiving the warning, but others kept on using the account as if nothing had happened.

The threat of having hotspot sessions compromised is not that far-fetched, and Firesheep makes it even more likely that at some point you might be exposed. Windows users should definitely look at FireShepherd, and those with devices on other platforms should take other steps to protect public web interaction. Many smartphone owners are accessing the web via Wi-Fi hotspots, but those devices have the best protection against hackers in their 3G or 4G connections. As tempting as using the free Wi-Fi may be, the safest way to connect to the web is using the phone’s integrated 3G/4G data connection. These connections are encrypted at the carrier level, and are risk-free as a result.

Image credit: Flickr user Swift Benjamin.


  1. Crazy, a “counter-plugin”.

    Let the plugin-wars commence! ;-)

  2. Why not just have a plugin that takes URLs for certain sites and changes them from “http:” to “https:”? The plugin could have a list of sites that it would apply to (with wildcards accepted).

    So, a good starting list:
    *.facebook.com
    facebook.com
    *.twitter.com
    twitter.com
    *.google.com

    Seems like it would fix the problem pretty easily.

    1. Use the ‘https everywhere plugin’. It’s awesome.

      1. What does it do with sites that a) don’t support https, or b) have completely different content for https vs http?

  3. The nature of the WiFi security architecture (since it is left unsecured) is a major cause of this vulnerability. An average user does not have a clue.
    More software/plugins is not the solution; the WiFi access point to terminal should have been architected to be secure (even in hotspots).
    Bluetooth does not leave the link unsecured.
    I have written a post in my blog here:
    http://dennismathews.wordpress.com/2010/10/28/on-wireless-security-and-googles-wifi-scanning/

  4. I invented firefox, also windows 7. Bill stole the idea when he was balls deep in my sister!

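The allow-list rewrite proposed in the second comment, sketched as an added example (not code from the post, its commenters, or any real plugin): `hostMatches` and `upgradeUrl` are hypothetical names, and the host list is the commenter's starting list. Wildcards are matched on a label boundary, so a look-alike host such as `evilfacebook.com` is not treated as a subdomain of `facebook.com`, and hosts that are not listed are left on HTTP rather than broken.

```javascript
// Added example. UPGRADE_HOSTS is the starting list from the comment;
// the function names and sample URLs are hypothetical.
const UPGRADE_HOSTS = [
  "*.facebook.com", "facebook.com",
  "*.twitter.com", "twitter.com",
  "*.google.com", // note: the bare host google.com is not on the list
];

// True if host matches pattern. "*.example.com" matches any subdomain of
// example.com, but not example.com itself and not "evilexample.com".
function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // keep the leading dot: ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// Returns the https:// form of rawUrl when its host is on the list,
// otherwise returns rawUrl unchanged.
function upgradeUrl(rawUrl, patterns = UPGRADE_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl; // not an absolute URL; leave it alone
  }
  if (url.protocol !== "http:") return rawUrl; // already https, or another scheme
  if (!patterns.some((p) => hostMatches(p, url.hostname))) return rawUrl;
  // An explicit non-default port (e.g. :8080) is a plain-HTTP listener;
  // changing only the scheme would not reach a TLS service, so skip it.
  if (url.port !== "") return rawUrl;
  url.protocol = "https:";
  return url.href;
}
```

A rewrite like this only helps on the first request if it runs before the request leaves the browser; once a plain-HTTP request has been sent, any session cookie attached to it has already crossed the hotspot in the clear.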