The recent appearance of the Firesheep plugin for Firefox has raised concerns over the lack of security for browsing sessions conducted at public hotspots, so the release of FireShepherd to stop the digital eavesdroppers is welcome news. Firesheep (it’s the naughty one) lets anyone using the browser plugin snoop out login credentials for commonly used web sites like Facebook and Twitter. Using this information, strangers can access private accounts to do whatever they wish, because the web site being hacked thinks they are the owner of the account.
While the developer behind Firesheep claims the tool was released to demonstrate the vulnerability of private information at public Wi-Fi hotspots, it has been downloaded over 200,000 times, and no doubt some of those now using the tool to snoop do not have the same good intentions as the developer. Unfortunately, Firesheep works because many web sites do not use HTTPS, the more secure protocol that keeps individual sessions secure even over public networks. FireShepherd (the nice one) kills any Firesheep sessions running over unsecured hotspots. Unfortunately, FireShepherd is a Windows program, which leaves users of other systems unprotected.
There are tools besides FireShepherd, listed by our friends at WebWorkerDaily, that can be used to protect hotspot sessions from hackers. But as one man’s recent trip to a Starbucks in New York City proved, many web surfers apparently don’t run such tools, or ignore the threat even when it’s pointed out. Gary LosHuertos used Firesheep in the Starbucks to gather login information for 20 people surfing the web, and then sent each a warning that they had been hacked. To make his point, LosHuertos sent the warnings from each patron’s own Facebook (or other network) account. He observed that some folks dropped offline after receiving the warning, but others kept on using the account as if nothing had happened.
The threat of having hotspot sessions compromised is not that far-fetched, and Firesheep makes it even more likely that at some point you might be exposed. Windows users should definitely look at FireShepherd, and those with devices on other platforms should take other steps to protect public web interaction. Many smartphone owners are accessing the web via Wi-Fi hotspots, but those devices have the best protection against hackers in their 3G or 4G connections. As tempting as using the free Wi-Fi may be, the safest way to connect to the web is using the phone’s integrated 3G/4G data connection. These connections are encrypted at the carrier level, and are risk-free as a result.
Image credit: Flickr user Swift Benjamin.