February 24th, 2011
by Nick Briz
By now you may have heard of the hacker plug-in “Firesheep.” If you haven’t, you’d better finish reading this. It’s no secret to some that your personal information is exposed to the entire WiFi network when you log into Facebook at your local cafe. However, acquiring the cookies that contain this private information was a skill once reserved for expert “sidejackers.” Despite this, plenty of popular websites remain vulnerable to sidejacking, most social-networking sites among them. What’s out of sight is out of mind.
Recently, in a hacktivist move to call attention to the issue, Eric Butler and Ian Gallagher, a pair of frustrated web developers, created a Firefox plug-in that lets anyone easily hack into someone’s Facebook, Twitter, Flickr, and other accounts. Butler said he wrote Firesheep because he was “tired of having to deal with websites that were ignoring this problem of user privacy, and have been doing so for so long. Sites like Twitter and Facebook will encrypt your login and password when you first visit the site, but after that everything that you do is sent unencrypted for anybody to see and it’s been a problem for a long time.”
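The exposure Butler describes comes down to session cookies that the browser will also send over plain HTTP because they lack the Secure attribute. The following Python code is an added example, not part of the original article or of Firesheep: it audits `Set-Cookie` headers for such cookies. The sample headers, the cookie names and the `SESSION_HINTS` list are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies a browser would send over http://."""

# Constructed sample: Set-Cookie values from a hypothetical site whose login
# form is served over HTTPS but whose session cookie is not restricted to HTTPS.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",
    "csrf=9f8e7d; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
    "auth_token=zzz; Domain=.example.test; Path=/; secure",
]

# Name fragments treated as session-bearing (an assumption made for this example).
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lowercased attribute names to their values."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def sidejackable(headers):
    """Names of session-like cookies lacking Secure, so also sent unencrypted."""
    exposed = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        looks_like_session = any(hint in name.lower() for hint in SESSION_HINTS)
        # Attribute names are case-insensitive; parse_set_cookie lowercased them.
        if looks_like_session and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie in sidejackable(SAMPLE_HEADERS):
        print(f"{cookie}: no Secure attribute, visible to anyone on the same network")
```
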
Hopefully the bad press means these sites get their acts together soon, but in the meantime there are a few things you can do to protect yourself from getting “sidejacked.” Aside from practicing abstinence and avoiding public WiFi altogether, you can try sticking only to protected sites. You can tell a site is protected because a small lock icon will appear somewhere on your browser and the address bar will read “https” rather than just “http.” But what if the only reason you walked five blocks to the coffee shop was to check your Facebook in the first place? Well, there are a couple of other options. The traditional approach is to protect yourself by encrypting all your traffic using a personal VPN (Virtual Private Network). You can find one here and another here, as well as a free and open-source option here. If acronyms like VPN scare you (it can be a bit techy), there’s yet another option. HTTPS Everywhere is a Firefox extension produced by the EFF (the Electronic Frontier Foundation). The EFF have been warning us about these kinds of security risks for quite some time; perhaps now we’ll listen.
Here’s an extended interview with Eric Butler and Ian Gallagher (via Komonews.com) in which they discuss the privacy risks, how the technology works, and why they made Firesheep.