As a web development company, we get asked quite a few technical questions (obviously). Some of those questions fall outside the scope of what we do – we design and develop great websites, we don’t fix your brother’s Windows XP machine.
But, one typical question that we get a lot relates to security. Specifically, how can I (or my company) be safe online?
Well, this really is a complicated question. But recently, I was at a local Starbucks and just had to try out a new Firefox plugin.
Recently a Firefox plugin was released called FIRESHEEP. This simple little plugin takes just seconds to install, is incredibly simple to use, but can wreak amazing havoc!
Just what exactly does FIRESHEEP do? After installation, it adds a sidebar to your Firefox browser. This sidebar has one simple button labeled “Start Capturing”. When enabled (meaning you click the button) it captures anyone’s (yes, anyone’s) login credentials! What does this mean? Well, take a look at what I grabbed in just a few minutes at Starbucks:
I’ve blurred out all the names and replaced all the images with the blank people. But, in just 5 – 10 minutes at a local Starbucks, I was able to log into 3 different Facebook accounts, 1 Twitter account, 1 WordPress web site, 1 Amazon account, and 1 GitHub account (it’s a code storage service for programmers). Amazing. Or terrifying… All this without ANY special knowledge on my part. All I had to do was start the plugin. Then when I clicked on the top Facebook icon, I was instantly logged into Facebook AS THAT USER. I can change things, update things, delete things – do anything I wanted.
So, how does this work? Well, first of all, I never had access to the user’s password. We’ll use Facebook for our example here. I never had the user’s Facebook password. When you log into Facebook, typing in your username and password, you are on a secured web site – your browser has HTTPS at the start of the web address. What this means is that all the communications between you and the server (Facebook) are encrypted and can’t be read by anyone who happens to “capture” them. So, this is good. But, once you are logged into Facebook, the pages go back to HTTP – meaning the communication is NOT encrypted, and if someone happens to capture the communication, they can read it. Now, it gets a bit complicated, but the next step in the process involves how Facebook knows you are already logged in. Obviously, as you navigate your way around Facebook, you don’t want to type your password in every single time. So, how does Facebook know you are indeed you? Well, the answer is your cookie. Websites you visit regularly store bits of information on your computer called cookies. These cookies contain various bits of information. One bit of information is typically a session ID. This session ID is a unique number or ID that proves to Facebook that you are who you say you are. So, when you click on a link on Facebook, the web site asks for this session ID to verify it is really you who did this. Without the session ID, you would have to log in again. But, the problem is that this session ID is sent unencrypted to the server. So, anyone who is listening can get this session ID. And, once someone has your session ID, they can “pretend” to be you until you log out (which essentially kills your session ID).
Sound scary? It should. This means anyone at a public Wi-Fi hotspot (like Starbucks) can log into your Facebook, Twitter, Google, Amazon and other accounts (by the way – Firesheep only works on 30 or so sites – but it includes all the big ones). They could post updates, send tweets, send messages, and more. All without your knowledge.
So, what can we do to prevent this? Well, here are a few simple (and a couple not so simple) solutions:
- Avoid unsecured wireless – the simplest solution is to use Wi-Fi security. If the coffee house would simply turn on WPA encryption, most of the problems would be solved. They could freely advertise the password, or just make the password “password”. Just by simply using WPA, they would fix most issues.
- Realize that this is limited to certain sites. Sites such as your bank always use HTTPS. And, by its very nature, HTTPS isn’t vulnerable to this problem. But, it’s still not a good idea to do banking on unsecured Wi-Fi networks (for many reasons).
- If you use Firefox, consider using the HTTPS EVERYWHERE plugin (http://www.eff.org/https-everywhere). This plugin will attempt to convert HTTP connections to HTTPS connections. Again, this would solve the problem. The best solution is just to make Facebook, Google, et al. use HTTPS. But, realizing that they probably won’t change soon, this plugin does it for them. It works on Amazon, Facebook, Twitter, Google Search, PayPal and others. This is a good solution requiring very little work.
- Use a VPN solution – a VPN is a Virtual Private Network. Basically, a VPN creates a private and secure line from your computer to another server. Then the connection goes out to the internet. This method virtually guarantees that you are secure. It definitely solves the Firesheep problem. However, VPNs can be a bit complicated and sometimes cost money. A decent free solution is provided by Hotspot Shield. This free option does have advertisements and is limited to approx. 2 GB a month. But, it is a really good solution when at a public Wi-Fi access point.
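For the web developers among our readers, here is the server side of the fix described above: the session ID only leaks because the site hands out a session cookie that the browser is willing to send over plain HTTP. This is an added example written for this post, not code from Firesheep, Facebook or any of the plugins mentioned; the cookie header strings are constructed samples, and the helper names (`audit_session_cookie`, `would_browser_send`, `hardened_set_cookie`) are our own. It parses a `Set-Cookie` header, reports whether the session cookie is missing the `Secure` flag (the exact weakness the plugin relies on) and `HttpOnly`, shows whether a browser would attach that cookie to an `http://` request, and builds the hardened header plus the `Strict-Transport-Security` header that keeps the browser on HTTPS in the first place.

```python
"""Audit and harden session cookies against capture over plain HTTP.

Added example for this post (not code from the original article or any
project it mentions). All header values below are constructed samples.
"""


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into a dict.

    'name' and 'value' hold the cookie itself; every other key is an
    attribute in lower case (value-less flags such as Secure map to True).
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_session_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is acceptable."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie:
        # Without Secure the browser sends the session ID on every http://
        # page, so anyone on the same open Wi-Fi can read it.
        findings.append("missing Secure flag")
    if "httponly" not in cookie:
        # Not the Firesheep problem, but the same cookie should not be
        # readable by page scripts either.
        findings.append("missing HttpOnly flag")
    return findings


def would_browser_send(header: str, scheme: str) -> bool:
    """Model the browser rule that matters here: a Secure cookie is attached
    to https:// requests only; a non-Secure cookie goes out on both."""
    cookie = parse_set_cookie(header)
    if scheme == "https":
        return True
    return "secure" not in cookie


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie header for a session cookie the way it should be issued."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly"


def hsts_header(max_age: int = 31536000) -> tuple:
    """Strict-Transport-Security tells the browser to use HTTPS for this host
    from now on, closing the 'pages go back to HTTP' gap after login."""
    return ("Strict-Transport-Security", f"max-age={max_age}; includeSubDomains")


# Constructed sample: the kind of cookie a site sets when only the login
# page is HTTPS and everything afterwards is plain HTTP.
WEAK_COOKIE = "sessionid=abc123def456; Path=/"
STRONG_COOKIE = hardened_set_cookie("sessionid", "abc123def456")

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", STRONG_COOKIE)):
        print(f"{label}: {hdr}")
        print("  findings:", audit_session_cookie(hdr) or "none")
        print("  sent over http://? ", would_browser_send(hdr, "http"))
    print("also send:", hsts_header())
```

The `Secure` flag alone is what stops the session ID from appearing in the clear; `HSTS` is the server-side equivalent of the HTTPS Everywhere plugin mentioned above, so visitors who do not have the plugin are protected too.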
What about you? Any ideas? What do you do to be secure when out in public?