There seems to be a general panic and a blogstorm in the user community after the publication of Firesheep, a simple-to-use Firefox extension that you can install in minutes and that can be used to “sidejack” accounts by sniffing for session cookies of popular websites like Google, Facebook etc. on open WiFi.
What’s the big fuss? Everyone has worked hard for many years to ignore the warning message you get when connecting to an open WiFi network: “You are connected to an open network and your information may be visible to others…” or similar. The new thing is probably that Toorcon now has shown that even my grandmother can hijack someone’s account – the threat cannot be ignored anymore. So, if you absolutely need to be on an open, uncontrolled WiFi, get your SSL or VPN solution working. I guess WPA/WEP gives you some protection if you can rely on only “the good guys” having the key ;-).
The discussion whether Firesheep is illegal is of course ridiculous – I think that by openly publishing the software to anyone, Toorcon does us a great service in exposing threats that were always there. However, I think that there could be people out there prepared to do nasty stuff with this tool…
Some Swedish blogs on how to protect your sessions on open WiFi
I read the Wireless Communications Security (Hideki Imai) book, and I felt safe because of the complex algorithms used to make the wireless network secure, but tools like Firesheep make my sense of safety vanish at most WiFi spots. I never imagined it would be that easy…
What about activating MAC address control in your access point? Wouldn’t that inhibit the loophole of cracked WPA/WEP codes?
@Björn: Definitely. I guess the main problem was NOT your home AP, where you can have your own WPA encryption, but public networks where you do not have MAC layer control.
A recommendation is to use the “HTTPS Everywhere” plugin for Firefox. Download it in seconds from https://www.eff.org/https-everywhere. The browser will then connect to the encrypted version of the sites, when available. Works nicely with most standard apps like Facebook, Google etc. (although some of the functions may not be available encrypted). If you feel safe and want all functions, you may just disable the plugin temporarily.
Facebook doesn’t support https beyond the login procedure; at the next click you make, it falls back to ordinary http.
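The fallback described in the comment above is exactly where a sidejacker gets the cookie: a session cookie set during the HTTPS login but without the Secure attribute is attached to the very next plain-http request. The following is an added example (not code from the original post): a small Python audit of which cookies a browser would send over http after such a login. Hostnames and cookie values are constructed placeholders.

```python
# Added example: audit Set-Cookie headers to see which cookies a browser
# would still attach to a plain-http request (what an open-WiFi sniffer sees).
from urllib.parse import urlsplit


def parse_set_cookie(header: str, request_host: str) -> dict:
    """Parse one Set-Cookie header value (RFC 6265 subset) into a dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower(), "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True
        elif key == "domain" and val:
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path" and val:
            cookie["path"] = val.strip()
    return cookie


def cookies_sent_to(jar: list, url: str) -> list:
    """Names of cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    sent = []
    for c in jar:
        if host != c["domain"] and not host.endswith("." + c["domain"]):
            continue  # domain does not match
        if not (u.path or "/").startswith(c["path"]):
            continue  # path does not match
        if c["secure"] and u.scheme != "https":
            continue  # Secure cookies are never sent over plain http
        sent.append(c["name"])
    return sent


# Constructed headers: an HTTPS login sets a session cookie WITHOUT the
# Secure flag and a second cookie WITH it. example.com is a placeholder.
SET_COOKIE_HEADERS = [
    "sess=abc123; Domain=.example.com; Path=/; HttpOnly",
    "csrf=tok42; Domain=.example.com; Path=/; Secure; HttpOnly",
]
JAR = [parse_set_cookie(h, "www.example.com") for h in SET_COOKIE_HEADERS]

if __name__ == "__main__":
    # Only "sess" leaks when the site falls back to http after login.
    print("sent over http:", cookies_sent_to(JAR, "http://www.example.com/home"))
```

Running the audit against a site's real login response shows in one line whether the session cookie would survive a fallback to http, which is the property HTTPS Everywhere cannot fix on the site's behalf.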
Btw, for us Chrome users I recommend KB SSL Enforcer https://chrome.google.com/extensions/detail/flcpelgcagfhfoegekianiofphddckof
My Firefox seems to keep the https connection to FB at all times – the chat and “logged in friends” disappear in this mode, though.