Beware the Firesheep

It’s even more dangerous if you’re not making secured connections to the websites themselves. Sites that use a secure, encrypted connection have https in their Web address – rather than just http – and show a lock icon in most browsers.

In the past, you could take some comfort in the fact that it requires some skill to launch one of these attacks. Most people are honest, and even more people are clueless as to the hackery needed to access someone else’s online accounts.

From the San Francisco Gate article: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Firesheep changes all that. It’s a Firefox extension that makes it ridiculously easy to log into certain sites as another user. It’s as simple as this:

1. Launch the Firesheep extension in a Firefox sidebar.
2. Click the Start Capture button.
3. See who’s connected to which sites.
4. Double click on one of those connections.
5. You’re logged in as someone else on that site.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website, a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access.

Read the rest of the article at the link: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Find suggestions for use at:
Firesheep, A Day Later
or the forum at:
Firesheep | Google Groups

Other links:
http://brakertech.com/firesheep-wifi-hacking-facebook-twitter-google-flickr/
http://github.com/codebutler/firesheep/downloads
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html 

[Addendum] At this moment, it seems that Firesheep is unavailable for download. The author seems to have made his point though. Free, open access WiFi hotspots are bait shops for predators. 

There are tools to help prevent this type of invasion. Large corporations will have a VPN that routes all of a laptop's traffic through an encrypted tunnel to the corporate servers, established as soon as the connection comes up and used for everything, so nothing crosses the hotspot in the clear. Individual, non-corporate users can get the same kind of protection from services like proXPN and simple extensions like Hotspot Shield.

Encrypt the Web with the HTTPS Everywhere Firefox Extension – An EFF and Tor Project
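The server-side counterpart to the browser fixes above is the cookie's Secure attribute: a browser never sends a Secure cookie over plain http://, so there is nothing for a Firesheep-style sniffer to pick up. As an added example (not from the original post or any of the linked articles), this Python snippet audits a set of constructed Set-Cookie headers for session-like cookies that lack the attribute; the name fragments used to guess which cookies carry a session are an assumption.

```python
# Added example: audit Set-Cookie headers for session cookies that a browser
# would still send over plain http://, i.e. in the clear on open Wi-Fi.

# Constructed name fragments used to guess which cookies carry a login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    bare flags such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    """Heuristic: does this cookie name look like it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def exposed_session_cookies(headers):
    """Return names of session-like cookies a browser would send over http://.

    headers is a list of (field-name, field-value) pairs from an HTTP
    response. Without the Secure attribute the browser attaches the cookie
    to every request for the host, plain http:// ones included, which is
    exactly the traffic an open-Wi-Fi sniffer can read.
    """
    exposed = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if is_session_cookie(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample response headers; the cookie values are placeholders.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=CONSTRUCTED_SESSION_VALUE; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=CONSTRUCTED_TOKEN_VALUE; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"),
]

if __name__ == "__main__":
    for name in exposed_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: no Secure attribute, sent in the clear over http://")
```

Running it against the constructed headers reports only `sessionid`; `auth_token` is protected by Secure and `lang` is not a session cookie at all.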