Dangers in Public Browsing


I think that we’ve all heard about the dangers of connecting to open networks.  It’s the stuff that spy stories thrive on.  You’re at your local coffee store doing some internet activity and a bad guy attaches to the same network and steals your identity.  After all, you’re both sharing the same wireless connection.  Futuristic, eh?

Not any more.

If you have the Firefox browser and an appropriate add-on, you can do it yourself.  A great deal has been written about the Firesheep add-on lately.  It’s reportedly a proof-of-concept utility that Mozilla allows to be downloaded and installed to hijack HTTP connections.  Once installed, the curious can monitor the connection for logins and passwords so that they might assume someone else’s account.

In this day and age, I think many of us are quite comfortable with online banking or shopping.  We’ve all been trained to “look for the lock” or whatever the equivalent is for your browser.  That is a visual cue that you have a secure connection with the other end for the purposes of doing these sorts of things.  You may notice that more and more websites are using the same technology for just regular use.  If you head to the Mozilla web presence, it’s all presented securely for you.  So, what’s the issue?

Check out this story.  Watch the CBC report here.

Increasingly, we’re using social networking sites that do require a logon and a password.  The issue becomes one of security.  Is the connection secure, or is your logon/password combination open to anyone who happens to be listening?  An article that I read yesterday from the Digital Report Card provides a nice summary of some popular services like Facebook, Twitter, Gmail, Hotmail, Yahoo! Mail, etc.  The report card is an eye opener and the descriptions about SSL and hijacking are important reads for anyone who wants to go online and use these services.  You need to open the link above and read the article, focussing on your own online habits.

Thankfully, the online services involved are responding.  Here’s a report on Facebook’s concerns.  The claim of over 500,000 downloads is kind of scary, especially if one of the downloaders enjoys the same coffee as I do.

What can you do about it?  FireShepherd (and a tip of the hat to the humour of programmers) is a utility designed to jam Firesheep with random data to make it useless.  But a better solution is to be aware of the type of connection that you’re making with these services.  More and more of them are offering secure options which you should always opt for.  To help the cause, the Electronic Frontier Foundation offers its own solution – an add-on called HTTPS Everywhere which should take the guessing out of the process and force a secure connection when you access the services, thereby protecting your credentials.  There is a startup switch that you can apply to Google Chrome to force HTTPS connections as well.  That’s been around for a while.
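To make "be aware of the type of connection" concrete, here is an added example (not from the original post or from any of the tools it names) that audits a response's headers for the conditions that leave a logged-in session readable on a shared network. The cookie `Secure` attribute and the `Strict-Transport-Security` header are standard HTTP features; the function names, hostnames and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs

def audit_response(url, headers):
    """Return findings that leave a session exposed to others on the same network."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        # Everything on this page, cookies included, crosses the network in the clear.
        findings.append("page served over plain http")
    header_names = [key.lower() for key, _ in headers]
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = cookie_attrs(value)
            if "secure" not in attrs:
                # Without Secure the browser also sends this cookie on http:// requests.
                findings.append(f"cookie {name} lacks Secure")
    if scheme == "https" and "strict-transport-security" not in header_names:
        # Without HSTS the browser may still try http:// first on a later visit.
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample responses (hypothetical hosts, not captured from any real service).
LOGIN_ONLY_HTTPS = ("https://social.example/login", [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
ALWAYS_HTTPS = ("https://mail.example/inbox", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=def456; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, headers in (LOGIN_ONLY_HTTPS, ALWAYS_HTTPS):
        print(url, audit_response(url, headers) or "ok")
```

The first sample models a service that protects only its login page: the lock icon appears at sign-in, yet the session cookie is still sent on any later plain-HTTP request.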

It’s not just in coffee shops that you should be concerned about these things happening.  How about a school network where you invite guests to attach?  Not necessarily related, but this report from London should give some pause for thought.  Can we ensure that everyone who is attaching to the network is playing nice?  How about a hotel with complimentary internet access?  How about a conference centre like you’d find at an ISTE Conference?

Do we take our online sessions seriously enough?
