Dangers in Public Browsing

I think that we’ve all heard about the dangers of connecting to open networks.  It’s the stuff that spy stories thrive on.  You’re at your local coffee store doing some internet activity and a bad guy attaches to the same network and steals your identity.  After all, you’re both sharing the same wireless connection.  Futuristic, eh?

Not any more.

If you have the Firefox browser and an appropriate add-on, you can do it yourself.  A great deal has been written about the Firesheep add-on lately.  It’s reportedly a proof of concept utility that Mozilla allows to be downloaded and installed to hijack http connections.  Once installed, the curious can monitor the connection for logins and passwords so that you might assume someone else’s account.

In this day and age, I think many of us are quite comfortable with online banking or shopping.  We’ve all been trained to “look for the lock” or whatever the equivalent is for your browser.  That is a visual that you have a secure connection with the other end for the purposes of doing these sorts of things.  You may notice that increasingly more websites are using the same technology for just regular use.  If you head to the Mozilla web presence, it’s all presented securely for you.  So, what’s the issue?

Check out this story.  Watch the CBC report here.

Increasingly, we’re using social networking sites that do require a logon and a password.  The issue becomes one of security.  Is the connection secure or is your logon/password combination open to anyone who happens to be listening?  An article that I read yesterday from the Digital Report Card provides a nice summary of some popular services like Facebook, Twitter, Gmail, Hotmail, Yahoo! Mail, etc.  The report card is an eye opener and the descriptions about SSL and hijacking are important reads for anyone who wants to go online and use these services.  You need to open the link above and read the article, focussing on your own online habits.

Thankfully, the online services involved are responding.  Here’s a report on Facebook’s concerns.  The claim of over 500,000 downloads is kind of scary.  Especially, if one of the downloaders enjoys the same coffee as I do.

What can you do about it?  FireShepherd (and a tip of the hat to the humour of programmers) is a utility designed to jam Firesheep with random data to make it useless.  But, a better solution is to be aware of the type of connection that you’re making with these services.  More and more of them are offering secure options which you should always opt for.  To help the cause, the Electronic Frontier Foundation offers its own solution – an add-on called HTTPS Everywhere which should take the guessing out of the process and force a secure connection when you access the services, thereby protecting your credentials.  There is a startup switch that you can apply to Google Chrome to force https connections as well.  That’s been around for a while.

It’s not just in coffee shops that you should be concerned about these things happening.  How about a school network where you invite guests to attach?  Not necessarily related, but this report from London should give some pause for thought.  Can we ensure that everyone who is attaching to the network is playing nice?  How about a hotel with complimentary internet access?  How about a conference centre like you’d find at an ISTE Conference?

Do we take our online sessions seriously enough?

4 Comments

  1. Pingback: Tweets that mention Dangers in Public Browsing « doug – off the record -- Topsy.com

  2. Great and thoughtful post, Doug.

    I think I need to read a lot more about this for several reasons.

    Firstly, I need to ensure my own personal online safety.

    Secondly, I am beginning to examine these issues in light of the case I am trying to make in my new position at the YMCA of Greater Toronto, which like other organizations, keeps their network quite tightly locked up. Yet, I am frequently making the case to ease up and allow some ‘open source’ tools to be installed – like Audacity, etc. – and to allow other social media tools to be used widely.

    Thirdly, it would be nice to know the level of security provided by ISTE’s conference facilities – and indeed ours here in Ontario too!

    And, lastly, our old friend John Perry Barlow has been fighting the good fight for rights in cyberspace for a long time now since he and Mitch Kapor started EFF. Did you know that JP Barlow was a lyricist for the Grateful Dead in earlier times? :-)

    Ok, I’d better go and check out the links you’ve provided!

  3. Thanks for the comment, Peter. I was, in fact, thinking about the upcoming ECOO Conference. The timing is bad as thousands are downloading the Firesheep application to see how it works. Like most things of this ilk, education is the best solution. I think that a lot of people feel secure just because they have to log in with a keycode or something to get access. Since this is a passive application, I don’t see this as being scopable on a network. Further reading indicates that protection will be built into Firefox 4 and you know that other browsers will follow. The question will be how soon. As for the Grateful Dead trivia, I did not know that. But, I do now. Thanks for sharing.
