Hide Your Dirty Laundry With Our Secure Wifi Cheatsheet

Photo: Hanging laundry out to dry, © 2010 Karen and Brad Emerson (via Wylio)
We’ve talked about wireless security before, but thanks to a little Firefox extension called Firesheep, the dangers of using public wifi are finally getting the attention they deserve.  The technology in Firesheep isn’t anything new — in fact, black hat hackers have had the ability to do this sort of thing for years.  But Firesheep’s convenient packaging makes it dead-simple for pretty much anyone on the same unsecured wireless network as you to sidejack your Facebook session or worse.  As a result, awareness of this threat is reaching a crescendo and prompting big name web sites to finally adopt full SSL encryption.  Check out this list to see which common sites are vulnerable to Firesheep attacks (as of 11/1/10).

If you’re not a network security geek, you might be wondering how to know if you’re vulnerable — and what to do about it.  Here’s the lay of the land.

How to Protect Yourself On Unsecured Wifi

If you didn’t have to enter a password to connect, this is the type of network you’re on.  Most data that passes through your browser — email, web sites, and social networks — can be intercepted by anyone in the vicinity.

  • Option #1: Use a VPN.  This won’t be for everyone — just power users.  Using a VPN will reroute all of your internet traffic through an encrypted tunnel to a server somewhere else, before it gets blasted out to the internet-at-large.  It’s not end-to-end encryption, but it will protect you against any nearby hackers and ISP snooping.
  • Option #2: Only use sites that are fully SSL encrypted.  The little lock icon at the top of your browser is an indicator that the site is using SSL.  This means that everything you do on this site is fully encrypted from the moment it leaves your browser to the moment it reaches their servers.  Many sites now have optional SSL versions that you can access by adding an “s” to the http in the address bar.  The Firefox extension HTTPS Everywhere maintains a library of sites that support this and will automatically switch you over to the secure version of a site if one exists.
  • Option #3: Detect Firesheep hackers with Blacksheep.  This extension, created by Zscaler Research, will alert you when someone has sidejacked your session.  Note that this provides no preventative protection, just notification after the fact.
  • Option #4: Bring Your Own Internet.  Many smartphones now support wifi tethering, which provides a secure and private alternative to public wifi.  Portable hotspots like the Verizon or Sprint Mifi are also nice, but require you to pay an additional monthly fee to your carrier.

What About Password-Protected Networks?

Don’t let passwords lull you into a false sense of security.  At public hotspots, even password-protected ones, unless you’re on a web site that uses full SSL encryption, hackers connected to the network can still intercept your traffic using more advanced techniques like ARP poisoning, which reroutes all your traffic to their machine before it gets broadcast out to the internet.
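One way to check for the ARP poisoning described above is to look at your own machine's ARP table for a gateway entry that shares a hardware address with another host or no longer matches a known-good value. The sketch below is an added example, not part of the original post; it assumes Linux/macOS `arp -a` output, and the function names, sample rows, gateway IP and baseline MAC are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux/macOS `arp -a` rows, e.g. "? (10.0.0.1) at 0:1a:2b:3c:4d:5e on en0"
ARP_ROW = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>[0-9A-Fa-f:]{11,17})")

def normalize_mac(mac):
    """Lower-case and zero-pad octets (macOS prints 8:0:27 for 08:00:27)."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries; '(incomplete)' rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.search(line)
        if m and m.group("mac").count(":") == 5:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def find_arp_anomalies(table, gateway_ip, baseline_gateway_mac=None):
    """Flag a gateway MAC that differs from the baseline, and MACs shared by several IPs."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"gateway {gateway_ip} has no ARP entry")
    elif baseline_gateway_mac and gw_mac != normalize_mac(baseline_gateway_mac):
        findings.append(f"gateway {gateway_ip} is at {gw_mac}, differs from baseline")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff":  # ignore broadcast rows
            note = " (includes gateway)" if gateway_ip in ips else ""
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}{note}")
    return findings

# Constructed sample: the gateway entry carries the same MAC as host .42.
SAMPLE = """\
? (192.168.1.1) at 3c:22:fb:10:20:30 on en0 ifscope [ethernet]
? (192.168.1.42) at 3c:22:fb:10:20:30 on en0 ifscope [ethernet]
? (192.168.1.50) at 8:0:27:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE), "192.168.1.1",
                                      baseline_gateway_mac="00:1a:2b:3c:4d:5e"):
        print("WARNING:", finding)
```

A shared MAC is a reason to investigate rather than proof of an attack, since some routers legitimately answer for several addresses.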

At home, you’re pretty much safe — that is, assuming your wireless network is using WPA encryption, not WEP.  Using a simple hack, your WEP password can be compromised in less than 60 seconds — giving the hacker carte blanche to snoop on your network.  WPA is much more secure — and as long as your password is unique enough not to be vulnerable to a dictionary attack, it is for all intents and purposes uncrackable.

Want to learn more?  Check out episodes 272 and 273 of Steve Gibson’s Security Now podcast.