How to guard yourself and your Mac from Firesheep and Wi-Fi snooping
The prevalence of free/cheap and open Wi-Fi networks in coffee shops, airports, offices and hotels is a great boon to the traveling Mac or iPad user; it makes connectivity and remote work much easier than it used to be.
Unfortunately, since most of those networks don't employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that's transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.
Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you login to a website (usually in a secure fashion, via HTTPS) and then the site redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be 'sniffed' by a nogoodnik on the same network segment; that's what Firesheep does automatically. With the cookie in hand, it's simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites.
That process is known as "HTTP session hijacking" (informally, "sidejacking") and has been a known problem for several years, but many sites have not changed to protect their users. Firesheep has made this process of sidejacking very easy, and a reported 104,000+ people have downloaded it. It is important to realize that the security problem exists for users of all browsers. Firesheep is available only for Firefox, but that's just the exploit side; it will gladly harvest cookies from Safari, Chrome, IE or anything else. Unfortunately, you've got to assume that any unencrypted site you go to while on an open Wi-Fi network is susceptible to compromise by this attack.
Read on for some suggested ways to combat this security challenge.
Photo by adactio | flickr cc
The solution -- if your site supports it -- is quite simple: after you connect, the site should keep your session secure using SSL or https. Some sites, including most banking sites, already do this. However, encryption requires more overhead and more server muscle, so many sites (Facebook, Twitter, etc.) only use it for the actual login. Gmail has an option to require https and has made it the default setting, but you should make sure that it's enabled if you use Gmail (Google Apps has a similar feature). This also doesn't necessarily help if you're using an embedded browser in an iPhone or iPad app, where the URL is hard-coded.
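As an added example, not code from the article or from the Firesheep project, here is what "keeping the session secure" looks like on the site side: the login cookie is issued with the Secure attribute, so the browser never attaches it to a plain http:// request, and a small model of that browser rule shows which requests in a constructed post-login session would still hand the cookie to a sniffer on the open network. The domain and URLs are placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def build_session_cookie(session_id, secure):
    """Set-Cookie value a site emits after a successful login.
    secure=False mirrors the sites the article describes: the cookie
    is then sent with every later plain-http request and can be sniffed."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True   # keep page scripts away from it
    if secure:
        jar["sid"]["secure"] = True  # browser sends it over https only
    return jar.output(header="").strip()

def browser_sends_cookie(set_cookie_value, request_url):
    """Browser rule: a cookie marked Secure never travels on http://."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    is_secure_cookie = bool(jar["sid"]["secure"])
    scheme = urlsplit(request_url).scheme
    return scheme == "https" or not is_secure_cookie

def cleartext_cookie_leaks(set_cookie_value, request_urls):
    """URLs of requests where a passive sniffer on the same open Wi-Fi
    would see the session cookie: plain http with the cookie attached."""
    return [
        url for url in request_urls
        if urlsplit(url).scheme == "http"
        and browser_sends_cookie(set_cookie_value, url)
    ]

# Constructed browsing session: https login, then the redirect to plain
# http pages that the article describes (example.com is a placeholder).
SESSION_AFTER_LOGIN = [
    "https://www.example.com/login",
    "http://www.example.com/home",
    "http://www.example.com/messages",
    "https://www.example.com/settings",
]

if __name__ == "__main__":
    for secure in (False, True):
        header = build_session_cookie("constructed-session-id", secure)
        leaks = cleartext_cookie_leaks(header, SESSION_AFTER_LOGIN)
        print(f"Set-Cookie: {header}")
        print(f"  cookie visible to a sniffer on: {leaks or 'nothing'}")
```

With the Secure attribute the two http:// pages still load, but the cookie stays out of the clear; without it, both of them expose the session exactly as Firesheep expects.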
Protecting yourself from Firesheep if you use Firefox or Chrome is possible with extensions like the EFF's HTTPS Everywhere, Secure Sites or Force-TLS. These work by forcing a redirect to the secure version of a site, if it exists. The obvious problems with these solutions are: a) you have to install one for each browser (and we have not yet found one for Safari), and b) it only works if a secure version of the site exists.
If you want to protect yourself more completely, you have a few options.
A) Don't use open networks. This is the easiest option, but also the least convenient or practical in some circumstances. What happens if you "need" to get online and an open network is your only option? [You can also suggest to your network provider that they implement WPA security. If they complain that users won't know the network password, tell them they can include the WLAN password in the name of the network, which keeps it effectively 'open' yet encrypts the connections to block this vulnerability. –Ed.]
B) Use a SOCKS proxy and SSH tunnel. By redirecting your web traffic over a secure encrypted connection to another computer, you can lock down all your browsing and work worry-free. If you know your way around the command line, you can do this for free. If you're looking for an easy solution, though, I recommend Meerkat (which we have mentioned before). The developer has a page devoted to protecting yourself from Firesheep.
Setting up Meerkat will take some initial time and effort (and it assumes that you have access to a shell account somewhere, perhaps via your web hosting company; you can also use your home Mac if you turn on Remote Login in the Sharing preference pane). After that, it works very well and, once set up, will protect all of your browsers. For $20 it will make the process much easier, especially if you aren't familiar with SOCKS and SSH tunnels. The developer is also very responsive to questions.
For $25, you can use Slink, which connects you directly to your home machine for access to your data and services. Adding in a Firefox plugin will automatically load your proxy settings for safe and secure browsing. The same approach works with ShareTool, also $25 for a pair of licenses.
C) Use a VPN. This is the easiest solution of all, as well as the most thorough. It will not only encrypt your web browser traffic, it will encrypt all of your Internet traffic (including IMs, email, etc) at least from your computer all the way out to the web. I used Witopia some time ago with both my MacBook and my iPhone. It was very easy to configure and use. For $40/year you can use their "personalVPN – PPTP" service, which will work for both iOS devices and Macs. Their products page describes some important differences between some of their offerings. Their $70/year "personalVPN – SSL/PPTP Combo" is worth a look if you have the budget for it, but the $40/year version will probably suit most people's needs. Of course, if your employer or school offers a VPN client for your use, that will do the job as well.
Although my name is the only one on the byline, TUAW editor Mike Rose also contributed to this article, including several significant additions. He's a goodnik. - TjL
Source: http://codebutler.com/firesheep
I'll try it. Hopefully it's helpful in future. Thanks for sharing.
January 24 2011 at 6:55 AM
PPTP VPNs are trash and can be done with WinXP Pro for free, assuming you know how to configure your router for port forwarding and check a few boxes within Windows Firewall.
For applications where security is a concern, use an SSL-based VPN solution. There exist a few (at least) open source solutions as well as commercial solutions.
By the way, WEP is also trash and should NOT be used by anyone that expects a reasonably secure wireless experience. In terms of WPA, use WPA2 and salt that hash.
When I purchased a dedicated server from http://www.bluemilecloud.com/hosting/dedicated-servers/ I made sure I had the option to use VPN and 128-bit encryption. Hopefully that should stop shenanigans like this one.
Here's a coupon code for 10% off Witopia. Found it on the internet and worked for me on the personal VPN service.
10% off subscription: shxpt
If you're using OS X open your terminal, and enter the following command.
ssh -fND localhost:8080 username@host
So, this is basically the SSH tunnel option that was mentioned above.
Keep in mind that you need somewhere to direct your tunnel, such as a dedicated server, VPS, whateva.
If your dedicated server is not using port 22 (the default SSH port) then you will enter this.
ssh -fND localhost:8080 -p 8888 username@host
Where it now says 8888, that is the port you use for SSH on your server.
Then go to your network settings, and enable SOCKS proxy on 127.0.0.1 - Port - 8080
Good to go.
Hi,
I like Witopia too. They have a really good price for VPN services and it really is easy to setup.
If you are looking for faster speeds during peak usage hours, it may be in your interest to try a provider who has metered bandwidth as download speeds will definitely increase.
I like http://www.privateinternetaccess.com/ because it's extremely fast and easy to use as well, but it is slightly more expensive.
I just wanted to second Witopia - a fantastic service, and great support. Highly recommended.
October 27 2010 at 6:57 AM
ShareTool is definitely a must have and the road-king warrior of all these utilities. Easy to use and unbelievable support.
October 26 2010 at 8:48 PM
"Nogoodnik" is used in the musical "Guys & Dolls," which premiered on Broadway in 1950. That's the earliest appearance of the word that I'm personally aware of, but it seems that the word actually dates back to the 1800s.
October 26 2010 at 5:30 PM
How would WPA protect someone from sidejacking? Encrypting the bits from your laptop to the access point doesn't encrypt them on the LAN, or am I missing something?
October 26 2010 at 1:38 PM
I think that's more for your home network. If you're using WPA on your home network, then you (theoretically) should be able to trust the other people on the network.
October 26 2010 at 3:07 PM
Firesheep only works on open, unprotected networks. Turning on WPA prevents this particular tool from working.
There are other tools that address sidejacking of protected networks, although I believe they may not work on WPA2. However they aren't this point-and-click simple.
http://blog.washingtonpost.com/securityfix/2007/08/new_tool_automates_webmail_acc.html