First and foremost, why should you care about computer security? If you never download
dubious software or give away your password, you should be safe, right? Imagine this scenario:
You’re sitting in your favourite coffee shop, sipping a latte and checking Facebook on the
complementary WiFi. All of a sudden, you see a post from you has appeared on your friend’s
wall, with a link to a scam site. What happened? Looks like you just got Firesheeped_.
How could such a thing happen when nobody but you knows your password? It has to do
with the methods your browser uses to communicate with websites. We’re all familiar with
the website address prefixes, like http://, and the occasional https:// (the later often
accompanied by a broken lock sign and various oft-ignored browser warnings). These are more than just technobabble though: they give you important information about how your information is being transmitted.
If something is being sent via an HTTP connection, then it is being sent essentially “in the clear,” meaning that anyone else on the same network as you will be able to see exactly what you’re sending to the site and what it’s sending back. If all you’re doing is asking Google about the history of French colonialism, then that probably doesn’t matter much. This vulnerability to interception becomes very dangerous, however when “cookies” are introduced to the mix.
Cookies, in this context, are small bits of extra data that your browser exchanges with websites
when connecting, and are often used for storing users sessions. The website sets a cookie in your browser after you successfully login that uniquely identifies your browser as being authenticated as you. The problem here arises because, while your username and password may be sent over a secure connection, your browser needs to send the identifying cookie every time you go to another page_. Therefore, if the connection made to the website after the initial login is using HTTP rather than HTTPS, then the cookie will be sent “in the clear”, meaning that a malicious third party could see the secret identifier in the cookie and use it to pretend to be you.
While this sort of attack has always been possible, it recently became better known thanks in
large part to a Firefox extension called “Firesheep.” This extension makes the processes of
stealing these identifying cookies a trivial, single-click procedure. It shows the user with a list
of all the people on the same network currently logged into Facebook, Twitter, and other similar sites, and allows them to log into the site as that person.
This may seem scary, but there are a couple simple things you can do to protect yourself from
such attacks. Also keep in mind that the attacker still doesn’t know your password — the point of this attack is that they sidestep the whole authentication process, essentially stealing the “badge” that identifies you as having already logged in.
Be careful where you connect: The simplest solution, of course, is to just never go on
untrusted networks (such as those in coffeeshops, airports, etc — essentially, any place where
you don’t trust everyone on the network). This will work, but imposes a pretty high degree of
inconvenience.
Always use HTTPS: Partially in response to the recent popularity of this sort of attack,
both Facebook and Twitter have added settings that allow you to declare that you only want to
receive data from the site via secure HTTPS connections. While this does address the problem,
it obviously only works for sites that give you the option.
Always use HTTPS II: If you use Firefox, you can install the “HTTPS Everywhere”
extension, which forces HTTPS connections to sites wherever it can.
Use a VPN: A VPN, or “Virtual Private Network” is essentially a way of making any
network you’re on a trusted network that only you have access to, by routing all your Internet
traffic through a secure connection to a trusted server that then forwards the requests on your
behalf. This is by far the safest way, but will cost you some money.
If you’re interested in learning more about this sort of thing, Bruce Schnier’s blog is an excellent resource: He discusses security in general and computer security in particular in a very clear and useful fashion.
