The Dangers Of Open WiFi And How To Avoid Them

November 06, 2010  |  Category: Security   |  Author: Gildas 


When you use free WiFi without a password (you find the network and just connect without being asked for a password), such as in coffee shops and other public places, there are a few dangers that are good to be aware of.

If you are not on a secure website, anyone else with a bit of computer knowledge can see what you are looking at.

When I say secure website, I mean one that uses https:// at the start. Banks use this all the time, Gmail uses this, and when you're checking out and entering your credit card details you should always see this. This means you have an encrypted SSL connection, which cannot be read by anyone else.

Shows Https Connection

There is currently a problem: many sites, such as Facebook, Hotmail (which now has an option to force https), Twitter and most other social networking sites, use https:// when you log in, then go back to http:// afterwards.

Http non secure connection

This means that everything you do, all the pictures you look at or upload, the details you write, etc. are in the air for anyone with some computer knowledge to look at. They could also log in as you to your Facebook account.

When I say computer knowledge, this was true up to last week; now things have changed.

Last week some security researchers released a Firefox plugin called Firesheep, which is free to download (just Google ‘Firesheep’).

This plugin makes it very easy to log in to other people's accounts through an exploit known as sidejacking.

Sidejacking works in this way:

When you connect to Facebook, for example, you put in your username and password and Facebook issues you with a session cookie (a cookie is a small file stored on your computer).

That cookie being on your computer tells Facebook who you are and that you logged in and authenticated.

The trouble is that if you use a non-secure http:// connection, that cookie goes through the network unencrypted, so anyone else on that open WiFi can see it and copy it.

Once they have a copy of that cookie on their computer, they can do all the things that you can do on your Facebook account: change your pictures, update your status or change your privacy settings.
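To make the cookie exposure concrete, here is an added example (not part of the original post) that models which cookies a browser attaches to an http:// versus an https:// request after an HTTPS login. The cookie names and values and the example.test host are constructed for illustration, and only the standard Secure cookie attribute is modelled.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an HTTPS login page.
# Cookie names and values are made up for illustration.
LOGIN_RESPONSE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",          # no Secure flag
    "auth_token=def456; Path=/; Secure; HttpOnly",  # Secure flag set
    "lang=en; Path=/",                              # harmless preference
]

def parse_set_cookie(headers):
    """Return {name: {"value": str, "secure": bool}} from Set-Cookie lines."""
    jar = {}
    for line in headers:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            jar[name] = {"value": morsel.value, "secure": bool(morsel["secure"])}
    return jar

def cookies_sent(jar, url):
    """Names of cookies a browser attaches to a request for `url`.

    Simplified model: only the Secure attribute is applied (domain, path
    and expiry matching are left out).
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(n for n, c in jar.items() if is_https or not c["secure"])

def exposed_on_open_wifi(jar, url, sensitive=("session_id", "auth_token")):
    """Sensitive cookies that would cross the network unencrypted for `url`."""
    if urlsplit(url).scheme == "https":
        return []  # the whole request, cookies included, is encrypted
    return [n for n in cookies_sent(jar, url) if n in sensitive]

if __name__ == "__main__":
    jar = parse_set_cookie(LOGIN_RESPONSE_HEADERS)
    for url in ("https://example.test/home", "http://example.test/home"):
        print(url, "->", exposed_on_open_wifi(jar, url) or "nothing exposed")
```

A session cookie issued without the Secure attribute is sent on the later http:// request even though the login itself used https://, which is the situation described above.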

Firesheep does this sidejacking automatically.

The screenshot below (courtesy of the Firesheep author) shows what it looks like and how easy it is to use: just clicking on the profile picture logs you in to the Facebook page or Twitter account.

Firesheep Firefox Plugin Screenshot


How to protect yourself

1. The Electronic Frontier Foundation (an internet privacy advocate) has released a plugin for Firefox called HTTPS Everywhere. This does as it says on the tin and enforces (where possible) https connections.

2. Another method is to use a VPN, which encrypts all your connections.

If you currently run an open WiFi network

If you have a coffee shop and run an open or WEP-encrypted WiFi network (WEP is not safe either), and you want to keep it open, my advice would be to change the encryption settings to WPA and make the password the same as the network name.

This would protect the users from this type of vulnerability, as WPA stops this from happening.

Another good suggestion I heard was to make the SSID (network name) "The Password is Watershed"; then nobody would need to ask what the password is.

And just to be clear, this applies to open WiFi networks and WEP-encrypted networks.

Hope this helps,

Kind regards

Gildas Jones – www.dialageek.co.uk Computer Support for Bristol Call 0800 955 78 78

Apple Mac or PC, we come to your business or home and make your computers work.








