Saturday, 30 October 2010

Internet Insecurity

Sample of FiresheepThis week announced a new precedent in Internet insecurity with the release of a Firefox extension, FireSheep (pictured in action above), that allows its users to access private Twitter, Facebook and other accounts when these are used over unencrypted wifi networks. This extension has been downloaded hundreds of thousands of times already, so in effect whenever you’re surfing the Internet over an unencrypted network – and most McDonalds and their likes are this way – you’re in danger.
FireSheep works by “borrowing” the unencrypted Internet cookies Facebook & Co send you in order to identify who you are. By doing so, FireSheep piggybacks on the fact these Twitters & Co have been too lenient in their own observation of encryption policies: while their login process is encrypted, the stuff that follows is usually unencrypted.
There are several things you can do about this threat to help maintain your privacy, and I suggest immediate action:
  1. If your own wifi networks are unencrypted, stop being lazy and change the setting on your wifi router to enable encryption. It’s amazing how many people do not bother with that.
  2. There are plenty of websites offering encrypted connections. That is, you access them and then access the rest of the web through them. I, however, would recommend simply using free VPN services such as Hotspot Shield (discussed here), which mean anything between your computer and Hotspot Shield’s servers in the USA is encrypted and therefore inaccessible to nearby snoopers. The Hotspot shield is available as an easy download and install application for Windows and Macs here, or as an even simpler setting update for iPhones here.
    If you’re using Linux, the way I do, then VPN is a problem. The otherwise excellent Ubuntu Forums contain many stories of anguish with regards to the use of VPN, so I would suggest implementing the next option instead of banging your head against the wall with attempts at VPN.
  3. When accessing the Internet over an unencrypted network, use Firefox as your Internet browser. I have a bit of a problem saying so myself, as I have been finding the Google Chrome browser to provide a much smoother and faster browsing experience than the now too heavy for its own good Firefox, but Firefox does have an advantage through its open source nature.
    What you need to do with Firefox in order to give snoopers a kick where they deserve is install either or both of the following extensions: HTTPS Everywhere and/or Force TLS.
    What the former does is ensure that all your communications with select websites such as Facebook and Twitter are always encrypted, therefore dealing with these websites’ inherent and problematic laziness to do so themselves. HTTPS Everywhere works with a specific list of popular websites, including the likes of Google searches, Facebook, Twitter and bit.ly.
    Force TLS does the same but only for websites you specifically list. This means that you can’t take security for granted until you list the website through Force TLS’ setup menu, but it also means you can add websites that are not in HTTPS Everywhere’s list to your private list. For most people, though, HTTPS Everywhere should be enough.
Needless to say, you can combine your solutions for some extra security. That is, use a VPN connection and browse with an HTTPS Everywhere enabled Firefox browser.
The bottom line, though, is that one needs to recognize one simple fact when dealing with the Internet: Everything you do on the Internet goes out to the whole big world by virtue of the fact you’re transmitting your stuff. Be careful and be calculated with what you’re doing there. Even if you think you know it all, staying on top of things when it comes to Internet security is a full time job, so tread carefully.

P.S. It almost goes without saying that by implementing methods 2 & 3 you would also bypass the Internet filter currently proposed by the Australian government.

No comments: