How to protect against Firesheep attacks
Security experts today suggested ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users' access to Facebook, Twitter and other popular services. (See Secure Florida's post about Firesheep.)
One way users can protect themselves against rogue Firesheep users, experts say, is to avoid public Wi-Fi networks unless they are encrypted and available only with a password. Another possibility is to perform only low-risk activities on open public Wi-Fi, such as reading the news or searching for a local eatery. However, some would argue that these approaches toss out the baby with the bathwater.
The best defense, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos, is to use a VPN (virtual private network) when connecting to public Wi-Fi networks at an airport or coffee shop, for example.
A VPN encrypts all traffic between a computer -- a laptop at the airport gate, for instance -- and the Internet in general, including the sites vulnerable to Firesheep hijacking. "It's as good a solution as there is," Wisniewski said, "and no different, really, than using encrypted Wi-Fi."
Some VPN services are available by subscription for $5 to $10 a month, and there are even some free ones that can be found by searching for "free VPN client."
Other free options include a pair of Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites. One of them, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), works only with a defined list of sites, including Twitter, Facebook, PayPal and Google's search engine. The other, Force-TLS, serves the same purpose as the EFF's extension but lets users specify the sites on which to enforce encryption. Google's Chrome browser offers an extension called KB SSL Enforcer, which automatically detects whether a site supports SSL (TLS) and redirects you to the encrypted version.





