Beware the Firesheep

Albert Wenger

I have long operated an open and unsecured wifi access point at home.  Why?  For anything that really requires security, such as online banking, I am relying on end-to-end encryption via SSL.  That requires being somewhat diligent to make sure your browser actually shows it has a secure connection because otherwise you are potentially subject to a MITM attack where the attacker rewrites secure to unsecure connections.  But end-to-end based on certificates provides much higher security than any of the wireless standards.

I have also not been super worried about someone sniffing my password or doing a replay attack because those still required a bit of setup and I figure that kids in the suburbs were more likely to be on Facebook than spend time hijacking my session.

Firesheep changes that by shrink-wrapping the replay attack in a browser plug-in.  Now it is entirely a question of point and click.  This is an example of where a change in degree becomes a change in type.  The attack is not 10 percent easier or faster, it is now a mass market product.

I will continue to leave my wifi network open at home and will also continue to use open wifi networks while I am on the road, but I will now do so only over a secure proxy.  Thankfully I run several servers in the cloud, so having my own up and running is straightforward.

But there may also be a business opportunity here.  People could start to run secure proxies and charge for them.  This has been attempted in the past but without much success.  The combination of Firesheep and some of the concerns over profiling might be enough.  I say might because historically convenience has trumped security and privacy for consumers.
