If you have a portable device, like an iPhone, iPad, or laptop, you’ve probably used it at a free and open wifi spot. You’ve also probably used it to visit Facebook, Twitter, Evernote, or to read your email. Most of the time, you’ve probably been on non-encrypted pages: pages that don’t use SSL/TLS (they don’t display the traditional “lock” icon in the address bar, and they use “http” instead of “https” in the URL). You probably don’t think about this too much, or if you do, you may think that since the login page was secure, your account is secure, even on open and free wifi. Unfortunately, on most sites the secure login page protects only your password, not the logged-in session that follows it. The reason is pretty simple.
Once you log into a website, like Facebook for example, your web browser stores a piece of information: a unique token (the session cookie). It sends this token along with every page it requests so Facebook knows it’s you. The problem is that when you request another page from Facebook over plain http, the request is not encrypted, and neither is your token. Anyone who copies your token becomes you for that session, without ever learning your username or password. On an open wifi network every plain http request is visible to everyone in range, and there is in fact easy-to-use software called Firesheep built for exactly this purpose: it picks these tokens out of the traffic and hands them to whoever is running it. No hacker credentials required.
There are two solutions:
1. The first is for free wifi spots to require a wifi password (WPA2) to use their networks. This encrypts traffic over the air and stops the simple passive sniffing that tools like Firesheep rely on. It is only a partial fix: anyone who knows the shared password (everyone in the coffee shop) can still decrypt another client’s wireless traffic if they capture that client’s connection handshake, and it does nothing on shared networks that don’t encrypt data at all. But it’s a start.
2. A better solution is for websites like Facebook to encrypt all of their pages, not just the login page. This encrypts your token along with all of the content, so there is nothing readable on the wire for anyone to borrow. To make this airtight the site also has to mark the session cookie as “Secure”, which tells the browser never to send it over a plain http link even if you land on one; otherwise a single http request (a typed http:// address, an old bookmark, a link in an email) leaks the token anyway. Fortunately some websites, including Facebook and Twitter, now provide an option to do this (which of course should just be the default). For Twitter, look for the setting called “Always use HTTPS” (more details here). For Facebook, look for the setting called “Secure Browsing” (more details here). For the sake of privacy, let’s hope this becomes standard practice.
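To make the mechanism concrete, here is an added example (not code from the original post, and not from Firesheep or any site mentioned above) that models both halves of the story: the attacker side, which pulls a session cookie out of a plaintext http request the way a Firesheep-style sniffer does, and the browser side, which decides whether to attach the cookie to a request depending on the scheme and on whether the server marked the cookie “Secure”. The hostname, cookie names and captured request are constructed for illustration and belong to no real site.

```python
"""Added example (not from the original post): how a session cookie leaks over
plain http on an open wifi network, and what the Secure flag plus https-only
pages change.  All traffic, hostnames and cookie names below are constructed
for illustration and do not belong to any real site."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Which cookie carries the session for a given host.  A Firesheep-style tool
# ships a list like this for real sites; this entry is made up.
SESSION_COOKIE_NAMES = {
    "www.example-social.test": ["sessionid"],
}

# A constructed plain-http request, exactly as a sniffer on the same open
# wifi network would read it: the Cookie header is in the clear.
CAPTURED_HTTP_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "Cookie: sessionid=3f9a1c7e; lang=en\r\n"
    "\r\n"
)

# Two ways the server could have issued that cookie at login.  Only the
# second one tells the browser never to send it over plain http.
WEAK_SET_COOKIE = "sessionid=3f9a1c7e; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "sessionid=3f9a1c7e; Path=/; HttpOnly; Secure"


def harvest_session(raw_request: str) -> dict:
    """Attacker side: pull the session cookie out of a plaintext request.

    No username or password is involved; the token alone is the session.
    """
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    wanted = SESSION_COOKIE_NAMES.get(headers.get("host", ""), [])
    return {name: jar[name].value for name in wanted if name in jar}


def parse_set_cookie(header_value: str) -> dict:
    """Browser side: remember the cookie and whether it was marked Secure."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return {"name": name, "value": morsel.value, "secure": bool(morsel["secure"])}


def browser_sends_cookie(cookie: dict, url: str) -> bool:
    """The browser rule that matters here: a Secure cookie goes only over https."""
    return urlsplit(url).scheme == "https" or not cookie["secure"]


def build_request(cookie: dict, url: str) -> str:
    """Browser side: the request for a page, with the cookie attached if allowed."""
    parts = urlsplit(url)
    request = f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {parts.hostname}\r\n"
    if browser_sends_cookie(cookie, url):
        request += f"Cookie: {cookie['name']}={cookie['value']}\r\n"
    return request + "\r\n"


def what_attacker_sees(set_cookie_header: str, url: str) -> dict:
    """Whole loop: server sets the cookie, browser fetches url, sniffer watches.

    An https request is encrypted end to end, so the sniffer gets nothing
    from it; a plain http request is readable, and the cookie leaks unless
    the browser withheld it because of the Secure flag.
    """
    cookie = parse_set_cookie(set_cookie_header)
    if urlsplit(url).scheme == "https":
        return {}
    return harvest_session(build_request(cookie, url))


if __name__ == "__main__":
    page = "http://www.example-social.test/home.php"
    print("weak cookie, http page:    ", what_attacker_sees(WEAK_SET_COOKIE, page))
    print("hardened cookie, http page:", what_attacker_sees(HARDENED_SET_COOKIE, page))
    print("weak cookie, https page:   ",
          what_attacker_sees(WEAK_SET_COOKIE, page.replace("http://", "https://")))
```

Run it and the first line shows the token in the attacker’s hands, the other two show nothing. Note what the hardened case does not fix: the http page itself still crosses the network in the clear, and the user looks logged out on it because the browser withheld the cookie. That is why the two measures go together: serve every page over https so the cookie is never tempted onto a plain link, and set the Secure flag so that a stray http request cannot leak it even so.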
There’s also a Firefox extension called BlackSheep which will tell you if someone is using Firesheep on your network (while also making it harder for them to do so), and extensions that force your browser to use https wherever a site supports it.