PSA: Do NOT Surf Non-End-To-End HTTPS Sites While On a Public Wi-Fi Network

I'm about to share a not-so-well-known issue with public Wi-Fi networks.  Essentially, many websites we know & love—when logged into while you're on a public Wi-Fi network—do not adequately protect your session information.

What's the problem?

In non-geek-speak (and by way of example):

If you are joined to a public Wi-Fi network…

   …and you log into Facebook (for example)

      …and someone nefarious on the same Wi-Fi network is "listening" to the traffic

         …then said nefarious person can easily log in as you and take over your session.

Let's look at this from the "attacker's perspective":

I, the "attacker," load a simple (free) plug-in for my Firefox browser called Firesheep, available here:

I then, in Firefox, go to View > Sidebar > Firesheep.  I then click the "Start Capturing" button and just wait…

On a busy public Wi-Fi network, within a matter of 5-10 minutes, I can see a list of all of the logins that I could "hijack" (image has been obscured to preserve anonymity):

So, that's 9 Google accounts, 5 Facebook accounts, 1 Amazon account, and 1 Yahoo account that I can then "take over," simply by double-clicking on the account I'm interested in.

Let's see what pops up on my screen when I double-click on one of these accounts (image has again been obscured to preserve anonymity):

Now, obviously, you can imagine how this session hijack could be a problem.  Use your imagination… will the "attacker" put up:

> Embarrassing photos?

> A derogatory wall post?

> A link to malware or a virus?

…and that's just for Facebook.  What if someone hijacked your Amazon account and sent you boxes upon boxes of random doodads and geegaws?

The problem (technically speaking) is when a website uses HTTPS only for the initial login.

In other words, your username and password are still encrypted to and from Facebook (for example), but all subsequent communications travel over plain, unencrypted HTTP.  With every one of those HTTP requests, your browser sends along the "session cookie"—a bit of data that tells Facebook that you are who you say you are—and because it is unencrypted, anyone listening on the same Wi-Fi network can read it.  Firesheep simply "captures" that cookie.  Once I (the "attacker") have a copy of the "session cookie," I'm effectively you, and can do anything that you could normally do once you logged in.
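The weakness just described comes down to how the site sets its session cookie and whether it keeps the whole session on HTTPS.  As an added example (not from the original post), here is a small Python audit that reads a captured set of response headers and flags a session-looking cookie that lacks the `Secure` attribute (which would stop the browser from ever sending it over plain HTTP), lacks `HttpOnly`, or comes from a site that sends no `Strict-Transport-Security` header.  The sample responses are constructed; the cookie name hints are an assumption, not a complete list.

```python
"""Audit HTTP response headers for the "HTTPS only at login" session weakness.

Added example, not code from the original post.  The sample responses below
are constructed for illustration; no real site's headers were captured.
"""
from http.cookies import SimpleCookie
from typing import List, Tuple

# Cookie names that commonly carry a login session (assumed, not exhaustive).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response header block into (name, value) pairs,
    skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    headers = parse_headers(raw)

    # Without HSTS the browser will happily follow the site back to HTTP.
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: browser may fall back to HTTP")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        for key, morsel in cookie.items():
            if not any(hint in key.lower() for hint in SESSION_NAME_HINTS):
                continue
            # SimpleCookie stores the Secure / HttpOnly flags as True when present.
            if not morsel["secure"]:
                findings.append(f"cookie {key!r} lacks Secure: it will be sent over plain HTTP")
            if not morsel["httponly"]:
                findings.append(f"cookie {key!r} lacks HttpOnly: readable by page scripts")
    return findings


# Constructed sample: the 2010-style "HTTPS for login, HTTP afterwards" site.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=CONSTRUCTED1234; Path=/
"""

# Constructed sample: the same site after marking the cookie Secure and
# HttpOnly and telling browsers to stay on HTTPS.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=CONSTRUCTED1234; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

Run against the weak sample it reports three findings (no HSTS, no `Secure`, no `HttpOnly`); against the hardened sample it reports none.  The `Secure` attribute is the one that directly defeats the cookie capture described above: a browser will not attach a `Secure` cookie to an HTTP request at all, so there is nothing on the wire to copy.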

What's the solution?

In short, don't browse to non-end-to-end HTTPS sites while you're on a public Wi-Fi network.

What does "non-end-to-end HTTPS" mean?

When you log into Facebook for the first time, your login is encrypted; however, past that point, your address bar will show just a normal HTTP connection once you're logged in:

So, at this point, the "attacker" can intercept the "session cookie," and thus your entire Facebook login—and again, the same applies to any site that drops you back into HTTP once you log in.

What should I do if I log in while connected to public Wi-Fi and notice that my session is in HTTP mode and not HTTPS?

Log off the website… and quickly!  Don't just close the browser… actually hit the "Log Off" link in the website itself.  Doing this tells the site to forget the session on its end, so even if the attacker has a copy of the "session cookie" that he/she intercepted, it will no longer be accepted.

Then, don't browse to that site again while you're on a public Wi-Fi network.
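To show why the "Log Off" link matters and closing the browser does not, here is an added example (not code from the original post) of a toy server-side session store in Python.  Closing the browser only throws away the victim's own copy of the cookie; the site still honours any other copy until the victim explicitly logs off and the server drops its record.  All names and credentials are constructed, and the "copied" cookie is just the same string reused locally, standing in for whatever was read off the Wi-Fi.

```python
"""Why "Log Off" invalidates a stolen session cookie but closing the browser does not.

Added example, not code from the original post.  A toy in-memory session
store stands in for a real site's server; every name here is constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """The server's view of who holds which session cookie."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self._users = users                      # username -> (salt, hash)
        self._sessions: Dict[str, str] = {}      # session id -> username

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a fresh, unguessable session id if the credentials check out."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        """Who the server believes is presenting this cookie."""
        if sid is None:
            return None
        return self._sessions.get(sid)

    def logout(self, sid: Optional[str]) -> None:
        """The "Log Off" link: drop the server-side record for this session."""
        if sid is not None:
            self._sessions.pop(sid, None)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk through the three states the post describes; returns who the
    server thinks the copied cookie belongs to at each step."""
    salt = os.urandom(16)
    server = SessionStore({"alice": (salt, hash_password("correct horse", salt))})

    victim_cookie = server.login("alice", "correct horse")
    # Constructed stand-in for the copy obtained off the wire; no network here.
    copied_cookie = victim_cookie

    while_logged_in = server.whoami(copied_cookie)          # "alice"

    # Closing the browser discards only the victim's own copy; the server
    # still has the session, so the copied cookie keeps working.
    after_closing_browser = server.whoami(copied_cookie)    # still "alice"

    # Hitting "Log Off" removes the session server-side, which invalidates
    # every copy of the cookie at once.
    server.logout(victim_cookie)
    after_logoff = server.whoami(copied_cookie)             # None

    return while_logged_in, after_closing_browser, after_logoff


if __name__ == "__main__":
    print(demo())
```

The design point is that a session cookie is only a lookup key; its value lives on the server.  A logout that merely deletes the cookie in the browser (or a browser that is simply closed) leaves that server-side entry alive, which is exactly why the post says to use the site's own "Log Off" link rather than just closing the window.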

Best practices then, Dagan?

Here's a good general rule to follow when you're on a public Wi-Fi network:

Don't do anything on a public Wi-Fi network that you wouldn't want projected onto the side of a building for everyone in the area to see.

Safe surfing :-)
