The recent flap over Firesheep (intentionally unlinked) and its ability to intercept unencrypted cookies has renewed several issues worth discussing.
I’m highly uncomfortable with the tactic used by Firesheep’s creator, i.e. releasing malicious code under the pretense of creating public awareness.
Yeah, I understand that Twitter, Facebook, and all the others would have given him the runaround about this, had they responded at all. After all, the decision to pass unencrypted cookies is an obvious risk taken for a speedier experience. Everyone knows speed is the killer feature.
And sure, I get that real baddies with matching intentions are using this already.
Still, in most cases, all this really does is bounce around Twitter, Digg, Hacker News, Slashdot and the usual outlets, never really accomplishing the stated goal of educating the real public at large. The social media expert crowd picks it up, with good intentions, but without any real impact. Maybe a couple of news outlets pick it up, but with understandably mixed results due to its technical nature.
Most people just aren’t cautious with their online lives. Not because they don’t care, but because it’s too easy to fail.
I don’t really have an alternative, but maybe someone should run with the idea of creating PSAs for this type of technical subject.
The side-jacking technique used by Firesheep is not in any way limited to free wi-fi networks, but from all the coverage, you’d think it was. See my previous point about coverage.
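As an added example (not part of the original post), here is a small Python check a site operator could run over its own Set-Cookie headers to spot the exact weakness side-jacking relies on: a session cookie issued without the Secure attribute, which the browser will then happily send over plain HTTP where anyone on the network can read it. The header strings and the name heuristic below are constructed assumptions, not taken from any real site.

```python
# Audit Set-Cookie headers for session-like cookies that lack "Secure".
# A cookie without Secure is sent over unencrypted HTTP too, which is
# what lets a passive listener on the same network replay it.

# Constructed sample headers (assumption, not captured from a real site).
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",            # exposed: no Secure
    "auth_token=xyz789; Path=/; Secure; HttpOnly",    # fine
    "theme=dark; Path=/",                             # not a session cookie
]

# Name fragments that usually indicate an authentication cookie (assumption).
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header):
    """Return (cookie name, {attribute name -> value}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flags like Secure have no value.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def looks_like_session(name):
    """Heuristic: does the cookie name suggest it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(headers):
    """Return names of session-like cookies missing the Secure attribute."""
    exposed = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if looks_like_session(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie in audit(SAMPLE_HEADERS):
        print(f"WARNING: {cookie} is a session cookie sent without Secure")
```

Pair this with serving the whole site over HTTPS; the Secure flag only stops the cookie leaking onto plain HTTP, it does not make the login itself encrypted.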
There is no good reason anyone should be using free wi-fi, password-protected or otherwise, without VPN. Not one. It’s not worth the risk.
If you carry a smartphone, you should be tethering to it and using WPA encryption on the phone’s wi-fi network. Use WPA, not WEP, which can be cracked in seconds, and set your network to hide the SSID. Yeah, I know these aren’t hack-proof, but they are challenging enough to deter most people who don’t have a grudge against you specifically.
No exceptions to that rule. Pony up the extra dough to your carrier, or root/jailbreak your phone.
But what if you can’t get a dependable 3G signal, need to work and don’t have VPN? Your employer will thank you for not using an exposed network.
There are no Facebook or Twitter emergencies, don’t ask.
Security and the internet
First, refer to this helpful diagram about your privacy and the interwebs, then never share anything online that you think is private.
No, email isn’t truly private, which is why you shouldn’t send credentials or important information through email. If you’re super paranoid, encrypt your email or use a signing authority.
Anyway, bit of a rant. What do you think? Find the comments.