Oneupweb : A Wolf in Sheep’s Clothing

Do you use secure connections when browsing and interacting on social media sites? If you’re like most people, you probably don’t. What I mean by secure is using SSL connections as opposed to just plain ol’ Web browsing. You can tell if you are using a secure connection by the prefix HTTPS://, not HTTP://, in your address bar. Your browser will also display a lock icon as an indication that your connection is a secure one.

The sheep I speak of is a Firefox extension named Firesheep. There are other applications and browser extensions out there to compromise your security, but Firesheep is probably the best known. The developer, Eric Butler, created the extension as a demonstration of how vulnerable most of us are.

So what’s the idea behind this extension? It’s a common practice for social media sites and many others to encrypt your login to their servers, after which your session is maintained by a cookie containing your credentials or access token. Anyone using your token will be recognized as you and will have access to anything to which you have access. This is possible because, after your initial login, your continued browsing is via regular HTTP and that unencrypted cookie is there for the plucking. Firesheep picks up a copy of the cookies it sees and allows the user to pick who they want to be. As far as the server is concerned, it sees John Smith’s cookie, so it assumes that it is talking to John Smith. Firesheep does this by sniffing wireless networks to capture unsecured communications. In theory, the concept would work the same on a wired network, except that it is complicated by the need for physical access and by network switching. Open wireless networks, on the other hand, are available to anyone in range and are commonplace, from city parks and libraries to McDonald’s, etc.
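For site owners, the exposure described above comes down to whether the session cookie carries the `Secure` attribute. The following sketch is an added example, not code from Firesheep or from any site mentioned here; the cookie names and values are constructed, and it ignores domain and path matching to focus on the scheme check.

```python
# Added example: models which cookies a browser attaches to plain-HTTP requests.
# All cookie names and values below are constructed for illustration.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_in_cleartext(set_cookie_headers):
    """Names of cookies that would travel unencrypted on an http:// request."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:  # HttpOnly alone does not stop sniffing
            exposed.append(name)
    return exposed


def cookie_header_for(set_cookie_headers, scheme):
    """Cookie request header a browser would send for the given URL scheme."""
    pairs = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if scheme == "https" or "secure" not in attrs:
            pairs.append(f"{name}={value}")
    return "; ".join(pairs)


# Constructed: response to an HTTPS login where the session cookie lacks Secure.
LOGIN_RESPONSE = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=zz9; Path=/; Secure",
]
# Constructed: the same cookies with the session cookie marked Secure.
HARDENED = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "csrf=zz9; Path=/; Secure",
]

if __name__ == "__main__":
    print("exposed on HTTP:", sent_in_cleartext(LOGIN_RESPONSE))
    print("http request, weak:    ", repr(cookie_header_for(LOGIN_RESPONSE, "http")))
    print("http request, hardened:", repr(cookie_header_for(HARDENED, "http")))
```

With the weak configuration, the session cookie is attached to the first plain-HTTP request after login even though the login itself was encrypted; with `Secure` set, nothing is sent until the connection is HTTPS.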

So how do you protect yourself? Insist on secure connections. Many, unfortunately not all, of the major social sites now allow you to configure secure connections. This should have been available to all Facebook users by the middle of last month. To set Facebook to use HTTPS, open your Account Settings and then the Account Security section. Then make sure the “Browse Facebook on a secure connection (https) whenever possible” check box is selected and save your settings. Search the Help section of your other social media sites to determine the security settings to protect your session.

There are also products like HTTPS Everywhere or Force-TLS, both Firefox extensions that act to force secure connections. Google Chrome now supports HTTPS Everywhere and has its own extension called KB SSL Enforcer. To protect yourself without having to depend on individual site settings, or while using browsers that do not have extensions to enforce secure connections, you can protect all of your browsing traffic by setting up an SSH SOCKS proxy.

Always remember to log out of secured sites when done. Happy browsing!