How to stay safe against session hijacking

Once you’ve seen just how easy it is to do and how vulnerable most people are, you’ll never want to use a public Wi-Fi connection again.

But sometimes you don’t have any option, so what precautions can you take to protect yourself?

Encrypting your web traffic

To protect yourself against session hijacking and similar attacks, the best thing to do is employ a virtual private network, or VPN.

Put simply, here’s how it works. You tell your browser to visit a website. That request is encrypted and sent in encoded form to a server somewhere on the internet. That server decrypts the message and sends it on to the actual requested website.

The site returns a page to the intermediate server which encrypts it and passes it back to your browser, where it’s decrypted and displayed. All of this happens transparently to you, so it looks as if you’re visiting that site directly. The beauty of it is that all data stays encrypted until it’s well away from that vulnerable Wi-Fi link, the only non-encrypted traffic being between your VPN server and the target website itself.

Firesheep: who’s vulnerable?

Users on a completely open Wi-Fi network – one that doesn’t require a password to join – are at the most risk. However, even networks secured using the WEP protocol are just as vulnerable since WEP encryption is almost trivial to crack.
WPA-secured networks are harder for attackers to deal with, as traffic to each user is secured separately, so something such as Firesheep won’t work natively. An attacker would have to decrypt each packet they captured before they could exploit the vulnerability – which for many people is more trouble than it’s worth.
The bottom line is that if you’re using any kind of public Wi-Fi network, you’re potentially at risk. Even if you’re on your corporate Wi-Fi network, do you really trust all your co-workers?

Of course, there are downsides to using a VPN, chief of which is that it introduces somewhat greater latency (the time between request and response) since the traffic has further to travel and encrypting and decrypting takes time too.

However, most people will happily cope with a fraction of a second longer before each web page appears in exchange for dramatically improved security. Another downside is that your VPN server becomes a single point of failure – if it goes down, you won’t be able to visit any websites until you disable the VPN.

Of course, you could set up multiple redundant VPN servers, or else use a cloud service such as Amazon’s EC2 (Elastic Compute Cloud), so you can rapidly spin up another VPN server if one goes down.

Another thing to bear in mind is that your VPN server will be sending and receiving a lot of data, so if you’re paying for bandwidth to and from that server (as you would with EC2), you’d need to be careful that the charges don’t get too steep.

Despite such caveats, a VPN is definitely a good idea for anyone who has to use public Wi-Fi (or even for people who just don’t want their employer to be able to see what they’re doing online during office hours).

Luckily, there’s a great open-source solution known as OpenVPN, and installing and configuring it isn’t too tricky, although it can take a little experimentation to get it right.

Basically, you’ll install the OpenVPN package onto your server (Linux, Mac or Windows machines are supported), then create or copy a configuration file. Obviously, you won’t want just anyone to use your VPN, so you’ll need to set up some kind of authentication – that way, only people with the correct credentials can access it.
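As an added illustration (not from the article and not a configuration shipped by the OpenVPN project), here is the kind of server and client configuration those steps produce, using certificate-based authentication so that only clients holding a certificate signed by your own CA can connect. The hostname vpn.example.com, the 10.8.0.0/24 tunnel network and the file names (ca.crt, server.crt, laptop.crt, ta.key and so on) are assumptions; they follow the naming that Easy-RSA, the PKI helper bundled with OpenVPN, uses by default.

```conf
# ---- server.conf (on the VPN server) ----
# Added example; file names and addresses are assumptions.
port 1194
proto udp
dev tun

# PKI material: the CA that signed both ends, this server's cert and key
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Pre-shared key that encrypts and authenticates the TLS control channel.
# Packets without a valid tag are dropped before any TLS processing, so
# unauthenticated parties cannot even probe the TLS stack.
# Generate once with: openvpn --genkey tls-crypt ta.key
tls-crypt ta.key

# Only accept peers whose certificate was issued as a client certificate,
# and refuse old TLS versions
remote-cert-tls client
tls-version-min 1.2

# Address pool handed to connecting clients (assumed subnet)
server 10.8.0.0 255.255.255.0

# Route all client traffic through the tunnel, so the Wi-Fi link only ever
# carries ciphertext; push a DNS server too so name lookups don't leak.
# 10.8.0.1 assumes a resolver is listening on the server's tunnel address.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

# Data-channel protection
cipher AES-256-GCM
auth SHA256

# Detect dead peers, and drop root privileges after start-up
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- laptop.ovpn (on each client) ----
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
resolv-retry infinite

# This client's own certificate and key, signed by the same CA
ca ca.crt
cert laptop.crt
key laptop.key
tls-crypt ta.key

# Make sure we are talking to a server certificate, not another client's
remote-cert-tls server
tls-version-min 1.2

cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
```

Two things outside OpenVPN itself still have to be in place for the "all traffic through the tunnel" part to work: the server host must forward packets and NAT them on its way out (on Linux, net.ipv4.ip_forward=1 plus a MASQUERADE rule for the tunnel subnet), and whatever firewall sits in front of the server, such as an EC2 security group, must allow inbound UDP 1194. Revoking a lost laptop's certificate and loading the resulting CRL on the server (the crl-verify directive) is how you cut off a single device without re-keying everyone else.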

One great suggestion from security expert Justin Morehouse is to employ Amazon’s free EC2 instance as your VPN server. Basically, Amazon offers one free EC2 Micro instance for a whole year to new users of its EC2 service.

This supplies enough free bandwidth each month for most people to be able to use it as their VPN server without incurring any extra charges. If you follow Justin’s tutorial, the machine image you create requires a disk image that will cost around 50¢ per month to store on Amazon’s disks – see the tutorial here.
