Is That You on Twitter, or Is It an Impersonator?

Posted by Nancy Anderson



Amid all the yelling and shouting about what sites like Facebook and Twitter do to protect subscribers' privacy, it appears one gaping hole has been overlooked: Whether or not your private information is protected on the trip from your computer to Facebook or Twitter.

In many cases, it isn't - and a new plugin for Firefox exploits that fact.

It's called Firesheep, and what it does is eavesdrop on traffic flowing over public Internet connections, such as those in coffee shops and airports, to see who is connected to a site. The plugin then displays names and other information about users logged onto insecure sites. Once a Firesheep user double-clicks on a person's name or photo, the plugin hijacks the session and impersonates that user.

Released on Oct. 24, Firesheep had been downloaded more than 200,000 times in its first two days of release. The potential for mischief arising from this plugin is therefore quite high.

How can you protect yourself from having your identity swiped from under you? The simplest way is to avoid using public, unsecured Internet connections, but in reality, that's not practical for most users. Mobile broadband users may be able to obtain a personal wireless access point called MiFi from their wireless carrier, but it's not cheap - it usually costs $40 to $60 per month for the data plan - and the information you send over it is still not secure once it gets out to the Internet proper.

Another less costly option is to sign up for your own virtual private network connection, or VPN. Several companies offer this service, and rates are reasonable, typically in the range of $5-$10 a month or $50-$70 a year. For most people, this will be all the security they need, as data is secure all the way from the user's computer to the VPN's secure servers. From there to the Internet site, it's not, but chances are low that someone will be sniffing the Internet itself looking for individuals to spoof.

The ultimate solution, however, resides with the owners of the insecure sites. Since most of these already require logins and passwords to use, it should be relatively easy to implement encryption at the site end. Doing so would make user data unsniffable all the way back to the user's computer. Will the folks who run Facebook, Twitter and all those other popular sites do this? That remains to be seen.
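A site owner's check for the site-end fix described above, added here as an example and not part of the original article: it reads a response's headers and reports session cookies that would cross a shared network unencrypted. It assumes the logged-in session is carried in a cookie; the host `example.test`, the cookie names and the header values are constructed samples.

```python
def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(url, headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    findings = []
    https = url.lower().startswith("https://")
    lowered = [(k.lower(), v) for k, v in headers]
    for key, value in lowered:
        if key != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not https:
            # Cookie issued in cleartext: visible to anyone on the same network.
            findings.append(f"{cookie}: set over http")
        elif "secure" not in attrs:
            # Issued over TLS, but the browser will replay it on plain http too.
            findings.append(f"{cookie}: missing Secure attribute")
    if https and not any(k == "strict-transport-security" for k, _ in lowered):
        # Without HSTS a browser may still make its first request over http.
        findings.append("response: no Strict-Transport-Security header")
    return findings


# Constructed sample responses for a hypothetical site.
SAMPLES = [
    ("http://example.test/home",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://example.test/home",
     [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://example.test/home",
     [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
      ("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_response(url, headers) or "ok")
```

Only the third sample, with encryption on every request and a cookie restricted to it, comes back clean.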



By: Sandy Smith


Sandy Smith is an award-winning writer and editor who has spent most of his career in public relations and corporate communications. His work has appeared in The Philadelphia Inquirer, the Philadelphia CityPaper, PGN, and a number of Web sites. Philly-area residents may also recognize him as "MarketStEl" of discussion-board fame. He has been a part of the great reserve army of freelance writers since January 2009 and is actively seeking opportunities wherever they may lie.

