A new Firefox plug-in, Firesheep, makes it very quick and easy to examine and use unencrypted data sent over any open wireless network. This makes it a simple matter for an attacker to access Twitter, Facebook, Amazon, Flickr, some email sites and other non-encrypted websites as if they were the account-holder.
The Firesheep plug-in allows full access to a user's account on any site they log into that does not have "https://" at the beginning of its web address. The "s" in "https://" means the connection to the site is encrypted using a Secure Sockets Layer (SSL) certificate.
While no open wireless network is completely safe, entering usernames and passwords only on https sites will provide a much higher level of security.
If you are on our public wireless network (or any public wireless network) and you type a username and password into a website that uses "http://" instead of "https://" the transactions you conduct on that site and account are vulnerable to theft and fraud.
Please understand this is not a new security risk. What is new is how easily anyone can now access your information with this browser plug-in.
Normal web browsing without entering a username and password is not a risk - the Firesheep plug-in will not record your browsing history or be able to access your computer itself. It only exploits user logins to non-secure (non-https) websites.
A primary write-up for Firesheep can be found here: http://codebutler.com/firesheep
Frequently Asked Questions:
Q: Is the Library wireless network susceptible to Firesheep?
Q: Why? How does this work?
A: Firesheep takes advantage of online service providers who have failed to implement a secure login method. This includes Facebook, Twitter, Amazon, and other services which hand the browser a clear-text "cookie" that identifies the logged-in user and is then sent back to the site unencrypted on every request. Firesheep reads that cookie out of the wireless traffic and uses it to log in as the account holder.
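The FAQ's point is that the session cookie, not just the password, is what gets stolen, and the fix sits with the site operator: serve the login and every later page over https, and mark the session cookie with the Secure attribute so the browser will never send it over plain http. The following Python script is an added example written for this page (it is not Firesheep's code and not the Library's); it parses the Set-Cookie headers a login response hands back and reports which cookies a browser would later transmit in clear text. The host names social.example and forum.example and the cookie values are constructed samples.

```python
# Added example: audit the cookies a site sets after login and report which
# ones a browser would send in clear text over http://, i.e. the ones a
# passive sniffer on an open wireless network could capture and replay.
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into a small dict.

    Deliberately minimal: "name=value" comes first, then ';'-separated
    attributes. Attribute names are matched case-insensitively (RFC 6265).
    """
    first, *attrs = header.split(";")
    name, _, value = first.strip().partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "domain": None}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def cleartext_exposure(login_url: str, set_cookie_headers: list) -> dict:
    """Classify what a login response exposes to a sniffer on an open network.

    Returns {"password_in_clear": bool, "exposed": [...], "protected": [...]}.
      password_in_clear: the login form itself is submitted over http://, so
                         the credentials, not just the cookie, are readable.
      exposed:   cookies without the Secure attribute; the browser attaches
                 them to any later http:// request to the site, so a single
                 unencrypted page view leaks the session.
      protected: cookies with Secure; the browser only sends them over https://.
    HttpOnly is recorded but does not help against sniffing: it stops page
    scripts from reading the cookie, not the network from carrying it in clear.
    """
    scheme = urlsplit(login_url).scheme.lower()
    result = {"password_in_clear": scheme != "https",
              "exposed": [], "protected": []}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        bucket = "protected" if cookie["secure"] else "exposed"
        result[bucket].append(cookie["name"])
    return result


# Constructed samples (hypothetical hosts). WEAK_LOGIN is the pattern the
# FAQ describes: the password goes over https, but the session cookie comes
# back without Secure and is then replayed on ordinary http pages.
WEAK_LOGIN = ("https://social.example/login",
              ["session_id=5c0ffee; Path=/; HttpOnly",
               "locale=en; Path=/"])
HARDENED_LOGIN = ("https://social.example/login",
                  ["session_id=5c0ffee; Path=/; Secure; HttpOnly",
                   "locale=en; Path=/"])
PLAIN_LOGIN = ("http://forum.example/login",
               ["PHPSESSID=abc123; Path=/"])

if __name__ == "__main__":
    for label, (url, headers) in [("weak", WEAK_LOGIN),
                                  ("hardened", HARDENED_LOGIN),
                                  ("plain-http", PLAIN_LOGIN)]:
        print(label, cleartext_exposure(url, headers))
```

Run against a real site, the headers would come from the login response (for example, from the browser's network inspector). A site only counts as safe when both lists are empty of session cookies: the login URL is https and every session cookie carries Secure. The "locale" cookie shows that not every unprotected cookie matters; only the one that identifies the logged-in user gives an attacker the account.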
Q: What kinds of things could an unauthorized party do with my account information?
A: That will depend upon the account in question. Most financial institutions will not be vulnerable, as they will use https:// when you log into your account. As a rule, one should never type sensitive or personally identifying information (such as credit card numbers, social security numbers and so forth) into a web page that is not secured with https://. Even on non-vital websites, a lot of havoc can be wreaked when someone's Facebook, email or Twitter account is compromised. Essentially, an unauthorized party can do anything you can do when you are logged in.
Q: What can patrons do to protect themselves?
A: The only way to protect yourself from this vulnerability is to refrain from logging into non-secured websites when on a wireless network. We can't stress this enough: https is safe, http is not safe. The simplest way to accomplish this is to use Firefox with a plug-in such as HTTPS Everywhere (https://www.eff.org/https-everywhere), which can force an https connection. Google Chrome can also do this, using this plug-in: https://chrome.google.com/webstore/search/https. Internet Explorer has no tools to protect and assist you.
Q: Is it the Library's fault that its wireless network can be used in this way?
A: No. The fault lies with service providers like Facebook, Twitter, et cetera, who serve up web sites with personal information but do not encrypt the traffic with https. Millions of library hotspots, and even airports, coffee shops, and hotels, are subject to this issue.
Q: Will a fix be available to solve this anytime soon?
A: This is unknown, and is completely dependent upon the online service providers to encrypt their logins. The big issue is that encrypting traffic on a large scale (like the scale of Facebook) is an expensive proposition. It requires a lot of computing power to encrypt that much traffic at once without adversely affecting throughput and access speeds.
Q: Is the Library not fixing the problem due to not having enough money?
A: No. Fixing the problem is entirely up to the online service providers encrypting their traffic. There is no amount of money we could spend to fix the problem ourselves.
Q: Isn't there something the Library can do to fix the problem locally?
A: The only thing we are able to do is to educate our patrons about the inherent dangers of open wireless access points or to turn off wireless access completely. Currently, we feel wireless access is a valuable service to our patrons.
Q: If the Library wireless had WEP or WPA enabled, would this solve the issue?
A: No. Even with WEP or WPA, everyone who has the WEP/WPA key is already inside the network, and anyone holding that key can still read the traffic of other users on it just as if it were unencrypted and open.
Q: Is the Library's wired network also vulnerable?
A: Not to the same degree. Wireless traffic is broadcast over the air, much like a radio station is, and any receiver in range can pick up and examine the data. Encrypted data will look like garbage to anyone who is not supposed to see it; unencrypted data will come in loud and clear on the wireless network. On the wired network, your information is more secure, because it travels only from Point A to Point B across a set route. A man-in-the-middle attack would have to be somewhere on that set route, as opposed to being able to grab the information literally out of mid-air. Our security policy does not allow patrons to install programs on our computers, or to run programs from external devices on our network. This means a man-in-the-middle attack on our wired network is unlikely. However, as stated in our computing policy, you should treat any Library network as a public network: while we do the best we can to ensure your security, we offer no guarantee of privacy.
If you have any questions about Firesheep, SSL or our computing policies, we will be happy to answer your questions.