Thursday, December 9, 2010

Using a VPN when connecting to open Wifi networks

You may have heard about Firesheep, a Firefox extension that lets anyone hijack other people's online accounts.  Basically, when you're using an open Wifi hotspot to check your Facebook, Twitter or Gmail[1] account, any other user connected to the same hotspot is able to sniff enough information to impersonate you and log in to your account.  Do you really want to risk having your online accounts used by anybody?

The issue is that although those sites use HTTPS (i.e. secure HTTP) during the login phase, they do not use it for the remainder of the session. And because the Wifi network is not encrypted either, your traffic can be intercepted and read by anyone connected to the same hotspot. This kind of vulnerability, known as session hijacking, has existed for a long time, but only recently, with the advent of Firesheep, has it received wide coverage.

What can you do against it?

The simplest is that you stop using open Wifi networks... Pretty useful, no? Ok. Next one...

In order to prevent session hijacking, you can configure your accounts to always use HTTPS instead of using it only for the login phase.  This encrypts the entire session, preventing attackers from reading the cookie that identifies you to the site you're connecting to.  This is an option that's available for Gmail, but not for Facebook or Twitter.
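As an added example (not part of the original post), here is a small Python audit of the behaviour described above: it parses the Set-Cookie headers of a login response and shows which cookies a browser would still attach to a plain http:// request, which is exactly what a sniffer on the hotspot gets to read. The response, the cookie names and the example.test host are constructed for illustration.

```python
# Added example, not code from the original post: audit which cookies a site
# issues after login would still travel in the clear on an http:// page.
# Domain and Path matching are deliberately ignored; only the Secure attribute
# is modelled, since that is the attribute that decides plain-HTTP exposure.
from urllib.parse import urlsplit

# Constructed sample of the headers an HTTPS login endpoint might return.
SAMPLE_LOGIN_RESPONSE = """\
HTTP/1.1 302 Found
Set-Cookie: sessionid=c0ffee; Path=/; HttpOnly
Set-Cookie: csrftoken=d3adb33f; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/
Location: https://example.test/home
"""


def parse_set_cookies(raw_headers):
    """Return [(name, {attribute names, lowercased})] for each Set-Cookie line."""
    cookies = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        pieces = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = pieces[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].lower() for p in pieces[1:] if p}
        cookies.append((name, attrs))
    return cookies


def cookies_sent_to(url, raw_headers):
    """Cookies a browser attaches to a request for url, per the Secure rule:
    a cookie carrying the Secure attribute is only sent to https:// URLs."""
    https = urlsplit(url).scheme == "https"
    return sorted(name for name, attrs in parse_set_cookies(raw_headers)
                  if https or "secure" not in attrs)


def hijack_risk(raw_headers, session_cookies=("sessionid",)):
    """Session-identifying cookies that would be exposed on an http:// page."""
    in_clear = cookies_sent_to("http://example.test/home", raw_headers)
    return sorted(c for c in in_clear if c in session_cookies)


if __name__ == "__main__":
    print("sent over http:", cookies_sent_to("http://example.test/home",
                                             SAMPLE_LOGIN_RESPONSE))
    print("exposed session cookies:", hijack_risk(SAMPLE_LOGIN_RESPONSE))
```

Adding the Secure attribute to `sessionid` (and serving the whole session over HTTPS, as the post recommends) is what makes `hijack_risk` return an empty list.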

If you still want to use those sites when on the road, you should use a Virtual Private Network that will encrypt your entire traffic.  VPNs are usually set up to allow employees to connect to corporate servers from outside the company's network.  Mobile users can thus check their mail, access source code repositories, bug databases, etc.

VPNs can also be used on your home network to gain access to your music or video library, or any other service, in a secure manner.  But the trick here will be to allow users connected through the VPN to access the Internet at large, not only your local network.  The link from your mobile device to your home server will be protected by the VPN, and the connection from your home server to the Internet will be assumed to be safe: if you're worried about people who could wiretap your ADSL line, then you should probably not connect to any Internet site at all...


Setting up a VPN server

There are tons of tutorials out there about how to configure a PC with any reasonably modern OS to act as a VPN server.  Here is some information for Windows 7 or Vista (Start > Control Panel > Network and Internet > Network and Sharing Center > Manage network connections, then hit the Alt key, choose File > New Incoming Connection), Mac OS X, or Linux.

Note that, on Windows, you are not offered the possibility to choose your type of VPN service: it's PPTP, and no other.  You need to know this when you configure your client...  And if you don't have a password on your main account, you must create a new user with a strong password.

Note also that if you have a router, you'll need to configure it to allow the traffic to come to your VPN server. The tutorial for Windows above has some information about this subject.

The only issue I had while setting up my Windows 7 box was that you really want to configure it so that IP addresses for incoming connections use a specific range, with at least two possible addresses...


Setting up your client

Setting up a server is a necessary step, but you'll also want to configure your mobile device (be it a laptop or a smartphone) to connect to your VPN server.  For a Windows client, the 'Connect to a Workplace' wizard will do: Click the Start button > Control Panel > Network and Internet > Network and Sharing Center > Set up a connection or network > Connect to a workplace.

On the iPhone, you have to navigate to Settings > General > Network.  Don't worry, it'll be much easier to just turn it on once it's configured... On the lower part of the page, you'll find a button that will allow you to configure a VPN connection.  Here is how I did it:

Use the PPTP protocol, with your own (external) IP address, the name of the account you chose when configuring the server, and its password.  Make sure 'Send All Traffic' is ON, so that you are really protected!

You can check your setup is correct by connecting with your iPhone to a service that shows your IP address (don't try this from home, it would not prove anything!  Or disconnect the Wifi on your iPhone!): it should tell you that your address is that of your ADSL connection...

You can now enjoy secure connections on free Wifi!...

2 comments:

  1. If you're using Firefox on a laptop, a simpler option may be to install the 'HTTPS Everywhere' extension provided by the EFF: https://www.eff.org/https-everywhere

  2. If you don't find the 'add incoming connection' menu entry, (1) make sure you're connected as an administrator, and (2) look for it in the 'Change adapter settings' window...
