Increased use of public WiFi access at hotspots, retail stores, hotels and other similar establishments has recently motivated New York Democrat, Sen. Charles Schumer, to call on major US website operators – including Amazon and Twitter – to switch to secure protocol (HTTPS) to help avoid identity theft and eavesdropping over public WiFi networks.
Public WiFi networks generally aim toward user convenience and do not impose strong security measures. This makes people using them potential prey for hackers. A widely popularized tool, Firesheep, a Firefox extension, released a few months ago has already shown how easy it is to hijack a user’s http session, running over an insecure public WiFi. The tool has almost automated the hijacking experience, allowing a layman to turn into a hacker to fulfill his/her worst intentions.
Most websites do use secure https protocol for the initial login session, but then switch back to insecure http for the remainder (using the unencrypted session cookies) once logged in. Because WiFi signals from an insecure public WiFi network can easily be interpreted in the range of the network, anyone with malicious intent can eavesdrop an ongoing insecure session or can further steal the session cookies to hijack the running session.
With continually growing adoption of smart WiFi-capable mobile devices, such as smartphones and tablets, people using public WiFi services to go online are also growing by leaps and bounds. However, most of them remain ignorant or careless to the underlying risks of using public WiFi and end up as potential hacker targets.
Coming to the rescue of such users, the Democrat’s call for popular website operators to switch to secure https protocol brings much sought relief. Although it is well known, most websites have not addressed the http security weakness completely, but with a rapidly growing list of public WiFi users, it’s high time for the website operators to take this issue seriously and act appropriately.
Facebook, the popular social networking site, has recently added https support for the entire session while accessing the website. The reason might be management's realization of dangers of Firesheep-like tools for the website user base. Hopefully, taking note of Facebook’s security lead and the strong call of Sen. Schumer, website operators will swing into action sooner, to ensure users' safety on otherwise insecure public WiFi networks, at least from today’s trivial attacks.