Someone told me, there was an easy way to hack facebook and other accounts at free WiFi-hotspots, because they didn’t encrypt their traffic …
… my first reaction was like „what kind of bs is that?“, but when my contact said, this was the way schoolkids used to deface their classmates facebook accounts I decided to investigate. So here’s the short, simplified version:
- If you log on to your favorite service on the net, you are sure to use encrypted sign-in pages – at this point everything is fine.
- As soon as you are logged on, you get a „session cookie“ that identifies you against all of the following non encrypted http-pages. This session cookie is transmitted unencrypted, since you are communicating via http, not https or SSL.
- A (public) hotspot acts – technically speaking – as a network hub, transmitting all payload traffic to all connected addresses, so theoretically and practically all session cookies are transmitted unencrypted to all devices connected to the public hotspot. The only difference between public and non-public hotspots ist that everybody can use the public hotspot, whereas private WLans try to shut out the bad boys (and girls!) …
- If you are in possession of such a session cookie, you can impersonate the original owners of said session cookie, i.e. use their account, change passwords, deface profiles – you name it!
See how easy it is with firesheep in a tutorial or on youtube
Or try it yourself: firesheep download for firefox (TM)
This is one of the main reasons security-aware companies like cirosec no longer offer http-webpages – try to change the address of their site from https to http and see what happens …
As long as your favorite portal has not yet implemented this, you should consider using public hotspots with caution or not at all – at least not to access vital personal and sensitive information portals.
If you provide logons using session cookies – who doesn’t – you should consider moving all of your pages to encrypted communication i.e. https!