
Protecting yourself from Session Hijacking

Session hijacking has been around for many years. Now that there's Firesheep, which sits on an open wi-fi network, picks session cookies out of the plaintext HTTP requests flying past, and lets the attacker log in as you with one click, everyone using insecure wi-fi has been given a rude awakening.

You can find all that you want about Firesheep and its how-to on the author's website here: http://codebutler.com/firesheep

Being Secure:
1: Use HTTPS Everywhere, Force-TLS and similar plugins, which force SSL on the websites that you are browsing. Some sites like Facebook and Twitter use SSL only for login and don't force SSL on the rest of the pages, so the session cookie issued at login is sent in the clear on every page after it. These plugins help there because the browser never makes a plain http:// request to those sites at all, which is the client-side equivalent of the site marking its cookie Secure. BUT, if a website doesn't support SSL at all, you're not left with many options.
2: Use SSH tunnelling (it's very easy to set up on any OS and does not cost anything extra if you already have some server, for example your website hosting). The catch: a SOCKS proxy opened with ssh's -D option only protects programs that honour the system-wide proxy setting, and some programs skip it and send their traffic over the wi-fi in the clear anyway. DNS lookups also go in the clear unless the application resolves names through the proxy.
3: The best option: use a VPN!*
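To make the mechanism concrete, here is an added example (mine, not Firesheep's code and not from the Firesheep author) that models what the tool does on an open network and why option 1 above works. The "captured" frames, host names, cookie names and values are all constructed for this example; SESSION_COOKIE_NAMES is an assumed list standing in for Firesheep's per-site handlers. The first function harvests session cookies from plaintext HTTP requests exactly as a sniffer on the same wi-fi can; the second inspects a Set-Cookie header to show why a cookie issued over an SSL login still leaks on the site's non-SSL pages unless it carries the Secure attribute.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed for this example: cookie names that typically carry a login session.
# Firesheep keys this per site; a flat set is enough to show the idea.
SESSION_COOKIE_NAMES = {"sessionid", "session", "sid", "PHPSESSID",
                        "JSESSIONID", "xs", "c_user", "auth_token"}


@dataclass
class Frame:
    """One TCP payload observed on the wireless network (constructed data)."""
    src: str        # client address on the wi-fi
    port: int       # destination port: 80 = plaintext HTTP, 443 = TLS
    payload: bytes  # bytes as seen on the air


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse the request line and headers of a plaintext HTTP request.
    Returns None for anything that is not HTTP (e.g. TLS records)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.strip().split("=", 1)
            cookies[name] = val
    return cookies


def sniff_sessions(frames) -> dict:
    """What Firesheep does: for every plaintext HTTP request carrying a
    session cookie, record {(host, client): {cookie: value}}.
    TLS frames are skipped because their headers are encrypted."""
    found = {}
    for frame in frames:
        if frame.port != 80:
            continue
        req = parse_http_request(frame.payload)
        if req is None or "cookie" not in req["headers"]:
            continue
        host = req["headers"].get("host", "?")
        cookies = parse_cookie_header(req["headers"]["cookie"])
        session = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
        if session:
            found.setdefault((host, frame.src), {}).update(session)
    return found


def audit_set_cookie(header_value: str) -> dict:
    """Read the attributes of a Set-Cookie header. Without 'Secure' the browser
    will send the cookie on any http:// request to the site, which is exactly
    what a login-only-over-SSL site exposes to a sniffer."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,        # never sent over plaintext HTTP
        "httponly": "httponly" in attrs,    # not readable by page script
        "sniffable": "secure" not in attrs, # reachable by a Firesheep-style sniffer
    }


# Constructed sample capture: two clients on the same open wi-fi.
SAMPLE_FRAMES = [
    Frame("10.0.0.12", 80,
          b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
          b"Cookie: c_user=1001; xs=abcd1234; lang=en\r\n\r\n"),
    # Same client talking TLS: only an opaque ClientHello is visible.
    Frame("10.0.0.12", 443,
          b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32),
    Frame("10.0.0.7", 80,
          b"GET /news HTTP/1.1\r\nHost: blog.example\r\nCookie: lang=en\r\n\r\n"),
    Frame("10.0.0.7", 80,
          b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
          b"Cookie: sessionid=9f8e7d\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for (host, client), cookies in sniff_sessions(SAMPLE_FRAMES).items():
        print(f"{client} -> {host}: {cookies}")
    print(audit_set_cookie("sessionid=9f8e7d; Path=/; HttpOnly"))
    print(audit_set_cookie("sessionid=9f8e7d; Path=/; Secure; HttpOnly"))
```

The TLS frame contributes nothing, which is the whole point of options 1 to 3: each of them makes sure the browser's traffic leaves your machine only in that opaque form. A forcing plugin does it per site by never issuing http:// requests; a tunnel or VPN does it for everything, which is why it also covers sites that have no SSL of their own to force.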

Things that you should NOT do:

1: Panic and stop using public wi-fi. Public wi-fi is awesome. It's very useful at a tech conference, at a meetup, or when you want to kill time in the airport, etc.
2: Use an insecure VPN. If you think a VPN is insecure (red flags: cheap or free), don't use it! A VPN only moves the point where your traffic comes out in the clear from the coffee shop to the provider's server, so the provider sees everything the wi-fi attacker would have seen and has to be trusted on the VPN end. Don't just use a VPN because it's cheap, and make sure the provider is not shady.

Some of the above solutions don't work for the non-tech-savvy crowd. So if you want to be secure generally, avoid using sensitive websites on public wi-fi, and to be extra secure, use the aforementioned browser plugins.

Also, if you are a technically savvy person, advise the not-so-technically-gifted others on how to be secure when using wi-fi. :)

Update: There's this wonderful article on using Amazon EC2 as your VPN. There's a free tier that's been released recently by Amazon, and it will be free for a year from when you sign up. There can be a small monthly charge, but your credit cards, banking details and social networking profiles are worth much more than what you pay for the security you get!

Update 2: Just noticed there’s a more detailed version about protecting yourself from the author of the plugin himself! Check this out here!