Vulnerability of open wireless networks
A developer has released a browser extension which illustrates the vulnerability of open wireless networks.
To use the Firefox extension, you simply connect to an open wireless network, wait for someone else to log in to an unsecured site (recognised by the extension), click on their image, and you have full access to this account.
This works using something called "HTTP Session Hijacking" (aka Sidejacking) - most websites use sessions to identify that you have logged in. Details of these sessions are transmitted and are stored on your computer as a cookie. Across HTTP sites and on open wireless networks, these cookies are essentially shouted about for anyone to pick up on.
Websites where every page is protected by a secure certificate, an SSL certificate (a yellow padlock), do not have this vulnerability as the cookie is encrypted.
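For website owners, the following added example (not code from the extension or from this site) shows why every page needs protecting: it lists which cookies a browser would send unencrypted to the plain HTTP pages of a site. It goes slightly beyond the text by checking the standard Secure cookie attribute, and the cookie names, values and URLs are constructed sample data.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: the cookie path must prefix the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cleartext_cookies(set_cookie_headers, site_urls):
    """Return {cookie_name: [http URLs]} for cookies sent unencrypted.

    A browser attaches a cookie to a plain http:// request unless the
    cookie carries the Secure attribute, so one http:// page on the site
    is enough to expose a session that was created over HTTPS.
    Assumptions: all URLs are on the host that set the cookie, and a
    cookie without a Path attribute applies to the whole site ("/").
    """
    exposed = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"]:
                continue  # only ever sent over HTTPS
            cookie_path = morsel["path"] or "/"
            for url in site_urls:
                parts = urlsplit(url)
                if parts.scheme == "http" and path_matches(cookie_path, parts.path or "/"):
                    exposed.setdefault(name, []).append(url)
    return exposed


# Constructed sample: Set-Cookie headers from a login response, and the
# pages a logged-in visitor goes on to browse.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; HttpOnly",                 # no Secure flag
    "admin_token=77be02; Path=/admin; Secure; HttpOnly",  # HTTPS only
]
SAMPLE_URLS = [
    "https://www.example.com/login",
    "http://www.example.com/news",
    "http://www.example.com/admin/pages",
]

if __name__ == "__main__":
    for name, urls in cleartext_cookies(SAMPLE_HEADERS, SAMPLE_URLS).items():
        print(f"{name} travels unencrypted to: {', '.join(urls)}")
```

In the sample, the login page itself is on HTTPS, yet the session cookie is still exposed as soon as the visitor opens any HTTP page on the same site.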
As a user, you can protect yourself by avoiding using sites that require a login on open wireless networks, or by using a secure VPN connection.
As a website owner - if your site requires a login and does not have an SSL certificate, you will likely have a similar vulnerability, although the level of risk is significantly lower, depending on the number of visitors and their geographic location. As a matter of course, Wheredidthetigergo protects critical functionality (such as changing passwords and account email address) by re-authenticating the current user.
Perhaps more of a concern are administration functions, for example modifying the content on your website. Whilst your account is unlikely to be compromised by a chance attack, the ease of use of this Firefox extension means that you could be subject to specific targeted attacks (for example if you regularly use an open wifi connection in the same coffee shop). You are strongly recommended either to avoid accessing your website on an open wifi connection or on a public computer, or to purchase an SSL certificate to protect critical functions - prices start from £135 + VAT per year.
If you have any queries or concerns regarding this - please get in touch, and we can talk you through how this threat relates to your website.