Public WiFi Security Notice

Posted by Devin Hayes — 25 Oct 2010

Fair warning for those of you who browse via public networks: whether at the park or the cafe, any wireless network that others have access to should now be considered unsafe.

Yesterday, Seattle developer Eric Butler announced the release of a Firefox plugin called Firesheep. Firesheep makes session hijacking a one-click task. What once took experienced hackers time and effort can now be done by anyone using Firefox with zero effort or skill. What this means is: if you browse via public WiFi and you visit a site that you are logged into (Gmail, Google, Yahoo, Facebook, Twitter, WordPress, Flickr and potentially JPG), your session cookie (the thing that tells us who you are) can be effortlessly intercepted and used to give an attacker full access to your account.

The solution is to use SSL (HTTPS), wherever it is available, when browsing over public WiFi. HTTPS Everywhere is a Firefox plugin provided by the Electronic Frontier Foundation (AKA: The Good Guys) that forces secure connections when and where available. TechCrunch has posted a "How-to" using various Firefox plugins. We plan to add our rules to the EFF's HTTPS Everywhere registry as soon as possible.

To summarize:
- Public WiFi = extremely unsafe
- Use HTTPS if you are browsing via public WiFi and are logged in to any site.

We've been working with our CDN to enable certain features that would allow us to run secure connections (HTTPS) while preventing browser error alerts incurred by serving content (images) from an "unsecured" location (our CDN servers).

Until then, we recommend that you not browse JPG while logged in over public WiFi. Really, we recommend that you not browse any site without a secure connection while using public WiFi.

UPDATE! You can now browse JPG via SSL by visiting - Firefox and Safari provide a better browsing experience and more tolerable error reporting, as the images will throw errors because they are not being served via SSL. You can safely ignore those errors as they pose no risk.
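The image errors mentioned above are mixed-content warnings: a page loaded over HTTPS that pulls some of its resources over plain HTTP. As an added example (not JPG's code; the host names and the sample page are constructed), this Python check lists such references in a page and separates display-only loads such as images from active ones such as scripts:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that make the browser fetch a URL: (attribute, kind of load).
# "passive" is display-only content; "active" can change the page itself.
FETCHING = {
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "script": ("src", "active"),
    "iframe": ("src", "active"), "link": ("href", "active"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING:
            return
        attr, kind = FETCHING[tag]
        attrs = dict(attrs)
        # Only stylesheet <link>s are treated as active loads here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # Relative and protocol-relative (//host/...) URLs inherit the page scheme.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each plain-HTTP load on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # the whole page is unencrypted; nothing is "mixed"
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; example.test hosts are placeholders.
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/js/gallery.js"></script></head><body>
<img src="http://cdn.example.test/photos/1.jpg">
<img src="//cdn.example.test/photos/2.jpg"><img src="/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.test/photos", SAMPLE_PAGE):
        print(finding)
```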
