Back in April I wrote a post on the dangers of NOT using a VPN over public Wi-Fi hotspots. As data is not encrypted, anyone in range using a network tracing tool on a notebook or other device can tap into the data traffic of the hotspot and filter out email passwords from non-encrypted POP and SMTP connections and session cookies, e.g. from social networking sites (think Facebook, Twitter, …) that only use non-encrypted http connections. While email passwords are straightforward to use, things are a bit trickier with the session cookies. But nothing a wily hacker with a bit of background knowledge couldn't overcome. Agreed, it takes a bit of effort, which has so far probably prevented this sort of identity stealing from taking off.
But now cookie stealing in unencrypted public Wi-Fi hotspots seems to have become almost trivial with a Firefox plugin called FireSheep. It requires the Winpcap network driver to be installed, the same one that is also used by programs such as Wireshark for network tracing. This way FireSheep can intercept all data traffic in a public hotspot and, with some processing of the intercepted data, all computers used in the hotspot are shown to the user. As soon as someone with one of those computers accesses a service only using http, cookies are extracted and the computer running FireSheep can now be used to impersonate the other user with a single click on an icon in the browser. This is really scary, as it doesn't take a lot of effort or knowledge to install FireSheep and Winpcap. When I checked, the software had already been downloaded 600 000 times! So I wonder when the first victim stories will appear. How far this will spread probably depends on the percentage of Wi-Fi adapters FireSheep can set into promiscuous mode so all packets are delivered to the higher layers of the protocol stack.
Let's be clear: FireSheep does not exploit weaknesses in the browser or the OS that could be fixed. No, FireSheep exploits the intended design of public hotspots, i.e. to send data without any protection. But there's an easy fix: use secure SMTP and POP (available from most email providers today) and make sure to only use web based services that offer https (still not done by many web sites today). If and when victim stories pop up, I wonder how long it will take popular sites to switch over to https!?
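A caveat for site operators that follows from the above: offering https is not enough on its own, because a session cookie set without the Secure attribute is still sent in the clear the moment the browser follows any http:// link to the same host. The small audit below is an added example, not part of the original post; it reads the Set-Cookie headers of a constructed response (real header names, made-up values) and reports which cookies a browser would also transmit over plain http.

```python
# Added example (not from the original post): audit the Set-Cookie headers of a
# web response and report which cookies a browser would also transmit over
# plain http, i.e. in the clear on an open Wi-Fi hotspot.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookies(headers, served_over_https):
    """Return {cookie_name: exposure} for every Set-Cookie in the response.

    "cleartext"        - the site itself is http, so everything is sniffable
    "leaks-on-http"    - https site, cookie lacks Secure and there is no HSTS,
                         so any http:// link to the host sends it in the clear
    "first-visit-only" - no Secure flag, but HSTS pins later visits to https
    "protected"        - Secure flag set; the browser never sends it over http
    """
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    result = {}
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if not served_over_https:
            result[name] = "cleartext"
        elif attrs.get("secure"):
            result[name] = "protected"
        elif has_hsts:
            result[name] = "first-visit-only"
        else:
            result[name] = "leaks-on-http"
    return result


# Constructed response from a hypothetical site that offers https for login
# but forgot the Secure flag on its session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for name, exposure in audit_cookies(SAMPLE_HEADERS, True).items():
        print(f"{name}: {exposure}")
```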
On a further note, have a look at Dean Bubley's blog; he's got some interesting thoughts on how this "click and shoot" hacking method might influence future 3G offload technology. Especially in that area, automatically established VPN tunnels as part of a Wi-Fi offloading solution would fix the issue for good. For the ordinary use of public Wi-Fi, however, most users will probably still not care about, know about, or be willing or able to use a VPN solution. So for that scenario, https is likely to be the best defense.