Security — What It Means to You: READ THIS!
Posted by admin in photography on November 12, 2010
This title may seem a bit odd for a photographer’s blog, but there are a couple of reasons why you should be concerned. What triggers this post is the emergence of a Wi-Fi hacking tool called Firesheep. I’m not going to provide a link and have never used it, but I know what it does. And it’s sobering.
What’s The Threat?
If you use open Wi-Fi networks, what you do online can be watched and in many cases a “watcher” can immediately impersonate you on Facebook, Twitter, Amazon, and so on. Banking and other financial sites, not so much.
What’s an Open Wi-Fi Network?
For the sake of this article, it’s a network you just “jump on” in a public place like an Internet Cafe, coffee shop, airport. Basically, it’s free Wi-Fi where you don’t know all the other people with access to the network. And for travelers (and we photographers travel), these open Wi-Fi networks are valuable and many of us use them regularly.
What Happens With This “Firesheep”?
The author of Firesheep created it as an example of how insecure many Web sites that require login can be. He is unapologetic about the potential damage he has done, and claims it is a force to make developers of Web sites clean up their acts. In the meantime, your accounts and your data are at risk.
An oversimplification of Firesheep is that someone running it wanders into a free Wi-Fi area and sets up shop. It’s stupid simple. They then wait until Firesheep shows a list of other people on the network and some of the sites they are logged into. The Firesheep user can, with the click of a mouse, hijack the “session” of an unsuspecting user. That makes said Firesheep user appear to be said unsuspecting user. So take the example of Joe Photographer, who is logged into Facebook: the bad guy running Firesheep can easily impersonate Joe and take steps like these: change Joe’s password, deface Joe’s wall, upload embarrassing images to Joe’s photo galleries, all without Joe knowing a thing. As with any identity theft, it’s hard to know the extent of the damage.
And it’s not entirely fair to single out Facebook. Almost every site that requires logging in also uses these “sessions” and many are open to this exact kind of session hijacking. It’s also not accurate to single out Firesheep, as it builds on well-understood hacking techniques but does so in such a user-friendly way that it makes it really easy for your friends to play a malicious prank on you and for bad guys to do worse. It lowers the technology bar on who can do this stuff. Again, I’m not a hacker, but I do watch out for potential risks in an effort to stay safe online.
So, It’s Not Just Facebook? How Can I Tell What’s Safe?
Your browser displays a “lock” icon to show you when you are browsing to what’s called a “secure site.” When the lock icon is showing, all the information you exchange with the site is encrypted, and even if Firesheep could see it, the data would be of no use to it. That’s safe. But as soon as the lock disappears, you are back in the clear and at risk again. These sites might include your blog(!), your photo agency… you get the picture.
So, boiling this down, if you go to a secure (lock icon) login page and get yourself logged into xyz.com, then immediately go to an unsecured page, this “session” still exists, now travels in the clear, and can be hijacked. Good that your login and password exchange didn’t happen in the clear, but you are not safe. Only if the lock icon remains showing are you safe. That is the exception rather than the rule because secure sites are expensive to operate.
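The mechanism behind the two paragraphs above is the session cookie: the site hands it out after the secure login, and unless the site marks it with the Secure attribute the browser will send it again on every plain http:// page, which is exactly what a sniffer on open Wi-Fi picks up. The following added example (written for this post, not code from Firesheep, Facebook, or any site mentioned here) parses two constructed Set-Cookie headers, one weak and one marked Secure, and models the browser rule that decides whether the cookie would be sent to an http:// or https:// page. The cookie name, value, and the xyz.com URLs are assumed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers (not from any real site). The first is
# the weak form this post warns about; the second adds the Secure attribute.
WEAK_SET_COOKIE = "session_id=abc123; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "session_id=abc123; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Parse a Set-Cookie header into its name, value and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "secure": False,
        "httponly": False,
        "path": "/",
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def cookie_sent_to(cookie, url):
    """Return True if a browser would attach this cookie to a request for url.

    Models only the two rules that matter here: a Secure cookie is never sent
    over plain http, and the request path must fall under the cookie's Path.
    """
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False
    return (u.path or "/").startswith(cookie["path"])


def exposed_on_open_wifi(set_cookie_header, http_url):
    """Would this session cookie travel in the clear when the user follows a plain http:// link?"""
    return cookie_sent_to(parse_set_cookie(set_cookie_header), http_url)


def audit(set_cookie_header):
    """List the defences missing from a Set-Cookie header (empty list means none missing)."""
    c = parse_set_cookie(set_cookie_header)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure: cookie is sent over plain http")
    if not c["httponly"]:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, "sent to http://xyz.com/photos:",
              exposed_on_open_wifi(header, "http://xyz.com/photos"),
              "| findings:", audit(header))
```

The weak cookie is sent to the http:// page and so is visible to anyone sniffing the network; the hardened one stays home until the browser returns to an https:// page, which is what keeps the lock icon meaningful. Site operators can check their own login responses the same way; for an end user the practical reading is the one the post gives: once the lock is gone, assume the session is exposed.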
On the other hand, there are lots of sites where you simply don’t care if the Firesheep user has a peek behind your kimono. Who cares if they watch you read the news or check out the sports scores? That would be the digital equivalent of peeking over your shoulder. Who cares if they watch you read your favorite photography blog. No login, no problem.
What Can I Do About It?
Basically, for the time being, give up on free Wi-Fi. It’s that simple. There are some so-so alternatives. If you have a mobile device like an iPhone, iPad, Android, etc., just shut off the Wi-Fi and use the cellular connection. Slower, yes. Safer for right now.
If you are using a laptop or a device without a cellular connection, consider one of the closed cellular hotspot devices. Word has it that the Sprint device is relatively affordable, works in many locations, and offers some protection against this particular security risk.
What About Dedicated iPhone, Android, and iPad Apps?
Still not safe. You can’t know how they exchange login information, but you do know that they exchange it. Best not to use them on open Wi-Fi.
Where Can I Read More?
TechCrunch says this. Although you can figure out where to get Firesheep from this article, I would beg you not to take it out for a test drive. Please?
WikiPedia says this. They recommend a VPN (kinda geeky stuff) and another Firefox extension. The VPN is not trivial to set up but it is effective if you can live with its limitations. The extension doesn’t solve the problems of mobile devices or computers running browsers other than Firefox.
PCWorld says this. This is a pretty balanced report.