This has been circulating on twitter but is important enough to have it echo here as well. A lot of websites like Facebook, twitter etc are not using a secure way to transfer their login info. In fact once you’ve logged in using a secure HTTPS connection they simply use a browser cookie to “remember” who you are for all following requests to the site.
The problem with this approach is that this cookie is sent over the wire with each request. If that request is done of a simple and unprotected HTTP connection, the cookie can be sniffed off the network you are using.
If this network happens to be an open WIFI hotspot in a public place, that means anybody with the right tools can hack your twitter, facebook or whatever account. Finding the right tools has become extremely simple now as there is Firefox plugin called FireSheep that does exactly that. Check out the screenshots in to see how easy it is and this follow up post for more technical details.
So now that you know this is possible, make sure the web sites you’re using always use a HTTPS connection (all the time) when you’re on an open WIFI hotspot, or simply don’t log in to the websites that don’t offer full HTTPS protection.
Check the security tips listed in the follow up post linked above for more protection tips (on Firefox).
Photo by Krstnn Hrmnsn, cc-licensed.