How to safely log in on Facebook/Twitter over public WiFi

Even non-techie folks are aware of the huge security issue in accessing popular social networking sites like Facebook and Twitter over public WiFi networks these days. How do I know? Because my wife is a non-techie, and she is concerned :) Let me try to explain what the issue is in the most non-techie way possible and offer you a solution.

Problem

The problem is that when you use a site like Facebook over an unsecured WiFi network, the authentication token (which identifies to Facebook that it's you) is transmitted in clear text. How do you know if you are on an unsecured WiFi network? Unfortunately, most public WiFi networks are unsecured today to make it easier for users to connect. If you just have to click a check box and say "I agree" to connect, it's an unsecured WiFi network. Actually, both Windows and OS X warn you before connecting to unsecured WiFi, but most people just ignore the warning. Encrypted WiFi networks, which are commonly found in people's homes, require you to type in a password.

OK, so what's the big deal if things are transmitted in clear text? The guy sitting next to you at the coffee shop could be running a tool like Firesheep to *very easily* steal your auth token and log into Facebook or Twitter as you. Trust me, it's *really easy*. This problem does not only affect Facebook and Twitter; you should avoid logging into any website over an unsecured WiFi network if the web address does not start with HTTPS. HTTPS websites use what's called SSL, or Secure Sockets Layer, to encrypt traffic between you and the server, but HTTP websites don't. Both Gmail and Hotmail use HTTPS by default, so you are safe with those services.

Now, this situation is not only bad for you, it's also bad for me. I like to work at coffee shops, and my work involves working with sites like Facebook. While I like working at coffee shops, I don't like it enough to hand out my Facebook authentication token to strangers. What to do?

Solution

The easiest way for you to safely log in to Facebook over public WiFi is to use a browser extension that forces the use of HTTPS on Facebook. Facebook actually supports HTTPS, but it's just not persistent. You can try it for yourself. Go to https://www.facebook.com/. You can log in, but the problem is that right after you click something, it goes back to the non-HTTPS version. You can fix this by using a browser extension like Use HTTPS for Google Chrome or HTTPS Everywhere for Firefox. After you install one of these extensions, try going to https://www.facebook.com again. Now you will notice that as you use the site and click on links, the HTTPS remains in the address bar.

To be clear, the browser extension won't help you with just any website. It just happens that both Facebook and Twitter have HTTPS versions of their websites, but they haven't enabled HTTPS persistence. The two browser extensions above force the connection to use HTTPS.
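As an added illustration (not the code of Use HTTPS or HTTPS Everywhere), here is a simplified model of what a force-HTTPS extension does and why it only helps on sites that already offer HTTPS. The host list, the page paths and the browsing trace are constructed for this example.

```javascript
// Simplified model of a force-HTTPS rule set. Assumption: these hosts are
// known to offer an HTTPS version of the site.
const HTTPS_CAPABLE = ["facebook.com", "twitter.com"];

// True if host is a listed domain or a subdomain of one.
// "notfacebook.com" must not match "facebook.com".
function isListed(host, list = HTTPS_CAPABLE) {
  const h = host.toLowerCase();
  return list.some((d) => h === d || h.endsWith("." + d));
}

// Upgrade http:// to https:// for listed hosts only. Other sites are left
// untouched, because the extension cannot invent HTTPS where none exists.
function forceHttps(rawUrl, list = HTTPS_CAPABLE) {
  const url = new URL(rawUrl);
  if (url.protocol === "http:" && isListed(url.hostname, list)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Requests in a browsing trace that would still travel unencrypted, and so
// would expose the login token to anyone on the same open WiFi network.
function cleartextRequests(trace, rewrite = (u) => u) {
  return trace
    .map((u) => rewrite(u))
    .filter((u) => new URL(u).protocol === "http:");
}

// Constructed trace: log in over HTTPS, then the site's own links drop back
// to HTTP (the non-persistent behaviour described above).
const TRACE = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/home.php",
  "http://www.facebook.com/profile.php?id=1",
  "http://forum.example.org/index.php", // not in the rule set
];

console.log("without extension:", cleartextRequests(TRACE));
console.log("with extension:   ", cleartextRequests(TRACE, forceHttps));
```

Without the rewrite, three of the four requests go out in clear text; with it, only the request to the unlisted site does.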

Now you can have peace of mind when using Facebook in public.

 

 
