The prevalence of free/cheap and open Wi-Fi networks in coffee shops, airports, offices and hotels is a great boon to the traveling Mac or iPad user; it makes connectivity and remote work much easier than it used to be.
Unfortunately, since most of those networks don't employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that's transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.
Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you login to a website (usually in a secure fashion, via HTTPS) and then the site redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be 'sniffed' by a nogoodnik on the same network segment; that's what Firesheep does automatically. With the cookie in hand, it's simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites.
That process is known as "HTTP session hijacking" (informally, "sidejacking") and has been a known problem for several years, but many sites have not changed to protect their users. Firesheep has made this process of sidejacking very easy, and a reported 104,000+ people have downloaded it. It is important to realize that the security problem exists for users of all browsers. Firesheep is available only for Firefox, but that's just the exploit side; it will gladly harvest cookies from Safari, Chrome, IE or anything else. Unfortunately, you've got to assume that any unencrypted site you go to while on an open Wi-Fi network is susceptible to compromise by this attack.
Read on for some suggested ways to combat this security challenge.
Photo by adactio | flickr cc