In 2007 software was released which could intercept, from anyone on the same public Wi-Fi network, the bits of data that websites use to identify a user. Session tokens, as these bits are called, are generated after a login, in which a secure connection is used just long enough to allow the entry of a username and password before the web browser is redirected back to an unsecured version of the website. By grabbing hold of these, an impostor was able to “sidejack” a Gmail account or other services that his victim had accessed. With access to email, an attacker could visit popular sites, reset a user’s password and use email to retrieve login information. Following a flurry of sidejacking activity, Google began the process, which ended up taking several years, of tweaking most of its services to provide SSL/TLS as an option (though not a requirement).
A smattering of technical know-how was needed to sidejack, and the sidejacker had to be in close proximity to a sufficient number of users to make it worthwhile. Two developments have changed that equation. First, the release of a proof-of-concept plug-in for the Firefox browser, called Firesheep, made worldwide headlines last October. With a couple of clicks, even the most unsophisticated user could take over the identity of anybody else on the same network who happened to be browsing any of a few dozen popular websites. (Mr [Charles] Schumer fingered Firesheep in his public appearance.) Second, the growth of smartphones and tablets with Wi-Fi connectivity, along with the spread of free networks in America, dramatically increased the number of proximate targets. A few years ago a sidejacker (or “sniffer”) might have had access to a handful of laptops from which to siphon data; now hundreds of smartphones and slates can be logged on to such networks at any given time.
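For a site operator, the login flow described in the first paragraph (a secure login followed by a redirect to the unsecured site) can be checked from recorded responses. The audit below is an added example, not taken from the article; the host name, the cookie name `SID` and the recorded flow are constructed, and it assumes every request goes to the same host so cookie domain and path matching is ignored.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: login over HTTPS, then a redirect back to plain HTTP.
SAMPLE_FLOW = [
    {"url": "https://mail.example.test/login", "status": 302,
     "headers": [("Set-Cookie", "SID=constructed-token; Path=/; HttpOnly"),
                 ("Location", "http://mail.example.test/inbox")]},
    {"url": "http://mail.example.test/inbox", "status": 200, "headers": []},
]

def cookie_attrs(set_cookie):
    """Return (name, set of lower-cased attribute names) for a Set-Cookie value."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs

def audit_flow(flow):
    """List findings that let a session token cross the network in clear text."""
    findings = []
    exposed = set()  # cookies a browser will attach to plain-HTTP requests
    for resp in flow:
        scheme = urlsplit(resp["url"]).scheme
        for key, value in resp["headers"]:
            if key.lower() == "set-cookie":
                name, attrs = cookie_attrs(value)
                if "secure" not in attrs:  # no Secure attribute: sent over HTTP too
                    exposed.add(name)
                    findings.append(("cookie-without-secure", name, resp["url"]))
            elif key.lower() == "location" and 300 <= resp["status"] < 400:
                target = urljoin(resp["url"], value)
                if scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", target, resp["url"]))
        if scheme == "http" and exposed:
            findings.append(("token-sent-in-clear", ",".join(sorted(exposed)), resp["url"]))
    return findings

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```

A flow that marks the cookie `Secure` and keeps every redirect on HTTPS produces no findings.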