Obviously Firesheep has been big news this last week or so. Somebody is sitting in a pub right now waiting for you to access Facebook, Twitter or your webmail account so that they can get in and play with all the shinies. Scary stuff; and yet most news outlets haven't really discussed the issue in detail, they haven't discussed where the issue will commonly take place (public places like pubs, cafes, restaurants, libraries with open wifi), and they don't really discuss how SSL on a few major scapegoats will actually solve a worldwide security issue.
Public. Open. Wifi.
I mean, come on! This is the biggest problem; just because someone has an extension that no longer works doesn't mean that somebody else doesn't just have some custom build of Wireshark running that does far more than steal cookies for your favourite social sites. We're talking about the potential for identity theft by people getting far more than a feed of your recent photos and activities. Some sites may encrypt your password on submit but other forums won't. And what are the chances that somebody on an open hotspot doesn't have the same password for a couple of other sites?
Also, people may now be smugly sitting on an open hotspot not going on Twitter and Facebook. But their favourite news site has a like button on it. Is that a problem? Has anyone asked or addressed this in a news article too?
The Solution?
The geek solution is to have a VPN or a SSH socks proxy and to always use it as an interface between open sites; the firefox buff solution is to get one of the many extensions that forces SSL for sites that allow it (and it isn't all of them;) the scapegoat solution is to tell big social networking sites to go SSL so that it's no longer a problem (they should be using SSL anyway the lazy slackers.
None of these ideas really close up the ultimate truth that not everyone gets security. Not everyone will be able to buy a VPN for that rare occasion that they're on an open hotspot; the fact that VPNs are a bloody pain to set up just compounds the problem. Very few know what SSH is.
The real solution needs to have all of these plus: Closed public wifi. There are a couple of ways with various issues for security but will offer a modicum of privacy for people without the ability to take security measures by themselves. For starters, cafes and libraries could simply stick the network key on the notice board for visitors. Change it daily and keep it inside for patrons only. Alternatively, for situations where the business has a rented device, have 2 hotspots. The first hotspot is open and, when you connect, it takes your browser to a login page with instructions and today's network key. Then you disconnect, sign in to the closed wifi, and use the key you just pasted to your clipboard.
Is that it?
Not really. Computer security is about an ongoing awareness of the fact that everyone wants your bank details and identity. But reporting on an issue and calling social networking sites to use SSL is just scapegoating and avoiding a real world problem with security. Get it sorted pubs, clubs and cafes.