Firesheep - A scary prospect for Facebook and Twitter users
Saturday, October 30, 2010 at 2:28AM
A new freely downloadable tool known as 'Firesheep' has been making the headlines over the past few days, and for good reason.
If you use your laptop on a public Wi-Fi hotspot, such as those at McDonald's, restaurants, trains, major cities and most coffee shops, you are leaving yourself open to this exploit.
- Launch the Firesheep extension in a Firefox sidebar
- Click the Start Capture button
- See who's connected to which sites
- Double click on one of those connections
- That's it! You're logged in as someone else on that site


Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep's database. When you log in to Amazon, for example, your browser's Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website, a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could send an e-mail; if it was Facebook they may be able to post a message; and so on. Any operations that require your password, however — such as accessing your credit card information on Amazon — should not be possible using Firesheep.

I thought I'd spread the word and help some laymen out after work since there's a large Starbucks near my apartment. I dropped in, bought some unhealthy food, opened my laptop and turned on Firesheep. Less than one minute later, there were five or six identities sitting in the sidebar. Three of them were from Facebook.

This wasn't at all surprising; Firesheep is not magical, and anyone that's been to a Starbucks knows that a lot of people mindlessly refresh Facebook while sipping on their lattes. I thought I'd give it more time, so I listened to some music, talked to a few friends, and most importantly (and difficultly) did not navigate to anything sent over vanilla HTTP (including, of course, Facebook).

Around half an hour later, I'd collected somewhere between 20 and 40 identities. Since Facebook was by far the most prevalent (and contains more personal information than Twitter) I decided to send the users messages from their own accounts to warn them of their accounts' exposure. I drafted a friendly, generic message that stated the location of the Starbucks, what the vulnerability was, and how to avoid it. I sent messages to around 20 people.

I cleared the sidebar, took off my headphones, and waited. I heard one expletive muttered a few feet away, and wondered if my message was the cause. Over the next 15 minutes, I didn't hear anyone talk about what had happened (and folks at Starbucks are usually not ones to keep their conversations private). However, what I did see happen was a sharp decline in the number of identities I was collecting when I restarted Firesheep.

This was relieving -- these people got the message. Hopefully they'll tell their friends, hide their kids, hide their wives. I cleared the sidebar once again, and after another twenty minutes of mindless conversation I saw five familiar names had returned to my herd.

This was somewhat puzzling. Did they receive the first message? I logged into their accounts, and surely enough, they had. One of them was even on Amazon.com, which I had warned about in my first message. I targeted him first: I opened up his Amazon homepage, identified something he had recently looked at, and then sent him a "no, seriously" message on Facebook from his account including the fun fact about his music choices.

I cleared again, waited for ten minutes, and after resuming Firesheep's collection it appeared that he was gone. Yet the other four remained persistent. Perhaps, I thought, they thought the message was automatically generated and randomly targeted (despite mentioning their location within 100 feet). So, one last message was in order.

I drafted a very short message (perhaps the first was too long?) and sent it to the four, once again from their own accounts:

Really wasn't kidding about the insecurity thing. I won't send another message after this -- it's up to you to take your security seriously. You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool.

Twenty minutes passed, and all four were still actively using Facebook. Again, I considered that they may not have received the second message, but after viewing their accounts it was clear that they had.

This is the most shocking thing about Internet security: not that we are all on a worldwide system held together with duct tape that has appalling security vulnerabilities; not that a freely available tool could collect authentication cookies; and certainly not that there are people unaware of either. What's absolutely incomprehensible is that after someone has been alerted to the danger (from their own account!) that they would casually ignore the warning, and continue about their day.
So what can you do to avoid being caught out by Firesheep?
NetworkWorld suggests subscribing to a low-cost VPN service that provides a secure connection anywhere on the Net. However, that may be a layer of complexity that's daunting to some users.
Another solution is to fight the Firesheep extension with another Firefox extension. HTTPS Everywhere lets you sign in to many mainstream sites using an HTTPS connection. The downsides are that it doesn't cover every site, and it's only available for Firefox, not Chrome or Internet Explorer.
You could, of course, avoid public Wi-Fi altogether, which is inconvenient but secure. Or, you could opt for a mobile data plan, which is expensive.
There's no easy answer, at least not until all Web operators wise up and offer fully encrypted access to all their sites.
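For site operators, "fully encrypted access" comes down to never letting the session cookie travel over plain HTTP. The following is an added example, not part of the original post: it audits response headers for the settings that leave a session cookie readable on an open network. The sample responses, host name and the SESSION_HINTS name list are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real site).
PLAIN_HTTP = {"url": "http://shop.example/home", "headers": [
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]}
# HTTPS login page, but the cookie lacks Secure: the browser will still attach
# it to any later plain-HTTP request to the same site, where it can be sniffed.
HTTPS_LOGIN_ONLY = {"url": "https://shop.example/login", "headers": [
    ("Set-Cookie", "session_id=abc123; Path=/"),
]}
HARDENED = {"url": "https://shop.example/login", "headers": [
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]}

# Assumption: cookie names containing these substrings carry the login session.
SESSION_HINTS = ("sess", "auth", "token")

def audit(response):
    """Return findings that expose a session cookie to capture on open Wi-Fi."""
    findings = []
    is_https = response["url"].lower().startswith("https://")
    if not is_https:
        findings.append("page served over plain HTTP")
    has_hsts = False
    for name, value in response["headers"]:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                is_session = any(h in cname.lower() for h in SESSION_HINTS)
                # morsel["secure"] is True only if the Secure flag was present
                if is_session and not morsel["secure"]:
                    findings.append(f"cookie {cname}: no Secure attribute")
    # HSTS tells the browser to refuse plain HTTP for this site in future
    if is_https and not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for sample in (PLAIN_HTTP, HTTPS_LOGIN_ONLY, HARDENED):
        print(sample["url"], audit(sample))
```
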







