Security experts are advising Firefox users on how to protect themselves against Firesheep, the new browser add-on that lets amateurs hijack users' logged-in sessions on Facebook, Twitter and other popular services.
One provider, Strong VPN, prices its service starting at $7 (£4.45) per month or $55 (£35) per year.
Gallagher, however, warned that a VPN isn't a total solution. "That's just pushing the problem to that VPN or SSH endpoint," he said. "Your traffic will then leave that server just as it would when it was leaving your laptop, so anyone running Firesheep or other tools could access your data in the same way."
"A blind suggestion of 'use a VPN' doesn't really solve the problem and may just provide a false sense of security," he said.
Strong VPN disagreed. "Our servers are in a secure datacenter, so no one's going to be able to 'sniff' the traffic coming in or going out," a company spokesman countered. "All the traffic from, for example, your laptop in San Francisco, is encrypted when it goes to one of our US servers."
Storms echoed Strong VPN's assertion. "I can see [Gallagher's point], that a VPN doesn't solve the root problem, which is on the service end," he said. "But although it's true that the traffic would be clear text when it leaves the VPN server for the site, it's very unlikely that someone would snoop that traffic."
Sean Sullivan, a security advisor with F-Secure, recommended Comodo's TrustConnect as "a VPN in all but name only". Comodo, a rival of F-Secure, sells the service for $7 (£4.45) per month or $50 (£31) annually.
If free is the object, there are options there too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted (HTTPS) connection when it accesses certain sites.
One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google's search engine.
The other choice, Force-TLS, serves the same purpose as the EFF's extension, but lets users specify the sites on which to enforce encryption.
"I expect that [Firesheep] will spur the EFF or others, maybe in the open source community, to some additional development [of such add-ons], maybe Chrome ports of those extensions," Sullivan said.
That could take months. In the meantime, Sullivan had another idea. "A Mi-Fi device can encrypt [traffic], so with one you're always carrying your own Wi-Fi hotspot with you," he said.
Mi-Fi isn't cheap, however. Ultimately, moves users make to plug the holes Firesheep exposes are stop-gaps. The elephant in the room, said Butler and Gallagher as they defended the release of the add-on, is the lack of full encryption. And only the sites and services can fix that.
"The real story here is not the success of Firesheep but the fact that something like it is even possible," Butler wrote in his blog on Tuesday. "Going forward, the metric of Firesheep's success will quickly change from the amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."
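The point Butler and Gallagher make, and the reason the HTTPS-Everywhere and Force-TLS add-ons above are only a client-side workaround, can be shown in a few lines. The following is an added example written for this page; it is not code from the article, the EFF, Comodo or any of the people quoted, and the host name `example.test` and cookie values in it are constructed. It models the browser rule that decides whether a session cookie is attached to a plain-HTTP request, the sniffer's step of reading that cookie out of the cleartext request, and the server-side headers (a `Secure` cookie and HSTS) that make the attack stop working.

```javascript
// Added example (not code from the article, the EFF, Comodo or any quoted
// source). It models the two halves of the Firesheep problem: the browser
// rule that decides whether a session cookie rides along on a plain-HTTP
// request, and the sniffer-side step of reading that cookie out of the
// cleartext request. Host names and cookie values are constructed.

// Parse a Set-Cookie header value (RFC 6265 section 5.2, simplified to the
// attributes this example cares about).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, val] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
    else if (k === "domain") cookie.domain = (val || "").trim().toLowerCase();
    else if (k === "path") cookie.path = (val || "").trim();
  }
  return cookie;
}

// Browser rule (RFC 6265 section 5.4): a cookie marked Secure is attached
// only to https:// requests. Returns the Cookie header value, or null if
// nothing would be sent.
function cookieHeaderFor(jar, url) {
  const https = new URL(url).protocol === "https:";
  const sent = jar.filter((c) => https || !c.secure);
  return sent.length ? sent.map((c) => `${c.name}=${c.value}`).join("; ") : null;
}

// The raw request the browser would put on the wire for a given URL.
function buildRequest(jar, url) {
  const u = new URL(url);
  const cookie = cookieHeaderFor(jar, url);
  let req = `GET ${u.pathname} HTTP/1.1\r\nHost: ${u.host}\r\n`;
  if (cookie) req += `Cookie: ${cookie}\r\n`;
  return req + "\r\n";
}

// Sniffer side: on an open Wi-Fi network a plain-HTTP request is readable by
// everyone in range; this pulls the Cookie header out of one captured request.
function extractCookieHeader(rawRequest) {
  for (const line of rawRequest.split("\r\n")) {
    const idx = line.indexOf(":");
    if (idx > 0 && line.slice(0, idx).trim().toLowerCase() === "cookie") {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Server side of the fix: tell the browser to upgrade every later request to
// https itself (HSTS, RFC 6797). Force-TLS and HTTPS-Everywhere emulate this
// from the client side for sites that do not send it.
function hstsHeader(maxAgeSeconds, includeSubDomains = true) {
  return `max-age=${maxAgeSeconds}` + (includeSubDomains ? "; includeSubDomains" : "");
}

// What a sniffer gets when the logged-in browser fetches one http:// resource
// (an image, a redirect target) from a site that set the given session cookie.
function sniffedCookie(setCookieHeader) {
  const jar = [parseSetCookie(setCookieHeader)];
  const req = buildRequest(jar, "http://example.test/images/logo.png");
  return extractCookieHeader(req);
}

// Constructed cookies: same session token, with and without Secure.
const WEAK_COOKIE = "session=abc123; Path=/; HttpOnly";
const HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure";

console.log("weak site leaks:", sniffedCookie(WEAK_COOKIE));         // session=abc123
console.log("hardened site leaks:", sniffedCookie(HARDENED_COOKIE)); // null
console.log("HSTS header:", hstsHeader(31536000));
```

Two things worth noticing: `HttpOnly` on its own does nothing against Firesheep, since it only hides the cookie from page script, not from the network; and a VPN, as Gallagher argues above, just moves the point at which this plain-HTTP request becomes readable. Only the site sending `Secure` on its session cookie and an HSTS header removes the cleartext request altogether.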
But for the moment, even security professionals are worried. "I'm at the airport right now," Wisniewski told PC Advisor's sister title, Computerworld. "And I'm wondering if someone is using Firesheep here. Maybe I should do a little 'shoulder browsing' to see if anyone has it running."
- Avoid public Wi-Fi networks
- VPN isn't a total solution