WIRED: A new plug-in makes it easy to hijack internet accounts. Your best defence may be a VPN, writes DANNY O'BRIEN
LAST WEEK, at the Toorcon security conference, programmer Eric Butler released Firesheep, a plug-in for the Firefox web browser. It lets you take over the Facebook, Twitter and Google accounts (and a few more besides) of other users on your local network.
Let me spell that out for you: if you run Firesheep, you can randomly pick one of the people on, say, the same open wireless at your nearby cafe, and then easily view, delete, and add comments using their name on these sites.
Many people playing with Firesheep have been surprised and shocked by exactly how easy it is to hijack accounts in this way, and for good reason. For all of the finger-waving we get about choosing long passwords and never sharing our computers, most of us never knew that there’s essentially no security between shared users of a local network.
Like your login, it’s not a big secret. Those working in the same office or using the same wireless network have always been able to monitor all the unencrypted internet traffic on your shared network. And even if companies like Twitter and Facebook go to some lengths to protect your password, code like Firesheep can still lift from this stream the browser cookies that identify a user to a site after they log in. Presenting those cookies to the site yourself lets you impersonate that user.
Most office networks have the same characteristics, which means the boss’s Gmail account is vulnerable to surveillance by a casual freelancer (or a disgruntled peer). And all of us are vulnerable to similar surveillance from groups “upstream” from us on the internet. We’re constantly vulnerable to intrusive monitoring from network companies and their employees who provide our internet service.
Frustratingly, though, most people seem to be taking the wrong solutions to heart from the Firesheep debacle. Even professional security experts are declaring that users should beware of open Wi-Fi networks. This might be a good short-term strategy to evade the rampaging hordes of Firesheep users which, I guess, the more paranoid might assume will now emerge.
But it doesn’t fix the real problem.
Open Wi-Fi isn’t the problem, just as open-air concerts aren’t the reason we have pickpockets. Avoiding them may lower your chances of being a victim of random drive-by cyber-crime, but the probabilities are so low that it’s crazy to deny yourself something that might be useful or essential to how you work. If you go to an open-air concert or use open Wi-Fi, the chances that you’ll have your cookies snarfed by Firesheep or your wallet stolen are higher, but not that high.
And it’s not as if the Firesheep attack won’t work in far more places than just open Wi-Fi. While Firesheep does not automate the entire process of hijacking traffic on “secured” Wi-Fi networks, for instance, the possible security flaws are well-known and will be made simpler to exploit in the near future.
Permanently protecting against Firesheep and these future attacks means encrypting your communications with those sites. Removing that weak point is the responsibility of the companies that run Twitter, Facebook and other sites, who need to fix their code.
One way they could improve security for their users would be to provide and publicise an encrypted “https” version of their site. Computer-to-computer encryption like https ensures that no one except the site you’re talking to can monitor or imitate your internet traffic.
It stops casual interceptors like a mischievous cafe Firesheep user, and it also stops the more determined adversaries with more malicious intentions on other shared networks you use. Both Twitter and Facebook already offer this feature, although their support is sometimes patchy and poorly advertised.
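The weakness the column describes is a session cookie that the browser is willing to send over plain HTTP. The following Python audit is an added illustration, not code from the column or from any of the sites it names: it takes a list of response headers (the two header sets below are constructed samples, with a hypothetical `sessionid` cookie) and reports cookies that lack the `Secure` and `HttpOnly` attributes, plus a missing `Strict-Transport-Security` header, which is what lets a browser fall back to unencrypted `http://` in the first place.

```python
"""Audit response headers for cookies that would be exposed to a passive
sniffer on a shared network.  Added illustration; sample headers below are
constructed, not captured from any real site."""
from http.cookies import SimpleCookie

# Substrings that suggest a cookie carries a login session (heuristic only).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value."""
    findings = []
    cookie = SimpleCookie()
    cookie.load(header_value)
    for name, morsel in cookie.items():
        tag = " (looks like a session cookie)" if any(
            h in name.lower() for h in SESSION_NAME_HINTS) else ""
        # morsel["secure"] is "" when the attribute is absent, True when present.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, will be sent over plain HTTP{tag}")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts{tag}")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as a server would send them.
    Returns a list of human-readable findings; empty means nothing to flag."""
    findings = []
    names = {n.lower() for n, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header; browsers may still "
                        "try http:// first and leak cookies lacking Secure")
    for n, v in headers:
        if n.lower() == "set-cookie":
            findings.extend(audit_set_cookie(v))
    return findings


# Constructed sample: the kind of response Firesheep relies on.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=86400"),
]

# Constructed sample: the same cookie issued safely over https.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=86400; Secure; HttpOnly"),
]


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for f in audit_response(resp) or ["no findings"]:
            print(" -", f)
```

Run as a script it prints three findings for the weak response and none for the hardened one; the same functions can be pointed at headers captured from your own site to confirm that an `https` version actually marks its session cookie `Secure` rather than merely being reachable.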
While we wait for these companies finally to fix their problems, another way we can proactively protect ourselves is to use a virtual private network (VPN). A VPN encrypts all of your internet traffic and carries it to another remote network, which then connects to the site you intend to visit. The final connection may be unencrypted and therefore vulnerable, but it may be better placed, away from potential eavesdroppers.
Your employer might spring for a private VPN if you let them know that everyone else on their network is reading their mail and Facebook posts. If not, you can pay for one out of your own pocket. (I use a service called AceVPN, which only costs $5 a month, and has servers around the world.)
Firesheep’s author has publicised security flaws that have been long known, and largely ignored by large internet companies. He should be commended for it.
Firesheep isn’t the first time the problems have been highlighted, and it won’t be the last. Previously, companies have been able to dodge their responsibilities by misdirecting the blame to either user behaviour or the creator of the tool. We don’t need to be fooled like that again. None of us are really sheep.