As many of you know, though the general public is probably not really aware of it, Wi-Fi hotspots are not encrypted, and hence the data transmitted can be read by anyone nearby with just a bit of knowledge and no special equipment. But how much is actually possible, and how easy is it to do?
First, here are some things which are not problematic:
- Most hotspots I have encountered in the past encrypt the authentication and payment pages, so an attacker can't steal credit card information. One has to look closely at the URL of the landing page, though, and ensure that the connection is really encrypted (URL marked in green or blue on the left side in Firefox).
- Online shopping: I've tested Amazon, which by default does not encrypt pages until the time you click on the checkout button. Attackers can therefore see what you are looking for on Amazon, but the payment process itself is encrypted.
- Online banking: All online banking pages I use are fully encrypted, so attackers can only see which banks I am using but not what I am doing there.
And now some things which require special attention:
- POP and SMTP for e-mail: The default configuration of most e-mail programs is not to use encryption. While over a properly secured Wi-Fi network at home this is not really an issue, an attacker in a public Wi-Fi hotspot can easily intercept user names and passwords. Switching on encryption is not difficult in most e-mail programs but one has to be aware of it and actually do it.
- I tried the same with my Facebook account at home, and after transferring the cookies, the session was usable from both computers as long as the logout button was not pressed. But who presses the logout button? Other web applications, such as Flickr for example, also use non-encrypted HTTP, so I expect things to be the same.
So there isn't really a way around a VPN tunnel such as this one if you want to securely connect over a public Wi-Fi hotspot.
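For the POP and SMTP item above, one way to check whether a mail program really logs in over an encrypted connection is to audit its protocol debug log. This is an added example, not part of the original post; the `C:`/`S:` log format, the function name `audit_session` and the sample sessions are assumptions constructed for illustration.

```python
import re

# Commands that carry a user name or password: POP3 USER/PASS, SMTP AUTH PLAIN/LOGIN.
CRED_CMD = re.compile(r"^(USER|PASS|AUTH\s+(PLAIN|LOGIN))\b", re.IGNORECASE)
TLS_CMD = re.compile(r"^(STARTTLS|STLS)\s*$", re.IGNORECASE)
TLS_OK = re.compile(r"^(220|\+OK)\b")  # positive reply to STARTTLS (SMTP) / STLS (POP3)


def audit_session(log_lines):
    """Return (line number, command) for each credential command sent before TLS.

    log_lines uses "C: " for client commands and "S: " for server replies
    (assumed debug-log format). Secrets are never copied into the result.
    """
    tls_active = False
    tls_requested = False
    findings = []
    for number, raw in enumerate(log_lines, start=1):
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S" and tls_requested:
            # The upgrade only counts if the server accepted it.
            tls_active = tls_active or bool(TLS_OK.match(text))
            tls_requested = False
        elif side == "C" and TLS_CMD.match(text):
            tls_requested = True
        elif side == "C" and CRED_CMD.match(text) and not tls_active:
            words = text.upper().split()
            findings.append((number, " ".join(words[:2]) if words[0] == "AUTH" else words[0]))
    return findings


# Constructed sample sessions (host names and credentials are made up).
POP3_CLEARTEXT = ["S: +OK POP3 ready", "C: USER alice", "S: +OK",
                  "C: PASS example-password", "S: +OK logged in"]
SMTP_UPGRADED = ["S: 220 mail.example.test ESMTP", "C: EHLO laptop",
                 "S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN", "C: STARTTLS",
                 "S: 220 Ready to start TLS", "C: EHLO laptop",
                 "S: 250 AUTH PLAIN LOGIN", "C: AUTH PLAIN AGFsaWNlAGV4YW1wbGU=", "S: 235 ok"]
SMTP_REFUSED = ["S: 220 mail.example.test ESMTP", "C: EHLO laptop", "S: 250 AUTH LOGIN",
                "C: STARTTLS", "S: 454 TLS not available", "C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6"]

if __name__ == "__main__":
    for name, log in [("pop3", POP3_CLEARTEXT), ("smtp", SMTP_UPGRADED), ("refused", SMTP_REFUSED)]:
        print(name, audit_session(log))
```

The third sample covers the case where the server refuses the upgrade and the client logs in anyway, which is the setting to rule out before using a mail program on a hotspot.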