Wi-Fi Hotspots and Cookies

As many of you know, but the general public probably isn't really aware of, Wi-Fi hotspots are not encrypted and hence the data transmitted can be read by anyone nearby with just a bit of knowledge and no special equipment required. But how much is actually possible and how easy is it to do it?

First, here are some things which are not problematic:

  • Most hotspots I have encountered in the past encrypt the authentication and payment pages so an attacker can't steal credit card information. One has to look closely though at the URL of the landing page and ensure that the connection is really encrypted (URL marked in green or blue on the left side in Firefox)
  • Online shopping: I've tested Amazon which by default does not encrypt pages until the time you click on the checkout button. Attackers can therefore see what you are looking for on Amazon but the payment process itself is encrypted.
  • Online banking: All online banking pages I use are fully encrypted, so attackers can only see which banks I am using but not what I am doing there.

And now some things which require special attention:

  • POP and SMTP for e-mail: The default configuration of most e-mail programs is not to use encryption. While over a properly secured Wi-Fi network at home this is not really an issue, an attacker in a public Wi-Fi hotspot can easily intercept user names and passwords. Switching on encryption is not difficult in most e-mail programs but one has to be aware of it and actually do it.
  • Of particular interest for me are blogging systems as I use one of them myself for this blog. Some of them do not use https for the editing process and use cookies to identify the session. When the pages are not encrypted and an open Wi-Fi hotspot is used, the cookies can be easily intercepted and misused. At home in my own encrypted Wi-Fi network (for which I obviously have the key and where it is legal to experiment) I ran a proof of concept: First, I intercepted the http request for the blog editor web page with Wireshark, copied the cookies and imported them into Firefox on a second computer. Then, I requested the same page on the second computer and could easily access the blogging front end. The damage that can be done this way is limited as a password change requires knowledge of the old password so an attacker can't lock out the owner of the blog. And as soon as the logout button is pressed, the session is closed for the owner and the attacker. Better than nothing but still way to insecure for my purposes.
  • I tried the same with my facebook account at home and after transferring the cookies, the session was usable from both computers while the logout button was not pressed. But who presses the logout button? Other web applications such as flickr for example also use non encrypted http so I expect things to be the same.

So there isn't really a way around a VPN tunnel such as this one if you want to securely connect over a public Wi-Fi hotspot.