Securing Your Starbucks Experience

First, unless you absolutely know otherwise, assume that every hotspot you're likely to encounter is totally open and unsecured. This means that anything you send between your laptop and the access point is in the clear, and anyone sniffing the signals will be able to read everything that goes to or from your computer. This is definitely the case with public access wireless, if only because anything else would likely be unmanageable for the provider. So when you're sitting at scenic San Francisco Airport using those Centrino stations, whatever you do can be seen by anyone in the terminal.

However, you can still use your wireless connection in public, if you're careful, and if you take some precautions before you connect.

Most important is to find out whether your e-mail provider can handle a secure connection. Some POP and IMAP servers at ISPs will support SSL or other types of secure connections, but you'll need to call your ISP or check the Web site to find out, and then you'll probably need help implementing the connection.

If your ISP's POP or IMAP connecton isn't secure, your ISP's Web mail server might well support an encrypted link. You can find out by looking for the lock symbol at the bottom of your browser window when you're using your ISP Web mail. You'll probably also see messages from your browser asking if it's OK to display non-secure items.

Once you're satisfied you have a secure connection, you're safe using e-mail from an open Wi-Fi access point.

If you're connecting to your company's e-mail, regardless of whether it's through a Web mail connection or an e-mail server, the chances are very good that you'll be safe, because you'll be using a VPN. If you are, you'll probably know about it, because your IT department will have installed the VPN client on your laptop for you to use when you're outside the office. Most public hotspots will work fine with most VPN software, but there are times when they won't work.

If the VPN doesn't work, check your company's Web mail to see if it's encrypted in the same manner as you'd check your ISP's Web mail.

If you can't use your company VPN and there's no encrypted Web mail, don't give in to the temptation to risk your e-mail in the clear. You can't afford to take that chance with company information. In addition, it's unlikely you'll be allowed to connect to anything important on your company network without some kind of security that encrypts the data stream.

On the other hand, there are things you probably don't have to worry about, even when working in the clear. For example, if you do your on-line banking in an open hotspot, you should be fine. Every financial services site I've ever seen uses an encrypted link. The same is true about many (but not all) e-commerce sites. But it's critical that you check your browser windows to make sure. Some sites have non-secure access, and you don't want to use one of those by mistake.

While it's true that there's never been a case in which someone has stolen a credit card number over the open Internet, remember that the hotspot you're using isn't the same thing. It is possible to sniff a credit card number, or a user name or password, over the air if the site at the other end isn't encrypted.

Likewise, if you're using a site that requires a log-in, be careful. If the site isn't protected, and you use the same user name and password on that site that you use elsewhere, it could be picked up fairly easily. And if the bad guys have your log-in information for one site, they'll try it for everything that you've attempted to access, just in case you got lazy and used that same information for your bank, or your office. Don't go to these insecure sites unless you're satisfied that your log-in information is not the same as it is for other sites.

It's also important that you have a personal firewall up and running and that you have file sharing turned off on your laptop. Even if someone isn't able to sniff your information over the air, they might be able to get into your computer remotely through your wireless connection.

And finally, be aware of what's going on around you. Most private information isn't stolen over the ether, but rather from over the shoulder. If you're reading your e-mail or doing your banking in a public place, remember that the person seated behind you or next to you may be able to see everything you're doing. That also means that they can read that Post-it Note with your log-in or account information. It may be low tech, but it works.

You have a lot more exposure from people physically looking at your laptop screen than you do from a wireless sniffer, simply because the wireless sniffer requires more skill to run.

Using public Wi-Fi is perfectly safe, as long as you're careful what you do, pay attention to making your computer secure from wireless sniffing and over-the-shoulder peepers, and be careful where you browse. In fact, it's probably a lot safer than using an ATM at night, and chances are you already do that every week.

Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. You can reach him at [email protected]. Contact the editor of Security Pipeline at [email protected].