
How to stay safe at a public Wi-Fi hotspot

Almost all of us use public WiFi hotspots at one time or another. In this …

Firesheep lit a figurative fire under the feet of folks who otherwise weren't concerned with the security of their data as it passes to and fro over a WiFi network in a public place. That's good. You're at risk whenever you use WiFi on a public network, but thankfully it's never been easier or cheaper to secure yourself thoroughly.

Firesheep's threat is that it allows anyone with a Firefox browser to hijack the sessions of anyone on the same network using a few dozen popular content, commerce, and social-networking sites by snarfing cookies that pass in the clear. But Firesheep is only the easiest to use of a series of freely available tools that can extract and record data passing openly over networks. The only way to defeat all of them is to secure all the connections over which you pass anything personal, financial, or confidential.

You have a variety of strategies to choose from, some of which are free and some of which have a modest cost attached. None are terribly complicated, but just require a commitment on your part if you feel at risk. Which you should.

In a companion piece to this article, we'll provide advice to cafes and other public venues on how to enable basic password-security to provide an additional level of difficulty for fair-weather crackers, who will be deterred by a bar to sniffing traffic easily.

The full Monty: a VPN connection. A virtual private network (VPN) connection encrypts all the data between a device and a VPN server on the other end. For those of us who don't already have a VPN service through work, you can rent the service by the month or year. I've long used and recommended WiTopia, which has services ranging from $39.99 for the lowest-end VPN service to $69.99 for a bundle of offerings, including SSL, IPsec, and PPTP connections. There's also the veteran security provider Anonymizer, which has a $79.99-per-year offering that includes a VPN connection and anonymized browsing.

VPN clients are built into nearly every operating system, including mobile OSes like Apple's iOS that don't allow third-party software that interacts with low-level networking protocols. Depending on what set of devices you own, make sure the service has support for the right protocols. (Apple's client supports five popular kinds of VPN, but omits a couple you might encounter.)

With a rental VPN, the server isn't located in the office of a company with which you work, but rather in a data center somewhere else in the world. This defeats any local hacking and sniffing on the WiFi network, the Ethernet network to which WiFi is connected, and even the Internet service provider offering broadband to the venue in which you're working. (It also bypasses local filtering and governmental intrusion, so long as the VPN itself isn't blocked.)

Some people still don't find that reassuring, because once your data pops out at the data center, there's no further encryption from the VPN portion until it reaches its destination; the same is true for data making the return trip. Still, at that point, you're up at the peering level of the Internet, where sniffing and hacking is much less likely. You can layer encryption with a VPN, relying on encrypted connections with websites and file-transfer servers to protect vital communications, and the VPN to cloak everything else. There's no incompatibility there.

You can set up your own VPN server using free Linux software, or built-in options in Windows Server (several versions) and Mac OS X Server (since 10.4). This may be more trouble than it's worth, however. You typically need multiple static and publicly routable IP addresses, and more knowledge than you care to acquire. Further, because every packet routes in and out of the server (in to the VPN, which decrypts the data, and then back out to the destination), unless you have a high-speed upstream rate where your server is located, your roaming download speeds could be constrained by the detour. VPN-for-hire services in data centers don't suffer that problem, as they're backed by massive pipes.

If you work for a company that handles legal, medical, or financial data, or a corporation of any scale, your work laptop and mobile should already be protected when on the go by a VPN (virtual private network) connection. In fact, you might be forced to use a VPN by software that double-checks whether such a service is active before allowing you to communicate over the 'Net.

Secure your e-mail. Just a few years ago, you could not assume that an Internet service provider would offer SSL/TLS-protected POP, IMAP, and SMTP. Now, it's de rigueur, although no provider I'm aware of requires it. (SSL, Secure Sockets Layer, is the name for an older security spec now known as Transport Layer Security or TLS: together, SSL/TLS. The spec lets a client and server negotiate a secure connection using a third-party verification step to confirm the server's identity. It's used with the open Web, e-mail, and many other service types.)

You may already have secured your e-mail. Check your various e-mail clients on computers and mobile devices. Depending on the program, you may need to manually change the port number over which you connect to incoming and outgoing mail. Some clients just let you check a box labeled "Use SSL" or something similar to reconfigure settings to use the right ports.

This is typically port 995 for POP and 993 for IMAP. SMTP commonly uses 465 or 587. With SMTP, you sometimes have to monkey around with finding the right port and setting for obscure and outdated reasons. One port might require setting a mail client to request but not require a secured connection, for instance, while another only allows connections in which the client assumes security will be in place. Many mail hosts and ISPs have a guide or wiki for troubleshooting if your first pass doesn't work.

When setting up a new mail connection, most e-mail clients are smart enough to ask whether or not you want to use SSL/TLS or "security." Say yes! If your host doesn't offer security, it's time to find a new provider.
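Added example (not from the article): a small checker, built on the standard library's certificate validation, that confirms a mail provider really offers TLS on the ports listed above. 993, 995, and 465 expect TLS from the first byte; 587 starts in plaintext and upgrades with STARTTLS. Host names passed to it are whatever you want to test; none are taken from the article.

```python
# Added example (not from the article): verify that a mail host speaks TLS on
# the standard secure ports, with the default context validating the server's
# certificate chain and host name. Any host name you pass in is your own choice.
import imaplib, poplib, smtplib, ssl

# Standard secure ports: 993/995/465 expect TLS from the first byte
# ("implicit TLS"); 587 starts in plaintext and upgrades via STARTTLS.
SECURE_PORTS = {
    ("imap", 993): "implicit",
    ("pop", 995): "implicit",
    ("smtp", 465): "implicit",
    ("smtp", 587): "starttls",
}

def tls_mode(protocol, port):
    """Return 'implicit', 'starttls' or 'plaintext' for a protocol/port pair."""
    return SECURE_PORTS.get((protocol, port), "plaintext")

def check_mail_tls(protocol, host, port, timeout=10):
    """Open a TLS session to host:port and return (ok, detail).

    ok is True only when the handshake completed AND the server's
    certificate chain and host name validated under the default context.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name
    mode = tls_mode(protocol, port)
    try:
        if mode == "plaintext":
            return False, f"{protocol} on port {port} is not a TLS port"
        if protocol == "imap":
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
            conn.logout()
        elif protocol == "pop":
            conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
            conn.quit()
        elif mode == "implicit":
            with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
                s.ehlo()
        else:  # port 587: plaintext greeting, then STARTTLS before anything else
            with smtplib.SMTP(host, port, timeout=timeout) as s:
                s.starttls(context=ctx)
                s.ehlo()
        return True, f"{protocol} on port {port}: TLS OK, certificate valid"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate failed validation: {e}"
    except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as e:
        return False, f"no TLS session: {e}"
```

A provider that passes on 993 or 995 but fails on 587 is the mismatch case described above: the client must be told to require, not merely request, the secured connection.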

Webmail is now also widely available with SSL/TLS for an entire session. Hotmail, Yahoo Mail, and Gmail resisted that for a while, securing just the login portion, and only offered less obvious ways to have a secured session. Reality has hit, and it's much simpler. In Gmail, for instance, you check a box in the General settings screen to "always use https." From then on, every time you log in (which is always done securely), you're redirected to an SSL/TLS-protected page.

Force secure Web browsing. This is an area still in its nascence. An extension for a browser or a built-in feature forces an SSL/TLS connection to a website that offers a secure alternative to a plain http connection even when you click a link or type in a URL to the unsecured location. As the cost and complexity of offering an SSL/TLS site has dropped for Web firms and the desire for security among users has grown, an ever-growing number of major sites have both secured and unsecured flavors. This includes editorial sites such as the New York Times, Washington Post, and Wikipedia, where you would reveal more about your browsing habits than provide a lever for someone to crack open your behavior or act maliciously in your name. (Sure, they could leave ugly comments and bad wiki edits, but that seems rather childish unless you're being targeted individually.)

The ultimate path for making this work is a proposal at the IETF (Internet Engineering Task Force), with the HTTP Strict Transport Security (HSTS) specification, which is the basis of a built-in forced-secure connection in Firefox 4, currently in beta. When this is finalized and adopted, and browser makers and website operators take heed, the general problem of unsecured connections will disappear, but only for websites that choose to recognize the problem. This may wind up being all of them.

In the meantime, you have to cobble together a solution. A VPN is the best alternative, but you can always layer this sort of protection on top of the VPN. Only Firefox (before 4.0) has true integration with an extension that changes the URL path before a connection is made. (If a connection is made first, then cookies and other data are sent insecurely, making the redirection less meaningful.)

For Firefox, you can opt for ForceTLS, an extension that interacts with sites that use the proposed HSTS method above. You can also opt for HTTPS Everywhere, an extension developed by the Electronic Frontier Foundation and The Tor Project. HTTPS Everywhere comes with a built-in list that can be modified. (An adaptation of HTTPS Everywhere for Apple's Safari, SSL Everywhere, is undownloadable at this writing, although its development project is still alive at github. Safari doesn't allow extensions to intercept URLs, only redirect, so there's some exposure.)

Chrome users could opt for Use HTTPS, which can redirect specified sites to SSL/TLS versions, but according to the developer's site requires some modifications by Google to make it work as intended. Opera 11 users can install Redirect to HTTPS, which connects to the non-secured site before redirecting for a modifiable list of sites. The developer says Opera 11 doesn't provide interception of the request. Internet Explorer seemingly has no good way to offer interception or redirection.

Opt for secure sessions in other services. Checkboxes to secure services are everywhere, although you may have to hunt for them. For instance, the interaction between a standalone Twitter desktop client and Twitter's interface for retrieving tweets and other data for that user can be secured separately from the always-encrypted login portion. In the client I use, Echofon for Mac, I have to open up preferences, click the Advanced button, and check Use SSL for All Requests.

Newer services tend to be designed with SSL/TLS encryption as an integral part. The cloud-sync file manager Dropbox, for instance, always uses encryption for all its communications, on top of encrypting the data it stores for you on its servers. Likewise, all the major Internet-hosted backup services, like Crashplan, Carbonite, and Mozy, employ at least one level of encryption for data transmission; some offer additional layers, such as PGP-based encryption of the data as it is transferred.

Given the level of risk that's currently understood, and the ease of a casual black hat or vandal hijacking information, sessions, and identities, it's hard to imagine that any company would make the bad decision to design and budget for an Internet-based service that wasn't start-to-finish secured. It's the first question any IT department would ask for business sales, and home and small-businesspeople have been sensitized because of the wide coverage of Firesheep.

The best advice we can offer is the first advice: a VPN connection. Anything else is partial, second best, or complementary. While it increases your hassle, it also removes the local-network risk that your sessions will become someone else's property.
