free wifi question

If I’m at a coffee shop or at someplace and turn on my laptop and find a wifi signal, how dangerous is it to surf the web? I don’t want to do any online banking, but what about shopping? What about surfing the Straight Dope? If I’m logged in already, is there still a danger of someone getting my name and password? Is there anything I can do to lessen the danger? Thanks

Anything that doesn’t use SSL (https) can be snooped upon by anybody “in the middle”, in this case, at least your wifi provider. This also applies to wired connections.

I’m not sure how hard it would be for others to snoop on plain HTTP over wifi. Depends on the encryption, probably (WPA vs WEP).

You should not EVER put in sensitive information on the Internet unless you are using SSL (HTTPS). It is really easy to tell, just look in the address bar; if you see http and not https, it is not secure. This is something everyone should abide by regardless if you are using a “secure” WiFi access point or not, wired connection, dialup, or any other.

I would say, in theory it’s very easy for someone to intercept your data. But I can’t imagine a lot of people wanting to do this.

The big issue isn’t so much data, it is passwords. So many people use the same password for everything.

I see your SD login and I see your name and password. I then try the same login and password at Citibank.Com. WOW it works…

You see that is the real issue, people don’t think about things like that.

You need different passwords for each account that needs to be protected. Let’s face it, the SD doesn’t need the same level of password complexity as my Citibank account.

What if I’m already logged in to the SD? Say I’m using an unsecured wifi signal from my next-door neighbor. Can he tell what my password is even though I didn’t even type it in? What if I do some shopping and make sure it’s https? Could he tell what my password is if I DID type it in?

No, if you’re already logged in, the SD (or most other websites) won’t ask for your password to be sent in plaintext as a method of authentication. It just doesn’t make sense, security-wise.

Not having taken any internet security courses, I can’t say for sure, but off-hand, I would assume there would be some sort of irreversible hash used on both ends, and compared. The fact that it is irreversible allows it to be sent over the internet in plaintext (or encrypted), since it is useless without knowing the password to begin with.

Now, if you were accessing a website coded by Joe the Plumber, he might not have the foresight to go with a secure solution, and you may actually be transmitting your password in plaintext. So it never hurts to be overprotective.

What you should be more worried about is being exposed to infected computers on the local wireless network who are actively exploiting unpatched holes in other systems (potentially yours) in the coffee shop.

Is what you’re saying that if I go to my coffee shop and log on to their free wifi and it just so happens their server is infected, the virus will attack my laptop? Right now I use AVG free antivirus and the Windows XP built-in firewall. I keep everything up to date. Am I generally safe?

No he’s not saying that. If you’ve got up-to-date virus protection and a decent firewall, that’s pretty unlikely. But what can happen is that the wifi provider can either steal your current session with any site you’re accessing (even if you’re “already logged in”) if you’re not using HTTPS, or steal your username/password if you’re using that wifi connection to log in (again, if you’re not using HTTPS).

In any case, that has nothing to do with whether you’re using wifi or not, or if it’s free or not. If you plug your laptop using a wire in a hotel (say), you’ve still got the same problem. It’s a matter of trust. Using wifi just makes it easier for other people to snoop in on the transmission (since you’re broadcasting all that data around) and also steal your current session and/or login. As far as I know, wifi security isn’t all that great, but it does depend on the kind of encryption you’re using (WEP seems to be particularly susceptible to this).
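The difference the last reply draws between logging in over plain HTTP and being "already logged in" can be seen by auditing what each message carries. This is an added example, not something posted in the thread: the three HTTP messages are constructed, and the host `forum.example`, the form fields `username`/`password` and the cookie name `sessionid` are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample messages (not captured from any real site).
LOGIN_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=correct-horse"
)
LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)
LATER_REQUEST = (
    "GET /showthread.php?t=1 HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Cookie: sessionid=abc123\r\n"
    "\r\n"
)

def split_message(raw):
    """Split a raw HTTP message into (lower-cased headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip request/status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def exposed_over_http(raw):
    """Report what one plaintext HTTP message reveals to anyone on the path."""
    headers, body = split_message(raw)
    found = {}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        if "password" in form:               # only present in the login POST
            found["password"] = form["password"][0]
    for header in ("cookie", "set-cookie"):
        if header in headers:
            jar = SimpleCookie()
            jar.load(headers[header])
            for name, morsel in jar.items():
                found["session:" + name] = morsel.value
                # Without Secure, the browser also sends it over http://
                if header == "set-cookie" and not morsel["secure"]:
                    found["missing_secure_flag"] = name
    return found
```

The later request carries no password, only the session cookie, which is why the reply speaks of a stolen session rather than a stolen password for someone already logged in.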