How safe are public wireless hotspots?

What are the security issues involved with public wireless hotspots? How can you protect yourself when working with a laptop outside the home or office?

What is a virtual private network (VPN) and does it help? Examples include WiFi Guardian and Hotspot Shield. Why can’t I just use a decent firewall like ZoneAlarm or Comodo? (A?: It seems that the VPN operates via an external server. Huh? How does that help?)

What special considerations are involved with public wireless hotspots: what vulnerabilities exist for the laptop that has run Windows update within the past month and has a non-MS firewall and antiviral package?

Previous thread: Airports, etc: “Free Public Wi-fi” network. One poster quotes Cache, Johnny, and Vincent Liu. Hacking Exposed Wireless: Wireless Security Secrets & Solutions. New York: McGraw-Hill, 2007.

Google:
7 tips for working securely from wireless hotspots

How do I safely use public wireless hotspots? (#8696)
Bonus question/hijack: List recommended software for wireless public hotspots. How does that software work: what does it do and not do? I’m thinking about NetStumbler, but other tips are welcome.

The primary threats are basically like eavesdropping. If the wireless network doesn’t have any encryption, anyone can see what’s being sent between your computer and the access point. Whoever’s listening can pick out email passwords, login information to commerce or banking websites, credit card numbers if you buy things, etc. Setting up a VPN gives you an encrypted tunnel: your computer encrypts a message, sends it to the VPN server, which decrypts it and sends it on its merry way. It’s assumed that the VPN server is more secure than your public access point, since any schmoe with a laptop and the right experience can listen to everything that’s broadcast on a wifi connection.

Firewalls will help prevent someone trying to directly hack your computer, but they won’t stop anyone from listening to your communications.

Thanks lazybratsche.

But most ecommerce and financial sites work with SSL. Assuming that the bad guys don’t install a keylogger, how could they capture your password?

And if they do install a keylogger, a VPN wouldn’t help, would it? That’s what antivirals and firewalls are for.

Separately, if the VPN server isn’t wholly trusted, SSL would protect you from them, right?

You have to be sure that you’re accessing the SSL version of the site directly, i.e. https://www.mybank.com and not http://www.mybank.com.

This is a subtle but dangerous difference and it’s a very easy mistake to make. If you leave out the “s” or if you simply type in “mybank.com”, your browser will take you by default to the insecure version of the site. Somebody controlling the router or acting as a fake wireless access point can show you a fake version of your bank site and get your login that way.

If you do any SSL stuff over a public wifi at all, make sure to have the SSL version bookmarked beforehand and use that every. single. time.

If the access point is controlled by an attacker, I think they can even break SSL with a man-in-the-middle attack.

And, the same might even apply for a VPN…

[del]Not typically, unless they can sign themselves as the proper owner of a given domain name – which doesn’t happen very often, and when it does, it’s usually due to human error on the Certificate Authority’s part – or they exploit some obscure browser/user flaw. SSL, when implemented and used correctly, is THEORETICALLY safe against man-in-the-middle attacks at least until the underlying math is broken.

ETA: I believe the same applies to VPNs with properly pre-configured keys, but don’t quote me on that.[/del]

Actually, I’m not so sure about this. Going to wait for someone more knowledgeable to chime in.

Agreed, but how many banks have login screens that are not SSL secured? Often at least, the http site will link to the https site, where you can log in.

Another question: there are a number of sites that are not https, but claim that the password is nonetheless entered securely. I think Amazon does this; Yahoo used to but no longer does; www.inbox.com does it now. Are they blowing smoke? It should be possible to encrypt the password but not the whole webpage, right?
I also await with interest further elaboration on a man in the middle attack on SSL. Thanks for all the replies.

Sure, but if you make a habit of going to the insecure site, out of sheer force of habit you could very well fall for a lookalike hijacking site. Unless you check the SSL status or certificate after the redirection every single time, it’s entirely possible for a hijacker to put up a fake version of the insecure page, including redirecting to another legit-looking secure site.

It’s even worse when a bank uses more than one domain name legitimately (like Citi does for Citi.com, Citibank.com, Citicards.com) – it’d be way too easy for spammers to make a fake Citibillpay.com or Citicreditcheck.com or something similar and unsavvy consumers won’t think twice because Citi does that for everything else.

Even if this is possible (and I think it is), it makes it incredibly difficult for the end-user to gauge whether a site is in secure mode. And, again, it’s even easier to fake for a hijacking.

Usually this means that only the login info is encrypted during the login process. So somebody listening would not be able to get your password because it’s encrypted before your computer sends it over the air. The problem is that once logged in, while you’re reading your email it might be unencrypted over the air, so all the content of the email could be picked out by someone listening. Thus if you read an email that contains sensitive info someone else might see it. There was also a hack I read about that grabbed the login cookie from the air and was able to then use it to access the victim’s gmail account from the attacker’s computer. No password needed.

This is why I have https://mail.google.com/mail bookmarked on my laptop, so that everything is encrypted, not just the login. I also have a policy of never doing any online banking over wireless just in case.
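
Added example, not part of the thread: a small Python check a site owner could run over their own response headers to flag the two exposures discussed above, a first request that travels as plain http:// and a login cookie issued without the `Secure` attribute. The function names, finding codes and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}

def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, 0 if absent or invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().strip('"').isdigit():
            return int(val.strip().strip('"'))
    return 0

def audit(url, status, headers):
    """headers: (name, value) pairs of one HTTP response. Returns finding codes."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    first = lambda name: next((v for k, v in hdrs if k == name), "")
    if urlsplit(url).scheme == "http":
        if 300 <= status < 400 and first("location").startswith("https://"):
            # The redirect itself is unencrypted, so the access point can replace it.
            findings.append("plaintext-redirect")
        else:
            findings.append("plaintext-page")
    elif hsts_max_age(first("strict-transport-security")) == 0:
        # Without HSTS the browser tries http:// again when a bare host name is typed.
        findings.append("no-hsts")
    for k, v in hdrs:
        if k == "set-cookie":
            name, attrs = cookie_attrs(v)
            if "secure" not in attrs:
                # Sent on any http:// request to the site: readable on open Wi-Fi.
                findings.append("cookie-not-secure:" + name)
    return findings

# Constructed responses for illustration; hosts and cookie values are made up.
TYPED_BARE_NAME = ("http://bank.example/", 301, [("Location", "https://bank.example/")])
LOGIN_ONLY_TLS = ("https://mail.example/login", 200,
                  [("Set-Cookie", "SID=abc123; Path=/; HttpOnly")])
ALWAYS_TLS = ("https://mail.example/login", 200,
              [("Strict-Transport-Security", "max-age=31536000"),
               ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for sample in (TYPED_BARE_NAME, LOGIN_ONLY_TLS, ALWAYS_TLS):
        print(sample[0], audit(*sample))
```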