Laptop Security at Public Wi-Fi: Key Tips

Google and Yahoo do not use HTTPS/SSL encryption for e-mail access by default (although Google recently announced plans to do so). So Wi-Fi eavesdroppers could capture your log in details.
Posted January 19, 2010

Eric Geier

Eric Geier

There are, of course, privacy and security risks involved in using Wi-Fi on public wireless networks, such as the hotspots found in many airports or cafes. While the convenience is a blessing, it can also be a curse. It’s important to keep your guard up, even if you’re relaxing on vacation, bored out of your mind on a layover, or trying to maximize your productivity on a business trip. Should you use the Wi-Fi at the airport or at a hotel? First, consider these points.

What are the real security risks?

To make a sound choice, it’s important to understand what's really at stake when using public wireless networks. Can eavesdroppers see your banking details? E-mails? Usernames and passwords? The answer is…it depends.

Any data transferred between a user and a Website using an HTTPS address (note the “s” at the end of “http”) and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.

However, eavesdroppers can capture Web traffic on other sites that use the unsecured HTTP address. For most people this isn't a problem. If you’re just passively viewing sites--checking the news or sports scores, for instance—you’re fine. Your risks increase, however, if you must login to sites that aren’t secured. Even if the site isn't all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.

Since e-mail is the thing we are most often inclined to check from our Wi-Fi-enabled devices, it’s important to realize that Web-based e-mail providers, such as Google and Yahoo, do not use HTTPS/SSL encryption for e-mail access by default (although Google recently announced plans to do so). This means that Wi-Fi eavesdroppers can potentially capture your log in details, as well as see your e-mail messages.

In addition to Web browsing, other services including POP3 or IMAP e-mail and FTP file transfers are vulnerable to Wi-Fi eavesdroppers. Services like these transfer their data in clear-text, including the login credentials. Most of these services can be secured with SSL encryption, which would mean they were protected from Wi-Fi snooping; however, most users do not secure their data, which leaves the login credentials and messages vulnerable to eavesdroppers when accessed via a POP3/IMAP e-mail client, such as Microsoft Outlook, over an unsecured network.

In addition to eavesdroppers being able to capture the traffic transferred over the airwaves, they could also potentially connect to a user’s laptop or other Wi-Fi device. Windows XP users, for instance, are vulnerable if they have configured their system to share any folders because those folders will also be shared on public networks, where other hotspot users can access them if they aren't password-protected.

How can hotspot owners help?

To protect the Internet traffic of users on hotspots, hotspot owners could implement encryption on their public Wi-Fi network. Though the Personal or Pre-Shared Key (PSK) mode of Wi-Fi Protected Access (WPA/WPA2) encryption typically used in home networks isn't feasible for hotspots, the Enterprise mode can be.

Read the rest at eSecurity Planet.

Tags: security, security best practices, laptops, Wi-Fi

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.