How to Stay Safe on Public Wi-Fi
Your Personal Business Is Your Competitors' Business
But what if you think that your data isn't important enough for someone to snoop on? Perhaps you're just browsing Websites, not logging in to any e-mail systems or Web applications that require passwords. You should be safe then, right? Not necessarily.
Imagine you're on airport Wi-Fi while you're returning from an industry trade show. Instead of checking the hundreds of e-mail messages waiting for you (unlikely, right?), you decide to browse your competitors' Websites, looking for ideas. Or maybe you elect to research potential acquisition targets.
In the background, however, your e-mail client detects an Internet connection and starts to download your e-mail. A colleague back at headquarters sees your instant-messenger status change to 'online' and sends you a panicked plea: "Huge problem @ factory. Possible recall. Call Bob ASAP!"
Armed with nothing more than wireless packet analyzer software, a fellow conference attendee in the same seating area may be able to glean competitive intelligence based solely on the Websites that you visit and your (probably unencrypted) instant messages--not to mention the personal e-mail from the recruiter indicating you're ready to jump ship, or the notes reflecting your relationship problems with your significant other. In short, the "other guy" is reading your messages before you are, and you didn't even do anything.
Stick to SSL for Webmail
First, to combat mail snoops, use a Webmail system with HTTPS for the whole session. Almost all Webmail systems use HTTPS when asking you to log in, so your password is transmitted securely. However, after authentication, they usually switch back to HTTP because it reduces the computational strain on their servers and makes serving advertisements easier.
That means that everyone who is on the same wireless network (either unencrypted or with a shared password) can read the content of your e-mail. In some cases, a person can steal your session cookie and log in to your Webmail session without your password. (That is, until you click the 'Logout' link--which you do every time, right?)
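The two weaknesses described above, a redirect from HTTPS back to HTTP after login and a session cookie that is not restricted to HTTPS, can be checked from a recorded login flow. The following Python check is an added example, not part of the original article; the host name, cookie names and header values are constructed sample data, and `audit_flow` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample data: each hop is (request URL, response headers).
# Host and cookie names are made up for illustration.
DOWNGRADING_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "LOGIN_OK=1; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", []),
]
HTTPS_ONLY_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
        ("Location", "/inbox"),  # relative redirect keeps the https scheme
    ]),
    ("https://mail.example.test/inbox", []),
]


def audit_flow(flow):
    """Return findings that expose mail or session cookies to Wi-Fi sniffing."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        if scheme != "https":
            findings.append(f"cleartext page: {url}")
        for name, value in headers:
            if name.lower() == "location":
                target = urljoin(url, value)  # resolve relative redirects
                if scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(f"downgrade redirect: {url} -> {target}")
            elif name.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for cookie_name, morsel in jar.items():
                    # Without Secure, the browser also sends it over plain HTTP.
                    if not morsel["secure"]:
                        findings.append(f"cookie lacks Secure flag: {cookie_name}")
    return findings


if __name__ == "__main__":
    for label, flow in (("downgrading", DOWNGRADING_FLOW),
                        ("https-only", HTTPS_ONLY_FLOW)):
        print(label, audit_flow(flow) or "no findings")
```

An empty result means every hop stayed on HTTPS and every cookie set during the flow is limited to HTTPS connections.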
Two very notable exceptions are Gmail and your corporate e-mail system (such as Outlook Web Access). Earlier this year, Gmail switched from the common practice of using HTTPS just for logins to using HTTPS throughout the entire Webmail session.
Google Apps users were previously able to opt in to this feature, but it is now the default with the ability to opt out (if you hate security). This change, combined with Google's new suspicious-login detection algorithms, makes Gmail a standout among free Webmail providers. If you were looking for a reason to switch from your AOL, Hotmail, or Yahoo account, you've found it.
Your company's Webmail system is also likely protected by HTTPS at all times, because that is the default configuration for most systems. However, if you check your work messages using local software (Outlook, Thunderbird, Mac OS X's Mail) instead of HTTPS Web-based e-mail, you may or may not be using encryption.