Paid Hotspots: Safety Not Included
While researching this article, I found a common misconception among travelers and coffee enthusiasts--namely, the idea that commercial hotspots that require pay-per-hour or monthly subscription fees (AT&T, Boingo, GoGo, T-Mobile) are more secure than their free counterparts because a payment and a password are involved.
In fact, these hotspots are almost always unencrypted, and they employ what is called a "captive Web portal" only to prevent access to the Internet until you enter a payment method (or subscriber password). Though this "gateway" Web portal is usually delivered over HTTPS (to protect the credit card information or the password), once you are authenticated, all the traffic is unencrypted on the wireless network.
As a result, your $10 monthly fee gives you access but not security. In fact, due to the nature of radio frequency transmissions, another person--even if they aren't a subscriber--can still view any unencrypted traffic that you send, just by joining the same SSID wireless network.
This means that outsiders can easily observe and capture any regular HTTP Websites you visit, any unencrypted POP3 e-mail you access, and any FTP transfers you make. Talented hackers can even modify their wireless card to clone the identity of your wireless card, thus obtaining free access through a commercial hotspot by "piggybacking" on your signals.
Use Your VPN
If your company offers a VPN (virtual private network) connection with Internet access, you should take advantage of that functionality when using either free or subscription Wi-Fi hotspots. By enabling the VPN function on your laptop, you ensure that all of your communication is encrypted with high-strength ciphers and tunneled from the Wi-Fi hotspot, across the Internet, and into your company's data center, where it is unpacked and sent out on the company's Internet connection.
This is a secure method of accessing company resources (intranet, e-mail, databases) because no matter who is also on the shared wireless network, you have a private tunnel back to your company. In some companies' VPN configurations, you can also browse the Internet in addition to accessing company resources.
Such an arrangement may be slightly slower than unencrypted Web browsing, but the security makes it worthwhile. Additionally, if you are traveling in a country that imposes Internet restrictions (such as China or Egypt), you can tunnel your traffic back through your U.S.-based VPN connection and reach sites as if you were stateside.
If your company doesn't offer a VPN service or has a "split tunneling" VPN (in which only requests to company resources travel through the encrypted tunnel, and all other traffic transmits unencrypted directly to the target), don't worry--you can still stay safe.
Try out HotSpot Shield, a no-cost VPN service from AnchorFree. The company offers its own VPN software that you install on your laptop prior to using public Wi-Fi.
Once you enable the software and service, it encrypts your traffic and sends it through a tunnel to the HotSpot Shield data center and then out to the Internet, in much the same way a company's VPN server does. HotSpot Shield even has mobile VPN settings (with no downloads necessary) to protect your Web surfing on your iPhone using the built-in Cisco VPN client software that Apple provides.
By using such a service, you make your connection secure all the way from the coffee shop to the AnchorFree data center in Northern California. Once there, your traffic travels unencrypted to its final destination on the Internet, as if you were browsing from a laptop plugged directly into the company's data center.
This arrangement isn't perfectly secure, since the encrypted tunnel does not travel all the way to the Website you visit. However, it's certainly more secure than a setup with no VPN at all; to get in, would-be data thieves would need access to the AnchorFree data center, not just the Wi-Fi network you're on.
Wi-Fi Surfing Safety Summary
So, to recap:
1. If your company has a VPN that you can use for Web browsing, use it.
2. If you can't use a company VPN, give HotSpot Shield a try.
3. Don't equate subscription (paid-for) Wi-Fi Internet with secure browsing.
4. On unencrypted wireless networks, everyone can see where you are surfing (except on HTTPS Websites).
5. On encrypted wireless networks, everyone with the password can see where you are surfing (this could be a handful of people in your house, or hundreds of people in an airport).
6. If you must use a Wi-Fi hotspot without any form of VPN, imagine that your laptop is connected to a stadium Jumbotron. Don't visit any sites you wouldn't visit with 80,000 people looking over your shoulder.