Surfing Naked At Starbucks

Do you ever use public Wi-fi services, like the AT&T Wi-fi at Starbucks and elsewhere? You might get the impression that the login or checkbox screen you have to go though is an indication of security. You couldn't be more mistaken.

Public Wi-fi services are almost all completely insecure. All the local wireless LAN traffic is unencrypted, at least at the LAN level. The person next to you, or the person sitting in his car outside, can sniff all your traffic and see everything you're doing. Worse, he can co-opt your HTTP session and interact with the site as if he were you. And if you're doing company work, it's your company that's compromised.

But there are things you can do to protect yourself and your organization. One of them, which I have used for some time now, is a public VPN service. All your traffic will be encrypted through to a proxy server out somewhere else and routed to its destination from there.

This is, in fact, an extremely old issue. Open Wi-fi has always been known to be insecure and vulnerable to attackers who can use any number of high-quality and free network sniffers such as Wireshark.

But the issue hit the headlines late last year with the release of Firesheep, a Firefox plugin which made this form of hacking really easy, accessible to any user with a copy of Firefox and a deficient set of morals.

If you are communicating with an SSL site then there's no problem, and Firesheep goaded some major sites, including Twitter and Facebook, into accelerating back-burner plans to implement SSL. But you can't count on all sites--and important protocols, such as SMTP, are unencrypted as well.

So I use HMA! Pro, the paid version of Hide My Ass!, an encrypting proxy server, also known as a VPN. Not only does it encrypt your Web traffic, but it gives you a choice of a large number of proxy servers around the world to connect with. Don't want the site to know you're in Houston? Use Hide My Ass! and, as far as they know, you're coming from Rotterdam.

This has other applications. Some sites, such as Major League Baseball's MLB.TV, use IP location services to determine your location and enforce local blackouts. You could use a proxy like HMA to bypass these. It would be wrong, of course--but you could do it.

HMA! and many other programs work on Macs, but if you're working on a smartphone or tablet your options are somewhat constrained. There are browser-based proxies--HMA! has one--which should work on anything, but they aren't as automatic or as simple to use.

And don't assume that you can use these services to commit real crimes. Consider the case of Cody Kretsinger, a 23-year-old from Phoenix, Arizona, who was recently busted by the Feds as one of the Lulzsec hackers who attacked Sony.

Kretsinger used Hide My Ass! as one of his protections for his attacks, but Hide My Ass! ratted him out. They are a British company and obligated, under British law, to log all connections and surrender logs to the authorities who, in this case, turned them over to the FBI.

So encrypted proxy surfing is not your route to the perfect crime, but it is your route to safe surfing in the unprotected waters of public Wi-fi.