Before logging into any Wi-Fi hotspot, try to check the hotspot's credentials. If WPA/WPA2-protected access is available (e.g., tmobile1x), configure your Wi-Fi client to validate the server's certificate. If you frequent hotspots which use a connection manager (e.g., Boingo), those programs provide server validation on your behalf. Otherwise, eyeball the hotspot login page before entering your password or credit card number. Check for SSL protection (that is, a URL starting with https) and look for browser warnings about the SSL server's certificate. If a hotspot login page triggers browser warnings (or mental alarm bells), don't ignore them.
Once connected to a Wi-Fi hotspot, try to use only mutually-authenticated, end-to-end encrypted sessions. If you're only browsing public websites, you might opt to go skinny-dipping – but keep in mind that the websites you visit could be faked by a phony hotspot which returns a copy of the real deal, modified to contain malicious scripts or phishing URLs. For this reason, it's safer to send all hotspot traffic – sensitive or not – over secure sessions.
For example, when checking email, try to configure your email client to send POP and SMTP over TLS. Today, many email servers support or require TLS to prevent disclosure of email logins, passwords, and message content. Email clients configured to require TLS will validate the email server's certificate and either refuse a session to a phony server or alert you to a problem with the server's certificate. Here again, don't simply ignore email client warnings or make TLS optional.
|Wireless hotspot security|
|Learn how to navigate wireless hot spots securely in this podcast: Wireless hotspot security.|
Finally, combine SSL/TLS or VPN tunneling with a host firewall that prevents unwanted traffic from leaking in or out of your Wi-Fi client. In Wi-Fi hotspots, a common mistake is to leak LAN broadcast traffic – especially NetBIOS file/printer sharing messages. Today, many commercial hotspots block inter-client traffic to neutralize this risk. However, if you've connected to a fake AP or Ad Hoc, you can't depend on the hotspot to protect you. If you take these basic steps to defend yourself, then you won't have to worry about the possibility of encountering a fake hotspot AP.
This was first published in September 2009