"You're at risk whenever you use Wi-Fi on a public network," Glenn Fleishman warns in the introduction to his latest post on Ars Technica, "but thankfully it's never been easier or cheaper to secure yourself thoroughly." The release of Firesheep a couple of months ago highlighted just how simple it is to hack into the sessions of another user on an open network, but Fleishman is here to help with a lengthy piece that outlines several different strategies for staying safe.
Force secure Web browsing. This is an area still in its nascence. An extension for a browser or a built-in feature forces an SSL/TLS connection to a website that offers a secure alternative to a plain http connection even when you click a link or type in a URL to the unsecured location. As the cost and complexity of offering an SSL/TLS site has dropped for Web firms and the desire for security among users grown, an ever-growing number of major sites have both secured and unsecured flavors. This includes editorial sites such as the New York Times, Washington Post, and Wikipedia, where you would reveal more about your browsing habits than provide a lever for someone to crack open your behavior or act maliciously in your name. (Sure, they could leave ugly comments and bad wiki edits, but that seems rather childish unless you're being targeted individually.)
The ultimate path for making this work is a proposal at the IETF (Internet Engineering Task Force), with the HTTP Strict Transport Security (HSTS) specification, which is the basis of a built-in forced-secure connection in Firefox 4, currently in beta. When this is finalized and adopted, and browser makers and website operators take heed, the general problem of unsecured connections will disappear, but only for websites that choose to recognize the problem. This may wind up being all of them.
Read the full story at Ars Technica.