“See, you shouldn’t steel internet on a regular basis” I told my acquittance, “it’s not that it’s wrong – it’s just not safe.” I mean, think about it – you never know if the person running an open wifi node is an idiot or just pretends to be one. It’s fine to jump onto someones unsecured connection to do some casual browsing. In fact, it is recommended to use an open Wifi hotspot that cannot be traced to you for any and all large scale illegal downloading you may want to do. But your regular day to day browsing should be done over a connection you trust.
Why? Because you are likely to be sending private data in plain text over that network. If you ever see me running an open wifi node you can safely assume I am probably sitting thee with a packet sniffer collecting people’s facebook passwords so that I can log in into their accounts and change their profile pictures to Goatse with a caption: “I AM A STEALER OF THE INTERNETS”.
Actually, scratch that – I wouldn’t do that because I’m a nice guy. It’s not in my nature to do things like that and – I can’t really hide it. You can tell whether or not someone is a good guy that by observing how many sexy ladies there are in his orbit at any given time. If you see a guy who has more orbiting bodies than Jupiter, you can tell the dude is an incredible duchebag and a horrible human being. So you should probably hang out with him in hopes of intercepting one of the outlying satellites.
Are these astronomical relationship jokes doing anything for you? No? Well screw you then. The point is that Facebook and similar websites can be prime target for packet sniffing. So are things like POP email, IM clients and etc. You shouldn’t trust any network, including yours but suspiciously open wifi networks are the worst. How do you know the owner of your internet gateway doesn’t have it set up to log all the crap that goes through it. You don’t. Even if you think your neighbor Joe wouldn’t do such a thing, you can’t be sure that his nephew Sid who set up his wifi is not a diabolical jerk who collects peoples passwords for fun and profit.
When you are on a strange network you should be at least using SSL to make sure that things like passwords are not being sent in plain text. Most of the sites are pretty good about it and do serve their content via SSL. Most do not default to it though – facebook is a prime example here. The default login page is not encrypted. Furthermore and because of how the Application API works even if you log in over SSL the content you get served is mixed – parts of it come in un-encrypted so you are still leaking data.
Or even worse – what if, for example you are running a self hosted blog like me. Do you use SSL to log in? You do? Holly fucking shit! I don’t! I never actually thought about it, until few days ago!
Granted I don’t steal internet (like some of you people, you know who you are) but I do sometimes log in from school, work, and etc. This is not acceptable. So as you can imagine, the first thing I did after realizing this was to go and set up an SSL certificate for the blog. The second thing I did was to add this line to my wp-confing.php:
What does this do? It forces wordpress to use SSL for all administrative functions and redirects all links accordingly. So for example if I get an email notification about a post in moderation queue I can hit the “approve” link and have WordPress automatically serve me the SSL encrypted page instead of an un-encrypted one. This makes me feel a little better about logging into my own website from networks I don’t actually own.
I still wouldn’t use someones insecure wifi connection though. Unless for torrents of course. Which is why you should should use WPA/WPA2 or better kids. Otherwise some jerk will use all of your available bandwidth to download tons of movies and video games without ever worrying about being caught.