PSA: Free WiFi Is Really, REALLY Insecure

Well, this is disconcerting. Consider yourself duly warned:

Users of Yahoo! Mail, MySpace and just about every Web 2.0 service take note: If you access those services using public Wi-Fi, Rob Graham can probably gain unlimited access to your account – even if you logged in using the secure sockets layer protocol.

[snip]

The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by “https” in the address bar were susceptible to snooping, but intruders still had no way to access the account itself.

Now we know better. Any session that isn’t protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years – even if we regularly change our passwords.

The only way …. to work around the vulnerability is to use Google and select options that automatically keep Gmail, Google Calendar and several other properties encrypted throughout the entire session.
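
A site-side check for the weakness the quoted article describes, added here as an example and not taken from the original post or the quoted article: it audits `Set-Cookie` headers for session cookies that lack the `Secure` attribute (so the browser keeps sending them over plain HTTP after an SSL login) or that carry a very long lifetime. The header values are constructed samples, and the one-day `MAX_LIFETIME` policy is an assumption.

```python
from http.cookies import SimpleCookie

# Assumed policy for this example: a session cookie should not outlive one day.
MAX_LIFETIME = 24 * 3600

# Constructed Set-Cookie header values, as a site might send after an HTTPS login.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Max-Age=315360000",         # no Secure, ~10 years
    "SID=def456; Path=/; Secure; HttpOnly; Max-Age=3600",  # HTTPS only, 1 hour
    "auth_token=ghi789; Path=/; Secure; Max-Age=31536000", # HTTPS only, 1 year
]


def audit_cookie(header):
    """Return (cookie_name, issue) tuples for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        # Without Secure, the browser attaches the cookie to http:// requests
        # too, so it crosses a shared network in cleartext.
        if not morsel["secure"]:
            findings.append((name, "no-secure"))
        # A long Max-Age keeps a captured session ID useful for a long time.
        max_age = morsel["max-age"]
        if max_age.isdigit() and int(max_age) > MAX_LIFETIME:
            findings.append((name, "long-lived"))
    return findings


def audit_all(headers):
    """Audit every header and return the combined findings."""
    results = []
    for header in headers:
        results.extend(audit_cookie(header))
    return results


if __name__ == "__main__":
    for cookie, issue in audit_all(SAMPLE_HEADERS):
        print(f"{cookie}: {issue}")
```

The cookie lifetime is only what the browser is told; how long the server keeps honoring a session ID has to be checked on the server itself.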