If you've got a burning tech problem you want solved, please send a note to firstname.lastname@example.org, with "I've got a tech question!" as the subject line. (Your question may be edited.) You can also read previous "Dear Farhad" columns.
I often find myself using my computer on public Wi-Fi networks—at hotels, libraries, coffee shops, and so on. What is and what isn't safe to do online while on these networks? Can I log into my e-mail? My credit card account? My bank account? Does it matter if the network has a password or not?
—Wondering What's Safe
You're right to worry about browsing in public. Depending on the configuration of the Wi-Fi network and on the sites you visit, it's quite possible that a lot of your personal data is flying around Starbucks for everyone to see.
We got a very public demonstration of this danger just last month. Eric Butler, a software developer in Seattle, just debuted Firesheep, a Firefox add-on that lets you see who else at your coffee shop is logging in to Twitter, Facebook, Flickr, and other social sites. Firesheep even lets you steal other people's online identities. See that cute girl at the other end of the library? You can log in to her Facebook account and read her messages, then sidle up to her and impress her with your deep insight into her soul.
Butler's program takes advantage of the fact that HTTP, the protocol over which Web traffic travels, is public—it doesn't hide or encrypt the traffic between you and the Web servers you visit. Logging in to Facebook, then, is a bit like sending a postcard in the mail. While you're hoping that the mail carrier doesn't read your scribblings, you'd also be foolish to write down your Social Security number.
Fortunately, there's a simple fix to the problem Firesheep highlights. Web sites that store personal information simply need to upgrade their login process using a security system known as SSL. Once a Web site adopts SSL, all communications between you and the site are encrypted. You can think of SSL as a sealed envelope for your postcard.
So, which sites are safe? By default, most banks and other financial sites use SSL, so you shouldn't worry about checking those sites on an unencrypted Wi-Fi network. In January, Google added default SSL access to Gmail, so your webmail session should be safe, too. Butler says he created Firesheep to prod other sites into adopting SSL, and since his demonstration several have adopted better security. Hotmail, for instance, recently announced support for SSL, but the feature isn't on by default—you need to go to your settings page and opt in. But many big sites don't use SSL, with the worst offenders being Facebook and Twitter.
If some Web sites use SSL and others don't, how can you know if you're safe? All major browsers include some kind of icon near the address bar that tells you if a particular site is secure. In Internet Explorer, Chrome, Safari, and Opera you'll see a picture of a padlock next to the URL on a secure site; in Firefox, the lock icon is in the bottom right corner. If you click on the lock, you'll get more information about the security of the site you're visiting.
If you don't see the lock, you could try changing the URL of the site you're visiting. If a site supports SSL but doesn't use it by default, adding an S to the end of the HTTP in the address bar will get you the secure version of that site. If you type https://www.google.com instead of http://www.google.com, for instance, you'll get a secure version of the search engine. (You can get a Firefox add-on called HTTPS Everywhere that does this automatically at a wide range of sites.)
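The "add an S" step, applied automatically from a list of sites known to support SSL, can be sketched as a small URL rewriter. This is an added example, not code from HTTPS Everywhere or from the column; the host list and the names `HTTPS_CAPABLE`, `hostMatches` and `upgradeUrl` are assumptions constructed for illustration.

```javascript
// Constructed ruleset (assumption): hosts taken to serve the same pages over HTTPS.
const HTTPS_CAPABLE = ["www.google.com", "*.example.org"];

// Exact host match, or "*.domain" matching any subdomain (but not the bare domain).
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    return host.endsWith(pattern.slice(1)); // compares against ".domain"
  }
  return host === pattern;
}

// Returns the URL to load plus a status telling the user whether it is encrypted.
function upgradeUrl(input, rules = HTTPS_CAPABLE) {
  let url;
  try {
    url = new URL(input.trim());
  } catch {
    return { url: input, status: "invalid" };
  }
  if (url.protocol === "https:") return { url: url.href, status: "already-secure" };
  if (url.protocol !== "http:") return { url: url.href, status: "not-web" };

  // A non-default port is unlikely to answer HTTPS on the same number: leave it alone.
  const listed = rules.some((p) => hostMatches(url.hostname, p));
  if (!listed || url.port !== "") return { url: url.href, status: "unencrypted" };

  url.protocol = "https:"; // the "add an S" step; path and query are preserved
  return { url: url.href, status: "upgraded" };
}

// Constructed sample inputs.
for (const sample of [
  "http://www.google.com/search?q=wifi",
  "http://mail.example.org/inbox",
  "http://www.google.com.example.net/", // lookalike host: must not match the rule
  "https://www.google.com/",
]) {
  const result = upgradeUrl(sample);
  console.log(result.status.padEnd(15), result.url);
}
```

A status of "unencrypted" is the case the column warns about: the site is not on the list, so anything sent to it on an open network travels in the clear.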
Finally, the particulars of your Wi-Fi network will also affect your security. If you have to type in a password to get on the network, that could mean that the network itself is encrypting all your Web traffic; this would make your traffic safe from snoopers even if a specific site doesn't use SSL. But I wouldn't rely on this, because a Wi-Fi network's security depends on where it asked you for a password. If you had to enter the password into your operating system, then it's probably secure. If you got on the network first, then typed a password on a Web page, it's not secure. Unfortunately, most public hotspots—at Starbucks, on airplanes, in hotels, and other places—use this second, insecure methodology.