Saturday, April 17, 2010

Oops, he did it again.

Back in September I took financial guru and radio/TV host Clark Howard to task for spreading the half-truth that activities which pose an identity-theft risk, such as online banking and shopping, are intrinsically more dangerous when done over an open Wi-Fi link.  Well... it's apparent he heard about that, because today when a caller asked him outright about the issue, he demurred a bit before breaking down and suggesting (drum roll followed by a rimshot, please) that she purchase a pay-as-you-go cellular aircard for her upcoming trip!

And now, once again, a brief pause for the facts.

Yes, it's true that someone sitting with a Wi-Fi capable device and the appropriate software within range of an open router can capture the data passing between your device and that router, just as it's true that someone tapping any network cable or monitoring any server between you and any remote host you're connected to can do the same thing.  It's this last point that continues to escape the Wi-Fi naysayers.  Locking down the access point will only protect you from someone sitting within sight of you (remember, they have to be within range of the access point, same as you).  It will, in other words, protect you only between your device and the router; it will do absolutely nothing for you beyond that, which is where, of course, a sinister interception is most likely to happen.

The only thing that can protect you there is third-party encryption that starts at the remote site and ends at your device and will, therefore, render any intercepted traffic unreadable, regardless of where the interception occurs.  Either a website protected by Secure Sockets Layer encryption (and in the case of banking online it needs to be the whole website, not just the login page) or a properly configured virtual private network will accomplish this.  What Howard and Co. need to be telling their listeners is that they need to ensure they're on an SSL-protected page with current, valid certificates (in other words, a good lock icon showing in their browser and no error messages) or have their VPN up and running BEFORE they send or receive anything sensitive, and they need to do it no matter how they're connected (yes, Clark, your caller will need to do it even if she buys that overpriced aircard and access).

And since I'd lay odds that no bank or retailer in America that offers online access still does so without SSL or with only partial protection instead of encrypting every page on their site that shows or receives sensitive information, we can probably lay this fear to rest once and for all.
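
The difference between a fully protected site and one with "only partial protection" can be checked mechanically. The script below is an added example, not part of the original post: it scans a page's HTML for forms, scripts, frames and links that would leave the encrypted connection. The `bank.example`, `cdn.example` and `ads.example` names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser send or load something.
WATCHED = {"form": "action", "script": "src", "iframe": "src", "a": "href"}

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = WATCHED.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if tag == "form" and not value:
            value = ""  # a form with no action posts back to the page itself
        if value is not None:
            self.targets.append((tag, urljoin(self.base_url, value)))

def unencrypted_targets(page_url, html):
    """Return (tag, url) pairs that would leave TLS; the page itself counts."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("page", page_url))
    collector = _Collector(page_url)
    collector.feed(html)
    findings += [(t, u) for t, u in collector.targets
                 if urlsplit(u).scheme == "http"]
    return findings

# Constructed sample: an HTTPS login page whose form and a script are not.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<script src="http://cdn.example/menu.js"></script>
<form action="http://bank.example/auth" method="post">
  <input name="user"><input name="pin" type="password">
</form>
<a href="/accounts">Accounts</a>
<iframe src="//ads.example/frame"></iframe>
"""

if __name__ == "__main__":
    for tag, url in unencrypted_targets(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag:6} {url}")
```

An empty result means every watched target stays on HTTPS; it says nothing about certificate validity, which the browser's lock icon and error messages still have to confirm.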
