Saturday, February 11, 2012

(Sigh...)

It's like a religion, I tell you: this unshakable belief held by so many that open Wi-Fi is inherently dangerous to use for any sensitive purpose. As further evidence thereof, herewith this from a blogger over at Yahoo News recounting her baptism into the gospel of Thou Shalt Not Bank Whilst Thou Art Connected to a Router That Be Not Encrypted.

And now, once again, with apologies to ath64, A Brief Pause For the Facts.

As long as you are connected to a web page that properly implements the Secure Sockets Layer protocol, it is perfectly safe for you to do anything you want on that particular page no matter how you're connected to it. In the case of an entire site such as that of a bank or credit card issuer, as long as all the pages on the site are so protected, you are too. The actual dangers the blogger saw demonstrated are, in fact, not specific to open Wi-Fi, but instead stem from two possible causes. The first is a website with an unencrypted login page (hard to imagine on a banking or other financial website in this day and age); the second is one whose owner either doesn't keep its certificates up to date (again hard to fathom for a truly responsible organization) or doesn't bother purchasing valid SSL certificates at all, opting instead to create its own self-signed ones.

Either of these last two situations should have given the author a browser warning about the certificates that she almost certainly ignored. SSL, after all, is designed to prevent man-in-the-middle attacks such as she described. But SSL, like any other security technology, isn't capable in most cases of protecting against what in less polite circles at least used to be referred to as a PEBCAK: a Problem that Exists Between the Computer And Keyboard.

And it is that sort of problem one must be the most on guard against. Once again, if the webpage you're logging into for any sensitive purpose has a URL that doesn't begin with "https://", don't log into it, on open Wi-Fi or anywhere else. If you still have an account with an institution whose website doesn't protect all of its pages with SSL, find another bank or take out someone else's credit card. How do you tell? Simple. Either look for "https://" at the start of the URL of each page or, better yet, set your browser to warn you when you're about to leave an encrypted page for one that isn't. If you see that warning when you shouldn't, take your business elsewhere and tell the institution you're leaving why.

Finally, do what ath64 famously reminded everyone to do (or, more accurately, not to do) in this post some four years back decrying the KCK Public Library's then-closed network. If you get any message regarding a website's certificates, don't enter or access any sensitive information on that site afterward. Thankfully, you likely don't have to worry about anyone in an Afghan cave anymore, but the results of flouting this admonition could still be as bad as Guantanamo Bay, or worse.

