Free Wifi has become a common thing today. When you head to the airport, or to a coffee shop, you have the option to connect to their free Wifi network. The advantage is you save bandwidth with your cellular data plan which can become quiet expensive if you go beyond your allocated monthly bandwidth. It is convenient.
However, as a result, you are browsing the web on a network you have no control over. And, you have no way of knowing what they will do with your data. "What data is that?" you might say. Well, all your browsing record and cookie information.
Let's say you were to log into you're favorite website, to read your messages or whatnot. Unless you are using a secure connection, you are broadcasting your credentials to the whole network. The provider of this free wifi may be logging this information for "Quality assurance" or whatever reasons and you will never know. In fact, anyone connected to the same network, can see this information. By analyzing your traffic data, they can see your cookies information and log into any of your accounts without even needing your credentials.
This vulnerability is called Man in the Middle Attack, (MITM). The most common way to prevent this sort of hack is by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). This by default will eliminate the ability of others to eaves drop on your connection.
So if you were to connect on a website using SSL, all others can see is that you connected to the website. They can't see which page, your cookies, or the data payload.
As a programmer, I know of this information and I know that when building a website that shares data it is a basic requirement to have SSL enabled. I can use different services to validate that a website is secure. But most people, even those who are tech savvy but not web programmers have no way of knowing that a website is secure.
The most basic way to know if a website is transmitted over ssl is to check the url bar on the browser. For example:
http://www.amazon.com -> not secure
https://www.amazon.com -> secure
HTTPS is the protocol needed for a secure website. You can see it on the URL bar, or on most browsers there is the icon of a lock, a green lock to signal that the website is secure.
A secure connection over HTTPS
Unfortunately, most of people I asked about this lock, even those who are tech savvy but not web programmers, had no idea what the lock or https was for. It is not obvious that these symbols signals that a website is secure, therefore when they are not present no one notices.
There are two ways we can fix this issue. One is to educate the general population about the risks of using an open network. We can teach them to look for
https and the green lock on the address bar. If anyone visits a website like a bank, email or social network, they have to make sure that it secure first before doing anything. There are even tools like HTTP Everywhere that takes out the guess work and tries to connect you to a secure version of a website if there are any.
The second way is to let website owners take the matter into their own hands and secure their website. Make sure that their website is available over https by default. This way the user doesn't have to think about it.
The second option will be the better long term solution because it takes out the guess work and we can't expect every user to learn this. These days all big website like facebook, google, or youtube have https enabled by default. Amazon only recently started forcing https. Now it is time for every website, (including this blog) to have https serve by default and take all the guess work out of the users hands.