Connecting to a random WiFi hotspot is much like strolling into a bar in a strange part of town. Most likely you'll have a good time, but it could ruin your whole day. It's wise to assume that all hotspots harbor predators, and take appropriate precautions.
You'll be much safer at hotspots if you implement a robust security system, for example the one I've outlined in my blog. As part of your security, it is important to keep Windows and your programs updated. But beware: do not respond to warnings or notices that announce an update is needed. Go directly to the update source instead.
While you're out and about, don't forget about the physical security of your laptop.
Using a public computer at a library, Internet cafe, or hotel "business center" can be even more risky than using your laptop at a hotspot.
Here's an excerpt from Microsoft's page about choosing "Public network" for best security at public locations:
Choose Public network for networks in public places (such as coffee shops or airports). This location is designed to keep your computer from being visible to other computers around you and to help protect your computer from any malicious software from the Internet. HomeGroup is not available on public networks, and network discovery is turned off. You should also choose this option if you're connected directly to the Internet without using a router, or if you have a mobile broadband connection.
If you know you won't need to share files or printers, the safest choice is Public network.
Some features of "Public network" are implemented via the Windows firewall. If you're using another firewall, you should consider how to configure it for similar protection.
You always face serious risk when using public WiFi hotspots or public broadband (Ethernet) connections, such as those at hotels or truck stops. It is even more risky to use public computers at libraries, Internet cafes, or hotel business centers.
And don't count on SSL (secure connections with https, and the padlock) to keep your information private. They may have fixed it by now, but as an example, it has been possible to "sidejack" the highly-regarded Gmail application by simply listening to traffic at a hotspot, using nothing more than a laptop and a little free software.
Personally, I'd never do online banking or conduct any other financial business at a public venue unless I used a VPN (virtual private network). There are just too many unknown factors.
VPNs offer a good way to avoid the threats at hotspots, hotel Internet connections, etc. VPNs use encryption to "tunnel" right through insecure connections. You can rent most VPNs by the month or by the year. The protocol(s) they offer are a prime consideration - I recommend the OpenVPN protocol. Here are some VPN services to consider:
VPNs are an important tool for privacy and security when using public computers - say at a library - as well as your own. Trouble is, public computers are usually locked down so that you can't install a VPN, even temporarily. You can, though, bring along a thumb drive that includes a portable VPN (and add a portable browser for good measure).
Wireless hotspot service providers -- e.g., T-Mobile Hotspot, Boingo Wireless, iPass -- provide a degree of enhanced security for cell phones and data. But they still recommend that you use a VPN.
Robert Graham, the CEO of Errata Security, has demonstrated that it's easy to intercept session-IDs (cookies or random strings in the session URL) from nearly all popular web applications, such as Gmail, Hotmail and Yahoo Mail, when you're using WiFi. Interception works even if you're using Secure Sockets Layer (SSL) [https://mail.google.com/mail (with the padlock closed icon)].
The web server does not use your password to authenticate each exchange during a session. It sets a cookie, or other session identifier, at the start and then interrogates the ID to validate subsequent transactions. All the attacker has to do is clone your cookie or other ID and he/she can also connect with your account. In fact you can both access your account at the same time. The attacker can then download all your email messages, and even send messages as you. :-(
Update: Gmail -- and possibly other web mail services -- does not drop back to non-encrypted http mode now if https isn't available.
The conclusion at this time is that you can't trust web mail. Not just current messages, but all stored messages are vulnerable. So, what's the solution? If you're going to use web mail, using Gmail can help, but it's not foolproof. Be sure you log off from Gmail each and every time when you finish using it. That prevents transmission of the unencrypted Gmail cookie before you log in at the next hotspot.
The solution is to use an email client such as Thunderbird, not Web mail, to connect with your email account. And make sure it's using SSL or TLS (Transport Layer Security, the successor to Secure Sockets Layer (SSL)).
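For anyone who runs a web application, the session-ID exposure described above comes down to whether a browser will ever attach the session cookie to a plain-http request. The following is an added example, not code from this article or from Errata Security: it audits response headers for cookies that lack the Secure attribute and are not protected by HSTS. The header values and cookie names are constructed, and it assumes (conservatively) that a Domain-scoped cookie is not covered by the responding host's HSTS policy.

```python
"""Audit response headers for cookies a browser would send over plain http."""

# Constructed sample headers (not captured from any real service).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "SSID=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "PREF=lang=en; Domain=example.test; Path=/"),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_enabled(headers):
    """True if Strict-Transport-Security is present with max-age > 0."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            for directive in value.split(";"):
                k, _, v = directive.strip().partition("=")
                if k.strip().lower() == "max-age":
                    v = v.strip().strip('"')
                    return v.isdigit() and int(v) > 0
    return False

def cookies_sent_in_cleartext(headers):
    """Names of cookies a listener on an open network could observe."""
    hsts = hsts_enabled(headers)
    exposed = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" in attrs:
            continue  # browser only sends it over https
        # HSTS keeps later requests to this host on https, but a Domain
        # attribute widens the cookie to hosts this policy may not cover.
        if not hsts or "domain" in attrs:
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(cookies_sent_in_cleartext(SAMPLE_HEADERS))
```

HttpOnly does not help here: it hides the cookie from page scripts, not from someone listening on the network.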