Recently in Gmail Category

Just how big a threat does public WiFi pose to your security?


Rick Coca of the Daily News had a story on the cover today concerning an FBI warning about hackers who set up their own WiFi router with the same SSID name as the public WiFi router you wish to connect to, with the purpose being to steal vital passwords and other information during your wireless Internet session.

While the article was short and didn't go very deep into the security issues surrounding WiFi, Internet networking in general and laptop computers in particular, users of WiFi, and of public WiFi in particular, need to be aware of what they should and shouldn't do.

The article did say that it's a good idea to have your computer configured to CHOOSE the WiFi router to which you wish to connect, because the consequences could be, for lack of a better word, bad:

Once in, a hacker can steal passwords and credit-card information and install viruses, worms and other malware — malicious software — on a computer that can spread to other systems you run.
...
(FBI cybercrimes supervisor Bryan) Duchene recommends that Wi-Fi users change their settings so they have to manually input the Service Set Identifier (SSID) they want to log on to.

While free-access seekers spawned the "wardriving" phenomenon — Wi-Fi users drove around with GPS systems and Wi-Fi-seeking laptops, marking locations of unsecured, free Wi-Fi sites — that practice eventually piqued the interest of criminals, Duchene said.

While WiFi does increase the risk of "bad" things happening, and the lack of encryption on almost all public WiFi connections doesn't help matters, I'm pretty confident in saying that if you are entering logins, passwords and other "sensitive" information over a secure connection — one with https:// in the Web address instead of just plain http:// — you are pretty safe, even over public WiFi.

But in cases where your login or password is NOT sent via a secure, encrypted connection, or for regular Web browsing on non-secure connection, it's quite possible that others can see what you're doing on the Internet.

That may bother you, or it may not.

But especially when it comes to e-mail, make sure you are using a secure, encrypted connection, either through a Web-browser interface, or via the settings in your e-mail client, be it Microsoft Outlook, Mozilla Thunderbird, the Apple Mail program or whatever else you're running.

The worst thing you can do is send sensitive information -- or any personal or private information -- via unencrypted e-mail over an unencrypted WiFi connection. That's just too much of a risk.

I've often said that I wish all Internet traffic — e-mail, Web browsing, file transfers, etc. — took place over secure connections. I think we're headed in that direction.

So here's my quick guide on what to do and not do over a public WiFi connection:

E-mail: Only read and send e-mail via a secure encrypted connection. That means if you're using a Web interface, make sure the ENTIRE session -- from login and password to composing and sending the e-mail and logging out -- takes place in a secure environment with the https:// in the address box.

For Gmail, you can choose a secure connection with https://gmail.com ... BUT the last time I read about it, your Google login and password are stored as a cookie on your computer for easy access, and it can be easily stolen over a public WiFi connection.

For Yahoo! Mail, your login and password are entered in a secure environment, but the rest of your e-mail session is unencrypted, so don't use Yahoo! Mail over a public WiFi connection.

If you have an office-provided e-mail service via a Web browser, look for the https:// instead of http:// and ask your system administrator about whether your connection is secure the whole way through.

If you use an e-mail client like Outlook or Thunderbird, make sure your e-mail server allows secure connections -- and make sure your client software is set up properly to use it.

There are e-mail services that offer more security. For the extremely paranoid, there's HushMail, but my favorite is Fastmail.fm. Just make sure you use the secure version. I'll also put in a plug for my ISP, DSL Extreme, which offers Web-accessible e-mail in a completely secure session.

Antivirus, antispyware, firewall protection: Whatever you do, and especially if you're using Microsoft Windows, make sure you have up-to-date antivirus and firewall programs. This excellent though aging Washington Post page has links to many vendors of these programs, some of which are available free. For the PC, I prefer Avast. Avast also runs on Linux, although with that operating system you're only likely to pass along a virus, because almost all malicious code is aimed at Windows computers, which are much easier targets.

Web: For Web browsing, if you are on an unsecured connection, it's easy for snoops to figure out the URLs of the Web pages you're visiting. And from there those snoops can see what's on those pages, too.

While it's not conducive to privacy, this might not be a problem, depending on where you're browsing.

But ... if you're entering any logins, passwords or other sensitive information, make sure you're on a secure connection before beginning. AND make sure your computer is NOT set up for file sharing.

To be more clear, if your computer is free of malicious software -- key-loggers that record every keystroke, spyware, etc. -- an encrypted connection should give you enough security over WiFi.

IM is a problem: Most instant-messaging traffic is unencrypted, so don't IM anything you don't want others to potentially see. The last time I checked, Yahoo! Instant Messenger, AOL's AIM and Microsoft's MSN Messenger are all unencrypted.

And do yourself a favor: NEVER, EVER, EVER NEVER, install any kind of software from an untrusted source, over WiFi or a wired Internet connection. That's when the bad stuff happens -- when malicious software makes its way onto your computer. It's easier by orders of magnitude to attack from the inside than from the outside.

WiFi at home and work: Wireless routers that you control at your home or workplace can be set up for encrypted connections only. Don't use WEP encryption because it can be easily cracked. Instead, use WPA or WPA2, which are much, much more secure and robust.

And like it says in the Daily News article, make sure you change the SSID name of your router to something other than the default (usually something like Linksys, Netgear, or the name of whatever company made the router), and also make sure you have your computers set to only connect with YOUR router.

For more on this subject, here are a few links:

Is Microsoft trying to buy Yahoo to keep Amazon from getting it first?


You think? That's one of the stories out there right now. Makes sense to me: Amazon could definitely use Yahoo as both partner and source of revenue. Amazon could also conceivably tap Yahoo's pool of developers to help bolster the Amazon cloud computing initiative.

And tamping down any mojo that Microsoft might gain in the SAAS (software as a service) and overall cloud computing sector only helps Amazon's own foray into what many people think is the future of computing (though others think it's much ado about little).

Clearly it's good business for Microsoft to buy Yahoo and entrench itself as a firm No. 2 in search advertising. And ... while I'm touting the alleged skills of Yahoo's developers, Yahoo itself is way behind Google when it comes to Web-based applications. Yahoo has nothing like Google Docs and Spreadsheets, nor does it seem to have a Google-like plan to leverage Docs, Gmail and network storage as a fee-based service for the enterprise.

I still think Yahoo Mail has an edge over Gmail, excepting the fact that Gmail can run a totally secure session (which, nevertheless can be hacked into through unencrypted cookies) and Yahoo Mail cannot, but to me Yahoo Mail keeps that edge with usability and functionality ... but ... Gmail offers free POP mail, Yahoo charges for it, and Gmail is also rolling out IMAP, with no similar plan for Yahoo that I know about.

On the other hand, the latest rendition of Yahoo Mail, if run on fast-enough hardware, does an admirable job of mimicking a stand-alone e-mail client. It's the kind of app that makes me think Yahoo can develop a credible alternative to Google Docs if they wanted to do so.

Anyhow, back to business. One of the perils of being a publicly traded company without huge mounds of cash on hand is that somebody like Microsoft can swoop in and buy you when your stock is tanking.

Yahoo is a valuable brand with good core technologies. Given the time, they can manage their way out of this mess. But in today's world, time is scarce.

There are two kinds of tech companies out there: those who would love to be bought by Microsoft, and those who loathe it. OK, there's a third kind: those likely to be threatened with legal action by Microsoft, but I'm getting off-track here.

Remember this, Yahooligans: The Web isn't set in stone. If Yahoo is assimilated, you can always cash out and start something newer and better.

As for Microsoft, the company has never been shy about acquiring the technology and market share it needs in order to survive and grow. They've got the money, so this acquisition is a no-brainer for them. The clash-of-culture thing could be a problem, but for most people, if the checks keep coming (and they don't make people move to Seattle) and they see some kind of mission in their work, many will keep going. If it doesn't go so well, Microsoft parts with cash to crush the No. 2 player in search advertising and effectively assumes that mantle itself.

But letting anybody else -- especially someone with the scale and ambition of Amazon -- get Yahoo, that would only hurt Microsoft's search-ad, networked-application and plain-craven-moneymaking mojo. What's a big load of cash good for when you can't use it to crush your rivals?

Unless Yahoo can somehow find someone, somewhere with a bigger load of ready money or pricey stock, it looks like Redmond will win this round.

And whether the merger succeeds or fails, if it happens at all, it's huge-upside time for the folks in Redmond.

Secure Gmail not as secure as we thought


I've blogged before on how Gmail has an advantage over Yahoo Mail -- and most other Web-based e-mail services -- because you can choose to run a totally secure session (by entering the URL https://gmail.com instead of plain ol' http://gmail.com) and feel safe when reading and writing e-mail over public WiFi connections.

Seems it isn't so. According to the Zero Day blog at ZDNet, somebody monitoring the radio traffic of your wireless connection can figure out your password through the use of unencrypted cookies with a technique called "sidejacking":

Sidejacking is a term (Robert) Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to reenter the password. By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go in to their Web 2.0 application. Even though the password wasn’t actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo. The attacker can even find out what books you ordered on Amazon, where you live from Google maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code will fall back to non-encrypted http mode if https isn’t available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won’t be able to connect to anything. At that point in time Gmail’s JavaScripts will attempt to communicate via unencrypted http mode and it’s game over if someone is capturing the data.

What’s really sad is the fact that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right even when a user actually chooses to use SSL mode. Other applications like Microsoft’s MSN/Hotmail and Yahoo don’t even have SSL modes. The fact that they use SSL mode for first time authentication and sign-in is irrelevant because they all drop down to unencrypted mode right after the user authenticates.

I don't use my DSL Extreme Web mail as often as I should. It has a secure connection the whole time, and it's primitive enough -- I hope -- not to have these same vulnerabilities. Fastmail.fm, on which I also have a free account, will also do a secure session if you choose "secure login" when signing on.

I'm far from a security expert, but it seems to me that we'd be in better shape if we had the option of running a Web browser in secure-server mode all the time.
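The http fallback quoted above only hands the session to a sniffer because the browser is willing to send the session cookie over plain http at all. The standard defence on the server side is the cookie's Secure attribute, which tells the browser to send that cookie only over https. The following added example (my illustration, not code from the original post, from Google or from ZDNet) models that browser rule and audits a constructed webmail login response for cookies that would leak on an http fallback; the cookie names and the mail.example.test host are made up.

```python
"""Audit Set-Cookie headers for the 'sidejacking' exposure described above.

Added example with constructed data: the headers below stand in for a
webmail login response. A cookie without the Secure attribute is sent
by the browser on plain http requests too, so an https session that
falls back to http leaks it to anyone sniffing the WiFi. A cookie
marked Secure is only ever sent over https.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:          # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def would_be_sent(cookie, request_url):
    """RFC 6265 rule: a Secure cookie goes only on https requests.
    Domain/path matching is assumed to pass; only the scheme is modelled."""
    _, _, attrs = cookie
    scheme = urlsplit(request_url).scheme
    return not ("secure" in attrs and scheme != "https")


def audit(headers, fallback_url="http://mail.example.test/"):
    """Return names of cookies the browser would send if the page
    silently dropped to the plain-http URL, i.e. what a sniffer sees."""
    leaking = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if would_be_sent(cookie, fallback_url):
            leaking.append(cookie[0])
    return leaking


# Constructed sample: a login response setting two session cookies.
SAMPLE_HEADERS = [
    "sess=abc123; Domain=.example.test; Path=/; HttpOnly",             # leaks
    "sess_secure=def456; Domain=.example.test; Path=/; Secure; HttpOnly",  # safe
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS):
        print(f"{name}: sent on plain http, stealable over open WiFi")
```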


Steven Rosenberg aims to learn what he does not know. He writes about it here.
