A few years back I did a demonstration at KIPCUG on login security, and how I could capture someone’s login credentials using a Firefox plugin called Firesheep. In the demonstration I captured a Facebook users credentials and logged into their account. This was possible at the time because Facebook was not using any encryption in their login protocol. This has to do with the padlock in the address bar of your web-browser. TLS (commonly known as SSL, though this term is no long accurate.)

Research done by the security company Avast found, the only information that could be collected from a user logged into an open wireless access point was; the sites visited, but not what they did there. They could also can see the time you visited and what device you used to access it, and not much else. There was really no useful information that could be gleaned from their scans.

It has been my belief for quit some time that the use of strong inscription on most websites has made it has made wireless hotspots completely safe from man in the middle attacks. Use care when logging into sites that don’t have TLS.