Senator wants more secure Web sites for Wi-Fi use

Sen. Charles Schumer wants online companies to switch to a more secure protocol to better protect consumers who access Web sites via public Wi-Fi hot spots.

The New York Democrat yesterday issued a call to such companies as Amazon and Twitter to switch their default pages to HTTPS from HTTP to help prevent cybercriminals from stealing online passwords and credit card numbers over public Wi-Fi networks. In his request, Schumer said that programs such as Firesheep allow even hackers with no programming skills to easily capture usernames, passwords, browsing history, and other private information from unsuspecting users in spots with unsecure Wi-Fi.

"Free Wi-Fi networks provide hackers, identity thieves, and spammers alike with a smorgasbord of opportunities to steal private user information like passwords, usernames, and credit card information," said Schumer in a statement. "The quickest and easiest way to shut down this one-stop shop for identity theft is for major websites to switch to secure HTTPS web addresses instead of the less secure HTTP protocol, which has become a welcome mat for would-be hackers."

In a letter to Amazon, Twitter, and Yahoo sites urging them to adopt HTTPS by default, Schumer said that without the more secure protocol, hackers can view log-in information and passwords as well as items like purchase activity and the types of products someone shops for.

"I am therefore calling on you to make the switch to a default HTTPS protocol for all browsing on and interface with your site," Schumer wrote in his letter to the Web sites. "Many other companies have already made this change, and it would be in the public interest for you to do so as well."

A quick check of the three sites targeted by Schumer found that Amazon does use HTTPS for both logging in and purchasing items. Yahoo uses HTTPS for its log-in page, but Twitter does not. Facebook recently rolled out an option that lets users enable HTTPS when browsing the site, though that must be switched on manually.

Schumer acknowledged that some Web sites do initially encrypt user information, while others offer an option to turn on HTTPS, but none of them uses HTTPS as "the default for all use and browsing."

The HTTP protocol is typically used for Web pages that don't transmit secure data. In contrast, the stronger HTTPS protocol uses SSL (secure sockets layer) to encrypt sensitive information, such as passwords and financial data. Most reliable online merchants will use HTTPS to protect shoppers plugging in their payment information, but there's no hard and fast rule on when companies should use one protocol versus the other.

Many sites use HTTPS for their log-in pages; many don't. But Web sites typically don't encrypt all pages with SSL, as the senator seems to be advocating. Such a move is usually considered overkill and can exact a performance hit. However, the senator's point seems to be that without SSL on every page, a user's browsing history, cookies, and other data can still be captured.

Whether the Web sites in question respond to Schumer's request, here are a few pieces of advice always worth noting about security:

• Never conduct financial transactions over an unsecure Wi-Fi network.
• If you use a shared computer in a library or other public spot, be sure to clear the cache, cookies, and history after you've finished browsing.
• Finally, make sure your own home Wi-Fi network is protected with WPA or WPA2 security.