The National Association of Securities Dealers put out the wrong message in its warning about Wi-Fi hotspots. Its advice is sound as far as it goes: keep software patched, use a firewall, only connect to secure (SSL) sites for transactions, and use a VPN. But it also suggests that sniffing and evil twins could intercept financial data. That's not correct.
As long as you check the URL you're connecting to, there's no known way to forge an SSL certificate that would let an evil twin show you "https://www.etrade.com/" and have your browser do anything but balk. Likewise, sniffing can't intercept SSL- or VPN-encrypted data with any technique currently available. Weak SSL, sure, but no reputable firm has run 40-bit SSL in years. A VPN using PPTP with a weak passphrase is a problem too, so choose long PPTP passphrases.
Update: Read the comment below. Apparently, there are ways for the list of trusted SSL root authorities to be subverted! But that doesn't depend on being in a hotspot.
Not quite. There are "web accelerators" like MarketScore that load a new cert onto your trusted list of CAs, and then configure your browser to use their SSL proxy. Which means your browser won't balk, yet the proxy can see your unencrypted traffic. Aside from the fact that many people will ignore SSL warnings and just "click ok".
Even with an SSL proxy, the handshake is between the recipient and the sender. The proxy cannot see unencrypted data, except for the URL and some headers it needs to pass through the traffic.
[Editor's note: The previous commenter seems to be noting that software can poison the root certificates--gf]
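As an added illustration, not from the post or either commenter, this constructed Go program builds the situation the first commenter describes: two self-signed roots (the site's genuine issuer and a proxy CA), a certificate for the same hostname issued under each, and a client-side check in two flavours. The trusted verdict mirrors the browser (any root in the store will do) and shows that once the proxy CA is on the trusted list the proxy's certificate passes without a warning; the pinned verdict records the genuine root's public-key hash beforehand and still catches the substitution. The CA names, the hostname and the Mint and Accept functions are all made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Mint issues a one-day P-256 certificate: a self-signed root called name when parent is nil (the genuine
// issuer, or the proxy CA a "web accelerator" loads into the trust store), else a server cert for host name.
func Mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: exactly what an SSL proxy mints on the fly for every site the user visits
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Accept gives two verdicts for leaf presented for host. trusted is what the browser checks:
// the chain ends in ANY root in store, so a smuggled proxy CA passes. pinned additionally
// requires that root's SPKI SHA-256 to equal pin, recorded earlier from the genuine root.
func Accept(leaf *x509.Certificate, host string, pin [32]byte, store ...*x509.Certificate) (trusted, pinned bool) {
	pool := x509.NewCertPool()
	for _, root := range store {
		pool.AddCert(root)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	for _, chain := range chains { // no chains at all when err != nil
		pinned = pinned || sha256.Sum256(chain[len(chain)-1].RawSubjectPublicKeyInfo) == pin
	}
	return err == nil, pinned
}
```

The pin is the kind of check a browser does not make on its own: it has to be recorded out of band before the proxy software is installed, which is why a silently added root is so hard for an ordinary user to notice.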