View Full Version : wifi
kofflin
11-12-2010, 12:02 PM
I heard that someone can log into an account when you are using an open wifi.
Is it only while you are at a hotspot or can that person log in anytime after he gets your info?
Leo Laporte said that a wifi that you have to log into with a password is ok.
How about the ones that you check to agree you will use their wifi properly. Is this ok?
tehboris
11-12-2010, 03:20 PM
You are talking about Firesheep.
If a person clones your session, they are logged in as you for that session. Once the session becomes invalid they can no longer access your account. I don't know about any particular site that you are talking about. However, many sites invalidate sessions when you click logout. Many also invalidate sessions when the IP address the session is being used from changes. Some invalidate sessions after a certain amount of time of inactivity.
The interesting thing is, someone using Firesheep never actually logs in as you; that is to say, they duplicate your session, which has already been verified, but never have your password and in some cases don't get your username either.
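The three invalidation rules mentioned in the post above (logout, IP change, inactivity), sketched as a server-side session table. This is an added example, not part of the original thread; the class name, the 900-second timeout and the addresses are assumptions made for illustration.

```python
import secrets
import time
class SessionStore:
    """Server-side session table: logout, IP-change and idle-timeout rules."""
    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout  # seconds of inactivity (assumed value)
        self.clock = clock                # injectable so the demo can advance time
        self.sessions = {}                # token -> {"user", "ip", "last_seen"}

    def login(self, user, ip):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ip": ip, "last_seen": self.clock()}
        return token

    def logout(self, token):
        self.sessions.pop(token, None)    # any copy of the cookie stops working too

    def validate(self, token, ip):
        """Return (user, reason); user is None when the request is rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None, "no-such-session"
        if self.clock() - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return None, "idle-timeout"
        if ip != s["ip"]:
            del self.sessions[token]      # invalidated for everyone, owner included
            return None, "ip-changed"
        s["last_seen"] = self.clock()
        return s["user"], "ok"

def demo():
    now = [0.0]                           # fake clock
    store = SessionStore(clock=lambda: now[0])
    hotspot, elsewhere = "203.0.113.10", "198.51.100.7"  # constructed addresses
    t1 = store.login("alice", hotspot)
    # Clients behind one hotspot NAT typically share a public IP: the IP rule cannot separate them.
    out = {"same_ip": store.validate(t1, hotspot),
           "other_ip": store.validate(t1, elsewhere),
           "after_ip_change": store.validate(t1, hotspot)}
    t2 = store.login("alice", hotspot)
    now[0] += 901                         # one second past the idle limit
    out["idle"] = store.validate(t2, hotspot)
    t3 = store.login("alice", hotspot)
    store.logout(t3)
    out["after_logout"] = store.validate(t3, hotspot)
    return out

if __name__ == "__main__":
    print(demo())
```

The `same_ip` result shows the limit of IP binding on a shared hotspot, which is why logout and short idle timeouts still matter there.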
xcorvis
11-16-2010, 02:39 AM
I heard that someone can log into an account when you are using an open wifi.
Is it only while you are at a hotspot or can that person log in anytime after he gets your info?
Leo Laporte said that a wifi that you have to log into with a password is ok.
How about the ones that you check to agree you will use their wifi properly. Is this ok?
Leo Laporte is correct, but that's an oversimplification, and it's generally a good idea to seek out better technical advice than his.
Firesheep is a program that lets you hijack someone's login on Facebook and many other sites. It uses cookies. Essentially it copies your session because your info is shared openly on an unencrypted wireless network.
If you log in to wireless that requires you to enter a password when you choose to connect to the network, your sessions are encrypted and other people can't see what you're doing on wifi. Some wifi requires you to "log in" in a web browser window after connecting. These networks are not necessarily secure.
Additionally, you can protect yourself by using HTTPS connections to your websites even if you're not on a secure network. Note the "S" at the end of HTTPS - it means the connection is secured, and data sent between your computer and that site is encrypted. When you go to Facebook, log in, then look at your connection at the top: http://facebook.com/blah. Add an "s" to the end and boom, you're safe from this particular type of attack. Change your bookmarks to be for the https sites instead of the regular http sites. Better yet, download a browser plugin like HTTPS Everywhere and just let it do its thing.
tokenuser
11-16-2010, 02:47 AM
Adding s only works if there is actually an https site to be redirected to. Just adding s does nothing. But, if you are doing anything sensitive (banking, web based email, etc), then most of those should redirect you to the secured site.
tehboris
11-16-2010, 03:20 AM
https://www.eff.org/https-everywhere
And for sites not presently on that add-on's list, NoScript can be configured to force HTTPS for both domains and cookies.
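Why forcing HTTPS for cookies matters as well as for pages, shown as an added example that is not part of the original thread: a session cookie set without the `Secure` attribute is still attached to any plain-HTTP request to the same site, even if the login itself used HTTPS. The header values, cookie names and `site.example` host are constructed, and the matching is simplified to the `Secure` rule only.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header_values):
    """Parse Set-Cookie header values (one cookie each) into {name: Morsel}."""
    jar = {}
    for value in header_values:
        cookie = SimpleCookie()
        cookie.load(value)
        jar.update(cookie.items())
    return jar

def sent_with(jar, url):
    """Cookie names a browser attaches to a request for url.

    Simplified: applies only the Secure rule, ignoring Domain, Path and expiry.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(name for name, m in jar.items() if is_https or not m["secure"])

def audit(header_values, session_names=("session", "sid")):
    """Report session cookies that would travel over plain HTTP."""
    jar = parse_set_cookie(header_values)
    return [
        f"{name}: no Secure attribute, sent in cleartext on http:// requests"
        for name in sent_with(jar, "http://site.example/")
        if name in session_names
    ]

# Constructed response headers from a login page served over HTTPS.
WEAK = ["session=c0nstructed-value; Path=/; HttpOnly", "theme=dark; Path=/"]
FIXED = ["session=c0nstructed-value; Path=/; HttpOnly; Secure", "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("fixed", FIXED)):
        jar = parse_set_cookie(headers)
        print(label, "over http :", sent_with(jar, "http://site.example/logo.png"))
        print(label, "over https:", sent_with(jar, "https://site.example/"))
        print(label, "findings  :", audit(headers))
```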
xcorvis
11-16-2010, 06:15 PM
Adding s only works if there is actually an https site to be redirected to. Just adding s does nothing. But, if you are doing anything sensitive (banking, web based email, etc), then most of those should redirect you to the secured site.
Good point. Hopefully there aren't that many sites that use logins but don't let you use https on their regular pages.
shyronnie
11-18-2010, 01:53 AM
I was going to make a new topic about this, but I guess I don't have to. :)
People say that using VPN on an unsecured wireless hotspot can also give you protection. One of the free VPNs I found was OpenVPN, so I installed it earlier while I was at Starbucks. Then, after that, I was like, "now what?"
Do I need to do something else with the configuration on OpenVPN, or does installing it and opening the program automatically secure your connection? I just have a feeling I need to do something else.
tehboris
11-18-2010, 02:04 AM
I would describe OpenVPN as awesome, yet not for the novice user. OpenVPN requires that you set up a server running OpenVPN somewhere on the internet. It also requires that you understand the basics of network subnetting so as to make the right choice for your VPN's subnet.
shyronnie
11-18-2010, 02:11 AM
So what kind of free VPN do you suggest for someone who doesn't know jack about VPNs (like me)? Or is HTTPS a good enough security in public hotspots?
xcorvis
11-18-2010, 11:30 PM
So what kind of free VPN do you suggest for someone who doesn't know jack about VPNs (like me)? Or is HTTPS a good enough security in public hotspots?
VPN is a two-part system. A VPN client connects to a VPN server on another network. It makes a secure tunnel between the two so you can filter your traffic through the server's network. I don't know of any free VPN providers who let people use their networks.
chain666
11-30-2010, 11:59 PM
If you're using HTTP or even HTTPS/SSL, you can still get most information from the client. Using powerful tools in BackTrack you can strip SSL. You're best off with VPN or tunneling :D
tehboris
12-01-2010, 12:09 AM
SSL prevents sniffing of communication. SSL uses the same technologies a lot of VPNs use.