Users may think that their personal data is safe when they use a secure login page online, but that's quite far from the truth. In fact, everything from the contents of your e-mail to who your friends and acquaintances are, and almost anything else you can think of, could be easily exposed by hackers if browsed over a WiFi network, security firm Errata Security pointed out in a recent paper presented at this year's Black Hat 2007 and seen by Ars Technica.

The method by which this data could become exposed is nothing new, but it is simpler than most "man-in-the-middle" attacks, says Errata. Many web services, such as Gmail, BlogSpot, Facebook, MySpace, LinkedIn, and Google Adsense use cookies to identify session information after the user has already logged in. Using a basic packet sniffer over a WiFi network and a proxy server to pass the information through, a determined hacker can easily "sidejack" the session information as his own by stealing session IDs straight out of the WiFi signal. He could then use that session ID to represent himself as the original user, says Errata, which would allow him to do things like make blog posts, unfriend all of your Facebook friends (*gasp*), and read or send e-mails.

Even though some sites, such as Gmail, offer secure, SSL-based login pages, things aren't quite so secure post-login. Unlike many bank web sites that offer a secure browsing experience for the entire duration of the session, most sites dump the user right back out into unsecured territory after logging in, thus exposing their personal data to anyone who wants to get at it. The report provides several examples of session data pulled directly from Facebook, MySpace, Yahoo Mail, and BlogSpot sessions.

These concerns raise questions as to why some of these sites simply don't secure the entire session. In fact, some Gmail users have been asking for years now why encrypted sessions are not the default setting (or at least an option that one can turn on in the preferences), but those requests appear to have fallen on deaf ears thus far. Errata says that most of today's Web 2.0 sites don't use SSL throughout the session because of the costs involved. That doesn't answer the question as to why some sites don't offer it by default, however, even though such an option is already available. For example, Gmail sessions are not secured by default, but users can change the URL prefix to "https" while using Gmail in order to secure all of their data. However, Errata counters by pointing out that by the time users manually enter "https," they have already sent a session ID across the wire at least once.
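The exposure Errata describes can be checked for from the defender's side. The following is an added example, not code from Errata's paper or from any of the sites named: it replays a constructed page-load trace through a simplified browser cookie model and reports which cookies would cross the network unencrypted. The host `mail.example`, the cookie `SID` and its value are made up, and the `Secure` cookie attribute (which tells a browser to send a cookie only over HTTPS) is standard browser behaviour rather than something the article discusses.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def exposed_cookies(trace):
    """Return (cookie_name, url) pairs for cookies that travel in cleartext.

    trace: ordered list of (url, Set-Cookie header or None) page loads.
    Simplified model: cookies are scoped to the exact host; Path, Domain
    and expiry are ignored.
    """
    jar = {}        # host -> {cookie name: was it marked Secure?}
    findings = []
    for url, set_cookie in trace:
        parts = urlsplit(url)
        cookies = jar.setdefault(parts.hostname, {})
        plaintext = parts.scheme == "http"
        # Request: over plain HTTP the browser attaches every stored cookie
        # for this host that was not marked Secure.
        if plaintext:
            for name, secure in cookies.items():
                if not secure and (name, url) not in findings:
                    findings.append((name, url))
        # Response: store whatever the server sets.
        if set_cookie:
            parsed = SimpleCookie()
            parsed.load(set_cookie)
            for name, morsel in parsed.items():
                cookies[name] = bool(morsel["secure"])
                # A cookie set in a plaintext response is visible at once.
                if plaintext and (name, url) not in findings:
                    findings.append((name, url))
    return findings

# Constructed trace: SSL login, then the site drops back to HTTP, then the
# user types "https" by hand. The session ID has already gone out once.
TRACE = [
    ("https://mail.example/login", "SID=constructed123; Path=/"),
    ("http://mail.example/inbox", None),
    ("https://mail.example/inbox", None),
]
# Same browsing pattern, but the session cookie is marked Secure.
HARDENED = [
    ("https://mail.example/login", "SID=constructed123; Path=/; Secure; HttpOnly"),
    ("http://mail.example/inbox", None),
    ("https://mail.example/inbox", None),
]

if __name__ == "__main__":
    print("exposed:", exposed_cookies(TRACE))
    print("hardened:", exposed_cookies(HARDENED))
```

With `Secure` set, the plain-HTTP page load goes out without the session cookie, so the site must serve the whole session over HTTPS for the user to stay logged in.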

Of course, there are several easy, if at times inconvenient, solutions to protect your data. The obvious answer would be to stick to secured WiFi networks that you know and trust (such as your home network) that would not have any strangers on them running packet sniffers. But if you do need to use public access points, avoid accessing web pages that might transmit personal information. Those who want to be extremely careful, however, will want to follow Errata's proposed solution: "[U]sers should never use a Wi-Fi hotspot unless they are using VPN (virtual private networking) or SSL (secure sockets layer) to access their accounts," the company says.