On the Soapbox


New York Times on Security

Monday, October 23, 2006
Keywords: Technology

This NYT article was linked to on Slashdot. It's a good article, definitely worth a read for non-technical people simply because the average person knows so little about computer security. But as a technical person, I have some bones to pick with this article.

  1. Shopping is probably one of the safest things that you can do when surfing from a public hotspot using your own computer. That's because almost all e-commerce websites require SSL for logins and credit card input, so the sensitive traffic is encrypted. There are some sites that don't use encryption during transactions (in which case, using your credit card on such a site in public would be very stupid), but people should not patronize such places even if they are not in public because the failure of an e-commerce site to provide (and require) SSL is a signal that they are probably not too careful with data security in other ways as well. With IE7 and Firefox both coloring the address bar for secure sites, instructing people on detecting SSL should be easy.
  2. All the major services like Google, Yahoo!, and Windows Live require SSL for logins so that passwords can't be stolen. In addition, Google is pretty good about providing optional whole-session SSL for a number of their services including Gmail and Reader so that all traffic--not just your login information--is encrypted.
  3. E-mail passwords for SMTP/POP3/IMAP are still generally insecure, but a lot of people are using webmail these days (which generally have secure logins), and the use of the proper e-mail protocols over SSL is increasing (e.g., Gmail requiring SSL for POP3/SMTP).
  4. The best form of security is still better password control, which the article does not evangelize. People shouldn't use the same password everywhere. I use a weak easy-to-type password for unimportant accounts or accounts without encrypted logins (like my IMDb account). A much stronger password with mixed case, numbers, and non-alphanumeric characters is used for accounts with encrypted logins and sensitive personal information (financial sites, shopping sites with stored credit cards, Gmail, etc.). Finally, there is a password for accounts with sensitive info but no secure logins (I try to avoid having such accounts whenever possible, and I wouldn't access such accounts from a public place). (I also have a fourth password for administrative things like logging into my computer or SSHing into my home network from the outside, but there is really no reason why I couldn't use my other strong encrypted password for this.) This is a much more effective way to limit the scope of security lapses for the average user than instructing him or her on the use of VPN or SSH tunnels, and three different passwords shouldn't be that hard for people to remember. And it is easy to create secure non-alphanumeric passwords that are easy to remember, too; e.g., x*6=42=>x=7 or pass(42%)!=T are memorable, secure passwords with letters, numbers, and symbols.
  5. The article broadly advocates VPNs without discussing the other ways to ensure security. VPNs are rather specialized in their purpose and are generally not necessary. Oh well, what did you expect from the mainstream media?
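Points 1 and 2 rest on the login form itself submitting over SSL, which the address-bar colour does not quite tell you: an http page can post credentials to an https action (encrypted, no padlock), and an https page can post to an http action (padlock shown, credentials in the clear). The following added example (my own code, not from the article or the post) resolves each password form's action against the page URL to decide which case applies; the URLs and HTML snippets are constructed for illustration.

```python
"""Decide whether a page's login form(s) will submit credentials over TLS.

Added example, not from the original post; the page URL and HTML used
with it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect the action attribute of every <form> holding a password field."""

    def __init__(self):
        super().__init__()
        self._action = None         # action of the form currently open, if any
        self._has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to this page".
            self._action = a.get("action") or ""
            self._has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_actions.append(self._action)
            self._action = None


def login_submission_schemes(page_url, html):
    """Return the URL scheme each password form posts over.

    Relative actions are resolved against the page URL, so they inherit
    the scheme the page itself was loaded with."""
    finder = _FormFinder()
    finder.feed(html)
    finder.close()
    return [urlsplit(urljoin(page_url, act)).scheme for act in finder.login_actions]


def credentials_encrypted(page_url, html):
    """True only if the page has at least one login form and every such
    form submits over https; False for http actions or no login form."""
    schemes = login_submission_schemes(page_url, html)
    return bool(schemes) and all(s == "https" for s in schemes)
```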

I guess in a nutshell, the article is good because it highlights the security problems that most people are not aware of, but it then goes into a typical mainstream media overhype and proposed overcorrection. This problem is not new, and a nice solution--SSL--has existed for eons.

This entry was edited on 2006/10/23 at 21:37:30 GMT -0400.
