In surfing the various wireless-related forums on the web, when discussing the topic of wireless security, most conversations seem to focus on AP security (and rightly so, I suppose). What I am curious about is security on the client side of things.
There are a lot of places in my area that offer free wireless access to their customers (many coffee shops, several bars, and even a few laundromats). Most of these places allow this access via a wide open (no WEP) AP.
My concern is that without at least WEP in the mix, what is there to stop some "31337 haX0r" from sitting in the corner sipping a cappuccino with a laptop running an 802.11b sniffer and having him grab, say, my POP3 password or my netstumbler.org forums password when I log in?
The solution I have come up with for now is to set up my Win2K box at home to receive VPN connections, and then after establishing the 802.11b connection while at a free hotspot, I then create a secure tunnel through the VPN at my house. I then surf through that, but as you can imagine, there is quite a performance hit compared to simply connecting to the insecure AP and surfing.
So the questions I am posing to the community here are:
1) Is what I described above the best method of securing myself on the client side of things? When I say "best", I mean not only security-wise, but performance-wise (I understand that being more secure when using public APs will require some amount of performance loss (like VPNing) or inconvenience (changing firewall settings, etc.)).
2) If not, what do you suggest? (I would love to know about some kind of software package that is designed to address wireless security on the client side of things, but maybe there is something else I am missing?)
3) Am I being too "tinfoil" hattish (i.e., am I making a mountain out of a mole hill in regards to worrying about someone sniffing traffic at free APs, or am I misunderstanding the security risks)?