Question about connecting to unknown, and untrusted wireless networks: what can I do to avoid having passwords etc sniffed?

Obviously all http connections go in the clear, so anybody running the wireless network could easily see which urls are being requested and what is being returned. No problem. All https connections, on the other hand, I assume will be effectively impossible to decode, so if I type a password into a https page then the network owner couldn't sniff what I'm sending and record my username/password combos. And not just the passwords but also the contents of each page is encrypted too so they couldn't see the page contents either. Right?

Which leaves email - I connect to my email server from Thunderbird and the security settings say "TLS" - can I assume that the password exchange there is also done using encryption, so my wireless donator couldn't deduce my password either? But can I assume that the emails themselves are transmitted in the clear so if they did want to see what I'm writing and who to, then they could?

And finally ftp - I use ftp to update a website, and from what I understand ftp passwords are pretty much sent in the clear too - not great. I currently use Konqueror to send files via ftp, can I assume that's a bad idea? Are there any easy alternatives which provide a bit more password security? I don't care if people can see what I'm ftping, but I don't want them to be able to sniff my password and then update their own version up there... I've heard about scp but as far as I know I don't have that setup - do I need anything to be setup on the server side for that? Would I need to use the command line or are there simple guis?
I've tried Kbear, Kasablanca and Filezilla for ftping but hate them all. Konqueror is the best solution I've found so far but as far as I can tell it can't do any kind of "secure" ftping - am i wrong?

Obviously all the above considerations apply all the time whatever the internet connection, but I'm assuming that as soon as I connect to an untrusted wireless network then they potentially have guaranteed access to all my packets, whereas when I've got a wired connection any malicious sniffer would just have to go by chance whether they managed to intercept any of my packets or not...

I use sftp when using konqueror. The connection is an ssh connection.

If you can use it, VPN creates secure connections through remote computers. You would have to log in via VPN to another computer that you have access to. Then all the surfing would go through that other computer. This can work with a laptop connected via VPN over the internet to a home PC or a work computer. I have not used VPN myself. Only read a little about it.

http://en.wikipedia.org/wiki/Vpn#Security_and_Mobility

You can look for yourself if you like. Setup an unencrypted wireless network, and have a computer dumping all the packets using 'kismet'. On another computer, just go through a normal browsing session.

Once you're done, pull up wireshark and have a look at what kismet dumped. It's pretty interesting.

If you want peace of mind, setup a VPN, or go through an SSH tunnel to somewhere else.

Thanks for the sftp tip, I didn't know konq could do that! But maybe I need something on the server side too, I just getwhen I try to connect to my server. After a while though so maybe a timeout or nothing is listening to the port or something. That's with the url sftp://ftp.mywebsite.com, if I just use the ftp:// protocol then it works.

About the VPN, that would be ok if I had another server to connect through. But from what I understand that only controls the connection between my laptop and that server, anything between that server and the real server I'm connecting to is still in the clear like before, no?

Well, generally you have a VPN connection between your laptop and a server. This is secure because of VPN. That's server's connection to the internet is generally wired although it could be wireless. If that server is your home PC, then it would be as secure as your home PC is.

you need to enable ssh service on that server... that means, by default, it opens port 22(ssh) instead of port 21 (ftp) . ANd make sure, your firewall allowed access to port 22 from outside, you need to check also hosts.allow and hosts.deny if no entries for sshd