Let's start with the step so obvious I forgot to put it in the first version of this post ;) Turn on your laptop's firewall in OS X's Preferences --> Sharing --> Firewall, and also check that Stealth Mode is enabled by clicking the "Advanced..." button. Linux users can enable their firewall with ufw (Uncomplicated Firewall) or its GUI frontend, Gufw.
Back to encrypting all the things. The simplest and most basic thing you can do is install the Firefox add-on HTTPS Everywhere. This will enforce HTTPS encryption for all traffic on sites that support it and prevent those sites from reverting back to HTTP after you log in.
Got email to send? Encrypt it, or you don't send it. It's really that simple.
If you're chatting, use OTR (off the record) encryption. Pidgin and Adium support it. There's also a Firefox add-on called Cryptocat that in theory looks awesome but suffered a slight scandal recently when it was revealed it had a huge security hole caused by a rookie mistake by the developers. So you may want to avoid that.
As long as we're talking about Mozilla browsers, TenFourFox and Iceweasel users might want to take steps to protect their passwords because, locally anyway, they're, um, completely unprotected. In a fit of jealousy and envy at your beautiful PowerPC Mac, some miscreant could steal it and have access to all your passwords with a simple trip to the Preferences. So go into Preferences --> Security and set a master password. We don't want to make it that easy for 'em.
All that's well and good, but what if you want all your web traffic encrypted, not just HTTPS supported sites? Here's where things get cool. If you have an old Mac lying around not doing anything, you could turn it into a headless SSH server. Then you can set up a SOCKS proxy and tunnel all your web traffic at Starbucks through an encrypted connection to your home server and then on to its ultimate destination. Hackers locked out.
Setting up a server is as simple as it gets. On Debian Linux, if it's not already installed, just install openssh-server and it should automatically run as a daemon. On OS X, go to System Preferences --> Sharing and click the checkbox next to Remote Login. And that's it! Your computer's now a server. You may also need to forward a port on your router. Port 22, TCP only, is standard for SSH.
(UPDATE: I've also learned routers running on Tomato or DD-WRT firmware have their own SSH servers built in, so you don't even need another computer. Set up your router with instructions for Tomato or DD-WRT.)
Now that that's all set, let's open a tunnel from your obnoxiously chic coffee shop. In a terminal, enter:
ssh -CND 9999 firstname.lastname@example.org
where user is the username on the server machine and hostname.com is your server's ip address or a hostname you got from DynDNS or an alternative like No-IP or FreeDNS. You'll be prompted for the username's passphrase and you're in. It should be noted that for even better security, you can look into generating SSH public and private keys for passphrase-less login, but that's a bit beyond the scope here. Now leave the terminal window open and move on to configuring your browser.
Under Manual configuration, you'll want to set it to SOCKS host: 127.0.0.1, port 9999, SOCKS v5. Also, No Proxy For: localhost, 127.0.0.1. In TenFourFox, it looks like this (Preferences --> Advanced --> Network --> Settings):
(Note, to switch back click the "No proxy" or "Use system proxy settings" button.)
To also prevent DNS leaks, go into about:config and change
network.proxy.socks_remote_dnsto "true." That way your DNS requests are encrypted through your SSH tunnel as well. To plug DNS leaks in other applications, Privoxy is your best option.
In TenFourFox/Iceweasel, anyway, you're good to go. Or as hackers might see it, gvES R∆∂®456E Rkop∫∆®∂ßghZX∂ ≈ßƒ®∆∆kj lytudGFø πµ˜ç√ß∂ß®dfew∫µˆ∆†¥ ƒƒçFGESR˚∆ƒ©ß®ƒç∫∆ NMFGçƒ∆¬∆˚FXgfgdzdx ∫√∂ƒ≈∂ƒGFFDRGHY©√ƒ∂ƒ©g
Encryption humor. Then when you want to terminate the session, hit ctrl-c in the terminal and you're out. To keep from having to switch your browser preferences every time, you can create a separate user profile or look into an add-on like FoxyProxy.
That takes care of encrypted web browsing, but what about encrypting all your traffic, HTTP, NNTP, Bittorrent, everything? For that you need to connect to a VPN (Virtual Private Network). There are some free ones, but for anything good you have to pay. On the client side, Tunnelblick still supports Tiger and PowerPC, so go over and download that if you want to give VPNs a try. On Linux, openvpn is both a client and server package from the command line. And there's gadmin-openvpn-client for a GUI.
And for the truly adventurous, you can eschew VPN paid services and set up your own VPN server on that headless Mac we were talking about. I tried to do this with OpenVPN, but so far I've struck out. If your kung fu is better than mine, you can install openvpn with Tigerbrew or MacPorts (the port is called openvpn2) on OS X or with your package manager on Linux. I'll leave some links on the subject that may be helpful or may just pull you in deeper.
Some Mac-centric instructions:
Get easy-rsa here:
https://github.com/OpenVPN/easy-rsa (the instructions in the above first link show easy-rsa is installed with openvpn, but in newer versions you have to install easy-rsa separately)
How to solve a certain error message:
Alternately, you can set up a VPN server on your DD-WRT router:
Apparently there's some extra setup to get OpenVPN to really really tunnel all traffic through the server:
Finally, on the theme of security, Cameron Kaiser passed on word of a jaw dropping security hole involving sudo in OS X. Fortunately the fix is simple, and you can read in his comments section on how to use vi or nano to do it. Seriously, you'll want to fix this.