Dept. of “ZOMG!!! Wifi Hotspots are Insecure!”

(Otherwise known as the “um, duh” category for technical types, natch.)

David Pogue over at the NYTimes has an illustrative bit up today (well, Thursday) about just exactly how insecure traffic is at a public wifi hotspot. Your computer itself may be secure, but the data you send out is pretty much open for perusal by anyone who can get on the network.

While this isn’t news to at least some of you Heathen, we figure it’s a big enough topic that we may as well cover it here. Go read Pogue, or follow along with our summary.

The Intarwub — a series of tubes, of course — is basically insecure. Mail and web traffic move all over the world in completely unencrypted packets. This wasn’t that big of a deal in the years before wireless, since getting access to a network involved plugging in an actual cable; sure, the guy in the cube next to you could read your incoming mail, but he’s probably got better stuff to do, and (furthermore) probably isn’t a nefarious identity thief.

Well, enter Wifi. Now every self-respecting coffeeshop, sandwich place, pizza joint, etc., has a $99 Linksys and a DSL connection, the better to attract customers with. This is great and all, but there’s a downside. All that traffic that was moving over a physical wire is now in the air, unencrypted, and anyone with a smattering of technical know-how can sniff the network and get access to everything you send or receive.

No, really.

This is actually a HUGE deal for business travellers, since lots of biz hotels use wifi instead of wired connections in the rooms — meaning a bad guy could just check into room 105 and leave his laptop running all night, merrily capturing packets for later analysis.

Scary, huh?

Some of you are now wondering “But Mr Heathen! My bank/webmail/dominatrix/catfish purveyor/whatever web site says they’re secure!” This may be true! There’s hope! Web browsers have, since forever, had the ability to negotiate a completely encrypted connection to a given server. This is what that little lock icon means (Firefox goes one better by turning the address bar yellow when the connection is secure). This technology is called “SSL” (for “secure sockets layer”), and it’s pretty robust. A network-sniffing goon could still get at your network packets, but he’d get only gibberish if the traffic was encrypted (and while SSL is breakable, few will go to the trouble when there are plenty of plaintext packets to sniff).

Gmail and, we think, several other webmail providers have an option to encrypt your mail session with SSL. So do most banks as well as any online retailer worth a damn (though they probably won’t offer it until you get to the part where you put in identifying details or credit card info). Also, some kinds of email can be sent over SSL as a matter of course, which is an excellent idea for road warriors (ask your sysadmin).

So, there are a few important takeaways here:

  1. First, secure your home wifi. Use WPA encryption if you can, WEP if you can’t, and even consider applying a MAC filter. This “MAC” has nothing to do with Apple or cosmetics: every network device (wired or wireless) has a unique Media Access Control address, which is a string of letters and numbers. All modern home routers have the ability to limit their service to a list of known-good MAC addresses (or, conversely, keep known-bad MACs off the network).

  2. When you’re in Starbucks or whatever, be careful about how you read your mail and what you do online. Just reading the news? Don’t sweat it. Reading your email? Probably time to think about some countermeasures. Shopping or doing something sensitive for work? Go home, or get secure.

  3. If your email provider offers an encrypted method of getting email, USE IT.

  4. If you must do sensitive things on an open or near-open wireless connection, consider using any of the fine personal Virtual Private Networking tools mentioned in the comments to Pogue’s piece. We don’t use any of ’em, so we can’t tell you which one is better.

(What do we do? Something terribly geeky, but very effective. We use a technology called “SSH tunnels” to manage email and web browsing on the road, which sends all our traffic to our secure server in an encrypted “tunnel” before it goes out to the Internet at large. Sniff our coffeeshop packets all you want; we’re locked up tight. (This is sort of like a primitive VPN solution, but it’s quick and easy if you know what you’re doing, and even the nonsavvy can use it if a savvy type sets it up for them. (HDANCN?)))
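For the curious, here is roughly what an SSH tunnel setup for web and mail looks like in an OpenSSH client config. This is an added example, not our actual configuration: the host alias, server and mail host names, user name and local port numbers are all placeholders.

```sshconfig
# ~/.ssh/config (added example; every name and port below is a placeholder)

Host roadwarrior
    # Placeholder: a server you control or trust, reached over SSH
    HostName ssh.example.org
    User heathen

    # Web: a SOCKS proxy that listens only on the laptop itself.
    # Point the browser at SOCKS5 localhost:1080 and have it resolve DNS
    # through the proxy, or hostname lookups still cross the hotspot in the clear.
    DynamicForward 127.0.0.1:1080

    # Mail: the mail client talks to localhost; sshd on the server makes the
    # onward connection to the mail host (placeholder name, IMAP and SMTP ports).
    LocalForward 127.0.0.1:1143 mail.example.org:143
    LocalForward 127.0.0.1:1025 mail.example.org:25

    # Fail closed: if any forward cannot be set up, exit instead of
    # running with a tunnel that is only partly there.
    ExitOnForwardFailure yes

    # Hotspot wifi drops a lot; notice a dead tunnel within about 90 seconds.
    ServerAliveInterval 30
    ServerAliveCountMax 3

    # Refuse unknown or changed host keys. Connect once from a network you
    # trust first so the server's key is already in known_hosts.
    StrictHostKeyChecking yes

# Start the tunnel without opening a shell:  ssh -N roadwarrior
# The tunnel protects only the laptop-to-server leg. Traffic from the server
# onward to the mail host or web sites is as exposed as it ever was.
```

If the `ssh` process exits, clients pointed at the localhost ports simply fail to connect, which is what you want on a hostile network.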
