Public Wi-Fi is problematic if you value your passwords and privacy


I've spent the early afternoon at Starbucks putting this week's print column together, and I did type in a few logins and passwords that weren't over encrypted connections.

Bad idea.

Banking Web sites don't have the "https://" in front of their URL for nothing. From a trusted source, that "s" means a secure, encrypted connection over which it should be OK to log in to your account, even on Wi-Fi.

Here are some problem areas:

http://twitter.com/login is NOT secure.

But if you manually type (or better yet, bookmark) https://twitter.com/login, you'll be adding a great deal of security in the form of strong encryption to the transmission of your login and password over the network.

Adding the "s" for secure and encrypted to http:// works much of the time. Gmail has it. Yahoo Mail has a secure login, but the rest of your session is in the clear. That means a Wi-Fi snoop can potentially see the mail you're transmitting and receiving.

One of my e-mail providers, who shall remain nameless, offers neither a secure login nor a secure session.
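The difference between a login sent over http:// and one sent over https:// can be checked from a page's HTML. The following is an added example, not code from the original post: it finds every form with a password field and reports whether both the page and the form's submit target use https. The `example.test` page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormScanner(HTMLParser):
    """Collect the action attribute of every <form> that holds a password field."""

    def __init__(self):
        super().__init__()
        self.form = None    # state of the <form> currently being parsed
        self.actions = []   # raw action values of forms with a password input

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self.form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            if self.form["password"]:
                self.actions.append(self.form["action"])
            self.form = None


def audit_login_page(page_url, html):
    """Return one (submit_url, verdict) pair per password form on the page."""
    scanner = PasswordFormScanner()
    scanner.feed(html)
    scanner.close()
    page_tls = urlparse(page_url).scheme == "https"
    results = []
    for action in scanner.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlparse(target).scheme != "https":
            verdict = "password sent in the clear"
        elif not page_tls:
            verdict = "form delivered in the clear"  # page can be altered in transit
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results


# Constructed sample: a login page fetched over plain http.
SAMPLE = '<form action="/session" method="post"><input name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit_login_page("http://mail.example.test/login", SAMPLE))
```

Password fields that sit outside any `<form>` and are submitted by script are not covered by this check.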

For a couple of my personal e-mail accounts on my hosted server, I have encryption set up, and I use POP with the Thunderbird mail client software to securely receive and transmit the messages from my PC.

The moral of this story is that you shouldn't do anything too "sensitive" over a public Wi-Fi connection (or over any Wi-Fi connection without WPA encryption) unless you're absolutely sure you're connected to a secure server, one where the https:// appears before the URL ... and you trust the source NOT to be serving up an https:// address without the encryption (which has been known to happen).

Even so, I'm here at Starbucks using the WiFi because it's just so damn convenient. It's far from the ideal situation as far as security is concerned.

Summing up, it's a crazy world out there, and a little paranoia isn't the most unhealthy thing.

2 Comments

Steven,

I completely agree that using an open wifi network to access any sensitive information is just asking for trouble. Here is what I do (and, in fact, am doing this now):

Once I connect to the open wifi network, I establish an SSH connection back home and include the -D switch like so:

$ ssh me@myhomeip.com -D 8080

Then, I use the FoxyProxy Firefox extension to create and maintain different proxy connections. I create a new proxy connection called "home" to create a SOCKS proxy with a host/ip address of "localhost" and port 8080. I then use this proxy connection to surf through the encrypted ssh tunnel. You can check the status of this connection by going to an IP site like ipchicken.com. I check my IP while on the wifi network before using the SSH tunnel and it will display an IP address from the wifi network. After connecting via SSH, and then switching over to the local proxy connection using FoxyProxy, my IP has changed to my home IP -- meaning I am now surfing through the encrypted tunnel. I still make sure I connect to my bank etc. using their https server, but now my entire traffic is encrypted over the SSH tunnel as well.

There are lots of posts and articles on the web that explain how to do this much better than I can. Here are a couple that I found after a quick Google search:

http://embraceubuntu.com/2006/12/08/ssh-tunnel-socks-proxy-forwarding-secure-browsing/

http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php

OpenSSH + Firefox + FoxyProxy = safe browsing

Good luck and I love your blog!
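What a browser does when it is pointed at the "localhost" port 8080 SOCKS proxy described in the comment above, as an added example that is not part of the original comment: a minimal SOCKS5 client (RFC 1928) that sends the destination as a hostname, so the name lookup happens at the far end of the SSH tunnel instead of on the Wi-Fi network. The default proxy address matches the `-D 8080` command; the function names are this example's own.

```python
import socket
import struct


def socks5_connect_request(host, port):
    """Build a CONNECT request that carries the hostname itself (address type 0x03),
    so the name is looked up at the far end of the tunnel, not on the Wi-Fi network."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def check_reply(header):
    """Validate the first 4 bytes of the proxy's CONNECT reply; return the address type."""
    ver, rep, _rsv, atyp = header
    if ver != 5 or rep != 0:
        raise ConnectionError(f"CONNECT failed, reply code {rep}")
    return atyp


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_socks5(dest_host, dest_port, proxy=("localhost", 8080), timeout=10):
    """Return a socket to dest_host:dest_port that runs through the SOCKS5 proxy."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")              # version 5, one method offered: no auth
        if _read_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept the no-auth method")
        sock.sendall(socks5_connect_request(dest_host, dest_port))
        atyp = check_reply(_read_exact(sock, 4))
        # Skip the bound address: 4 bytes (IPv4), 16 (IPv6) or a length-prefixed name.
        addr_len = {1: 4, 4: 16}.get(atyp) or _read_exact(sock, 1)[0]
        _read_exact(sock, addr_len + 2)            # address plus 2-byte port
        return sock
    except Exception:
        sock.close()
        raise
```

If the `ssh -D 8080` session is not running, `open_via_socks5` fails with a connection error instead of falling back to the open network.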

(I had a huge Chess Griffin bio here about all the things he does with podcasting and Slackware ... but something GNOMEish happened that zapped Firefox, and I lost it all ... this time I'll be brief)

Chess ... that sounds complicated, but it does solve the problem (and addresses my contention that the Web eventually move to an all-encryption-all-of-the-time way of doing things).

Look for Chess' blog in the blogroll on the right ... and with Linux Reality now ended, Chess is back in the podcasting game with the guys from The Linux Link Tech Show, available wherever podcasts are not sold but freely given away (iTunes, RSS, direct download).

That Chess can do stuff like this SSH/proxy thing is no surprise to me -- he's a Slackware master, even though he doesn't bill himself as such. The sbopkg project he's working on is bringing some great tools to users of the Slackbuilds scripts for adding apps to Slackware.

About this Entry

This page contains a single entry by Steven Rosenberg published on August 21, 2009 12:49 PM.
