
How safe is unencrypted WiFi? - Mac Networking


  1. #1

    How safe is unencrypted WiFi?

    The local public library is promoting their new free WiFi hotspot, but it's
    not using WPA or even WEP. Just select their SSID, and you're in.
    Apparently their intention was to make the network as simple as possible to
    use, but the lack of encryption has me wary. Isn't that traffic sniffable
    by anyone within range? I'm wondering whether it's safe to be using logins
    (mail, websites, remote servers, etc.) over an unencrypted network.

    --
    CC
    CC Guest

  2. #2

    Re: How safe is unencrypted WiFi?

    In article <comcast.net>,
    CC Zona <invalid> wrote:
     


    It depends on how they have their network configured. It's highly
    possible that even though they have WiFi, they probably have a router
    that the WiFi segment connects to. Using the router they can control
    the traffic and send it where they want it. Doing this will keep people
    out of their main network.

    M. Prindle
    M. Guest

  3. #3

    Re: How safe is unencrypted WiFi?

    On 2004-04-23 21:52:53 -0400, CC Zona <invalid> said:
     

    There's really no difference in concern on a public WIFI or your
    private one at home, or even a wired connection. You should never send
    any passwords in the clear if you don't want others to learn your
    passwords. Period. Remote networks, if run by a competent admin, won't
    allow telnet logins, only SSH. Web pages should use SSL for login
    screens. For mail, either use SSL-based web mail, SSL logins, or tunnel
    through SSH.


    David Guest

  4. #4

    Re: How safe is unencrypted WiFi?

    In article <macintoshg3.Rem0veTh|east.earthlink.net>,
    "M. Prindle" <macintoshg3.Rem0veTh|com> wrote:
     
    >
    >
    > It depends on how they have their network configured. It's highly
    > possible that even though they have WiFi, they probably have a router
    > that the WiFi segment connects to. Using the router they can control
    > the traffic and send it where they want it. Doing this will keep people
    > out of their main network.

    I don't think he's concerned about the traffic after it reaches the
    router, but the traffic in the air on the way to the WiFi router.

    The solution is for you to encrypt the traffic end-to-end. Most web
    sites that require a login use SSL (look for "https:" at the beginning
    of the URL, and a padlock icon in the browser) to encrypt the entire
    session. And for remote logins, use SSH rather than TELNET.

    I believe there are ways to access mail via an encrypted channel as
    well, but I'm not familiar with the details. Mail.app has a "Use Secure
    Socket Layer" checkbox in the Server Settings dialogue, but I don't know
    how commonly this is supported.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  5. #5

    Re: How safe is unencrypted WiFi?

    In article <2004042411103727590%dturleypoboxNOTcom>,
    David Turley <com> wrote:
     
    >
    > There's really no difference in concern on a public WIFI or your
    > private one at home, or even a wired connection.

    Your private WiFi at home can be encrypted, so that others can't sniff
    the passwords out of the air.
     

    Most people are not able to arrange for the wiretaps that would be
    necessary to compromise traffic over wired connections. The danger of
    unencrypted traffic over the public Internet is highly overblown. I'm
    not advocating ignoring it, and encryption technology is easy enough to
    use that there's no reason to avoid it. But crackers can get much more
    bang for their buck by trying to break into the servers and steal *all*
    the passwords than by sniffing traffic on the fly and hoping to catch a
    few passwords in transit.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  6. #6

    Re: How safe is unencrypted WiFi?

    In article <ash.giganews.com>,
    Barry Margolin <mit.edu> wrote:
     
    > >
    > > It depends on how they have their network configured. It's highly
    > > possible that even though they have WiFi, they probably have a router
    > > that the WiFi segment connects to. Using the router they can control
    > > the traffic and send it where they want it. Doing this will keep people
    > > out of their main network.
    >
    > I don't think he's concerned about the traffic after it reaches the
    > router, but the traffic in the air on the way to the WiFi router.

    Correct.
     

    Yes, I've already done as much of that as possible for myself (SSL isn't
    available on my host's mail server). But my concern is more of a general
    one, for all users. Librarians are noted for their commitment to free
    speech, including protecting the privacy of borrowing records from even
    government review (PATRIOT Act). So I'm surprised that this library is
    making their patrons' Internet usage open to snoopers. I wondered whether
    I misunderstood the risk, or whether it is the library which has apparently
    ignored it or is unaware of it.

    In the meantime, I do prefer to encrypt all my traffic across that network,
    if possible. Is there some way to do that, rather than trying to remember
    to find a secure method for each login (for plenty of sites SSL's not even
    an option)? I've heard VPNs mentioned for securing WiFi traffic, but I
    don't know how that works and whether that would be applicable to this
    situation. Any suggestions would be much appreciated.

    --
    CC
    CC Guest

  7. #7

    Re: How safe is unencrypted WiFi?

    In article <ash.giganews.com>,
    Barry Margolin <mit.edu> wrote:
     

    What is the encryption technology that I and the other library patrons
    should be using? We're not avoiding it, just ignorant of it. On my home
    network, I rely on WPA. When a hotspot provider chooses not to use WPA or
    even WEP, are there other technologies that can be implemented by the users
    to encrypt their overall traffic?

    --
    CC
    CC Guest

  8. #8

    Re: How safe is unencrypted WiFi?

    CC Zona <invalid> wrote:
     

    yes, it is; more or less like traffic on an unswitched ethernet is
    sniffable to anyone who has physical access.
     

    it's not safe, but it is not a problem as such, since you should use
    end-to-end encryption (e.g. ssh, ssl) for anything somewhat sensitive
    anyway.
    As long as they do not mind anyone using that hotspot, it's a valid
    approach not even to pretend there was any security provided by the
    network.

    --
    Georg Schwarz http://home.pages.de/~schwarz/
    de +49 177 8811442
    Georg Guest

  9. #9

    Re: How safe is unencrypted WiFi?

    CC Zona <invalid> wrote:
     

    the risk is not the network (which does not even attempt to make a claim
    of being safe), the risk is people not being aware of or being ignorant
    about their traffic being openly-readable unless they themselves do
    something about it. They better should if they are on the Internet,
    anyway.
     

    for a VPN you need a VPN endpoint somewhere (connected to the Internet).
    Traffic between you and that endpoint is encrypted.

    --
    Georg Schwarz http://home.pages.de/~schwarz/
    de +49 177 8811442
    Georg Guest

  10. #10

    Re: How safe is unencrypted WiFi?

    CC Zona <invalid> wrote:
     

    yes, sure, SSL has been mentioned, then there is IPSEC or ssh for
    terminal logins.

    --
    Georg Schwarz http://home.pages.de/~schwarz/
    de +49 177 8811442
    Georg Guest

  11. #11

    Re: How safe is unencrypted WiFi?

    In article <comcast.net>,
    CC Zona <invalid> wrote:
     
    >
    > Yes, I've already done as much of that as possible for myself (SSL isn't
    > available on my host's mail server).

    Mine either, but that doesn't stop me. Maybe your ISP allows SSH
    connections on a different server than the mail server? My ISP has a
    command line that I can ssh in to. And SSH can do "port forwarding".
    So I do something like this:

    ssh -N -v -L9143:[my ISP's mail server]:143 [my ISP's shell system]

    Then I tell Mail.app that my mail server is localhost, on port 9143.
    SSH then creates a "tunnel". The result is that all of my traffic is
    encrypted between my Powerbook and my ISP's command-line system, giving
    me an encrypted link for email even though the mail server doesn't do
    SSL.

    This has a nice benefit beyond encryption. My ISP doesn't allow SMTP
    (outgoing) mail connections from outside its own dialup and DSL lines.
    But since I also run SMTP over an SSH tunnel, their mail server always
    sees me as local. So no matter where I connect from, I can still use my
    ISP's SMTP server.
     

    Well, for most sites, SSL's not relevant. I don't care if, for example,
    someone knows I'm reading slashdot.org. You can always use SSH to set
    up a local SOCKS proxy if it's important to you.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 2.0: Delocalize, Repair Permissions, lots more.
    See http://www.atomicbird.com/
    Tom Guest
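
The tunnels described in the post above, written out as an added example (not code from the thread). The host names are placeholders, and the local ports 9025 (SMTP) and 1080 (SOCKS) are assumptions; only 9143 comes from the post. It also checks that the forwarded port listens on loopback only, so other hotspot users cannot connect to it.

```shell
#!/bin/sh
# Added example. Hosts are placeholders; local ports 9025 and 1080 are assumptions.
SHELL_HOST="${SHELL_HOST:-user@shell.isp.example}"  # ISP shell system
MAIL_HOST="${MAIL_HOST:-mail.isp.example}"          # ISP mail server

# Accept only unprivileged numeric ports for the local end of a forward.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT REMOTE_HOST REMOTE_PORT
# Pins the listener to 127.0.0.1 so other hotspot users cannot connect to
# the forwarded port, whatever GatewayPorts is set to.
forward_spec() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# IMAP (143) and SMTP (25) through one ssh session, as in the post.
mail_tunnel_cmd() {
    imap=$(forward_spec 9143 "$MAIL_HOST" 143) || return 1
    smtp=$(forward_spec 9025 "$MAIL_HOST" 25) || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s -L %s %s\n' \
        "$imap" "$smtp" "$SHELL_HOST"
}

# Local SOCKS proxy via ssh's dynamic forward (-D).
socks_cmd() {
    valid_port "$1" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' \
        "$1" "$SHELL_HOST"
}

# Reads `netstat -an` output on stdin. Succeeds only if PORT has a listener
# and every listener for it is bound to loopback (127.0.0.1 or ::1).
loopback_only() {
    awk -v port="$1" '
        $NF != "LISTEN" { next }
        {
            addr = $4                       # local address column
            n = match(addr, /[.:][0-9]+$/)  # ".9143" (macOS) or ":9143" (Linux)
            if (!n || substr(addr, n + 1) != port) next
            seen = 1
            host = substr(addr, 1, n - 1)
            if (host != "127.0.0.1" && host != "::1") exposed = 1
        }
        END { exit ((seen && !exposed) ? 0 : 1) }
    '
}

# Print the commands for review before running them.
mail_tunnel_cmd
socks_cmd 1080
```

Once the tunnel is up, `netstat -an | loopback_only 9143` should succeed before Mail.app is pointed at localhost. The encryption ends at the shell host; the hop from there to the mail server is still cleartext inside the ISP's network.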

  12. #12

    Re: How safe is unencrypted WiFi?

    > The local public library is promoting their new free WiFi hotspot, but it's 

    AFAIK, things like WEP and WPA only protect people on the wireless-net from
    those who are not allowed to access it. I.e. even if they were using WEP,
    anyone who has access to it would be able to snoop all the packets of all
    the machines accessing this hotspot.

    It doesn't make any sense to use WEP or WPA if the key is made basically
    public (which is necessary to allow access to the public).


    Stefan
    Stefan Guest

  13. #13

    Re: How safe is unencrypted WiFi?

    In article <net.eu.org>,
    de (Georg Schwarz) wrote:
     
    >
    > yes, sure, SSL has been mentioned, then there is IPSEC or ssh for
    > terminal logins.

    I know SSL can be used to encrypt communication between a web server that's
    implemented it, or a mail server that's implemented it. That's the limit
    of my knowledge on the subject. It sounds like you're saying there is also
    a way to use SSL to encrypt all of a client machine's traffic regardless of
    which protocol, domain, etc. is being accessed. If so, cool! Could you
    point me in the direction of a layman's explanation of how to use that, or
    an appropriate set of search terms? (No luck so far with Googling.)

    --
    CC
    CC Guest

  14. #14

    Re: How safe is unencrypted WiFi?

    In article <comcast.net>,
    CC Zona <invalid> wrote:
     
    > >
    > > yes, sure, SSL has been mentioned, then there is IPSEC or ssh for
    > > terminal logins.
    >
    > I know SSL can be used to encrypt communication between a web server that's
    > implemented it, or a mail server that's implemented it. That's the limit
    > of my knowledge on the subject. It sounds like you're saying there is also
    > a way to use SSL to encrypt all of a client machine's traffic regardless of
    > which protocol, domain, etc. is being accessed. If so, cool! Could you
    > point me in the direction of a layman's explanation of how to use that, or
    > an appropriate set of search terms? (No luck so far with Googling.)

    Wireless networks can use WEP, which I assume stands for Wireless
    Encryption Protocol; it encrypts the traffic in the air between your PC
    and the wireless access point. The problem is that it requires that the
    client machines be configured with a key that they share with the access
    point. This is fine for home or office networks, where you can set
    things up on all the machines in advance. It's not appropriate for a
    public access point, like you find in an airport or this library.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  15. #15

    Re: How safe is unencrypted WiFi?

    In article <ash.giganews.com>,
    Barry Margolin <mit.edu> wrote:
     
    > >
    > > I know SSL can be used to encrypt communication between a web server that's
    > > implemented it, or a mail server that's implemented it. That's the limit
    > > of my knowledge on the subject. It sounds like you're saying there is also
    > > a way to use SSL to encrypt all of a client machine's traffic regardless of
    > > which protocol, domain, etc. is being accessed. If so, cool! Could you
    > > point me in the direction of a layman's explanation of how to use that, or
    > > an appropriate set of search terms? (No luck so far with Googling.)
    >
    > Wireless networks can use WEP, which I assume stands for Wireless
    > Encryption Protocol;
    Wired Equivalent Privacy 

    --
    Tom Stiller

    PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
    7BDA 71ED 6496 99C0 C7CF

    Support the 2004 Million Mom March on Washington DC
    Mother's Day, May 9, 2004
    visit <http://www.mmm2004.org/>
    Tom Guest

  16. #16

    Re: How safe is unencrypted WiFi?

    In article <jwvoephcfvb.fsf-monnier+org>,
    Stefan Monnier <umontreal.ca> wrote:
     
    >
    > AFAIK, things like WEP and WPA only protect people on the wireless-net from
    > those who are not allowed to access it. I.e. even if they were using WEP,
    > anyone who has access to it would be able to snoop all the packets of all
    > the machines accessing this hotspot.
    >
    > It doesn't make any sense to use WEP or WPA if the key is made basically
    > public (which is necessary to allow access to the public).
    >
    >
    > Stefan

    Bingo! Stefan is correct.

    And if you are going to tell all the library patrons the key, it just
    makes more work for the librarians or it means less patrons can figure
    out how to connect, etc... And if the goal is to have a free public hot
    spot, then no WEP or WPA encryption makes sense.

    Oh yeah, as most others have said, be careful of what you send/receive at
    a public hot spot, regardless of whether it is an unencrypted free hot
    spot, or one that you pay for like T-Mobile, etc... They can all be
    sniffed.

    Bob Harris
    Bob Guest

  17. #17

    Re: How safe is unencrypted WiFi?

    CC Zona <invalid> wrote:
     

    GOOD!

    So you'll make sure your laptop has:

    - firewall on and working
    - recent SSH to access your remote services
    - https:// access to your remote web logins
    - SCP for file transfers
    - PGP for other attachments and notes to friends and family
     

    WEP is fairly easy to break but I haven't read much about WPA.
     

    Learn to love your SSH. BTW, SSH can set up a local, secure tunnel to a
    remote system. Of course it won't do much good if the end delivery is to
    another open WiFi hotspot.

    Bob Wilson
    Bob Guest

  18. #18

    Re: How safe is unencrypted WiFi?

    On Sat, 24 Apr 2004 12:03:43 -0400, Barry Margolin <mit.edu> did write: 

    Yes, they are. More precisely, "wiretaps" are not needed - if you
    are "close by" on the network, all the other guy's packets are
    hitting your machine and you can see them just by running a program.
    Even if the library had a wired network then anyone using a public computer
    in the library could most likely see the data traveling to and from
    any of the other public computers. This is why the advice to use
    encrypted channels became widespread long before wireless networks
    became popular.
    Lee Guest

  19. #19

    Re: How safe is unencrypted WiFi?

    In article <lcp.nrl.navy.mil>,
    Lee Phillips <org.invalid> wrote:
     
    >
    > Yes, they are. More precisely, "wiretaps" are not needed - if you
    > are "close by" on the network, all the other guy's packets are
    > hitting your machine and you can see them just by running a program.
    > Even if the library had a wired network then anyone using a public computer
    > in the library could most likely see the data traveling to and from
    > any of the other public computers. This is why the advice to use
    > encrypted channels became widespread long before wireless networks
    > became popular.

    If they are using hubs yes. If they are using switching then the only
    traffic you could sniff is broadcasts which would tell you zilch. If
    the set up is anything like recent then it will be switches.

    To wiretap a switched network you need a hub (of appropriate speed) to
    tap in your sniffer machine. So it can be done but it would require
    physical access.

    --
    Clark Martin
    Redwood City, CA, USA Macintosh / Internet Consulting

    "I'm a designated driver on the Information Super Highway"
    Clark Guest

  20. #20

    Re: How safe is unencrypted WiFi?

    In article <lcp.nrl.navy.mil>,
    Lee Phillips <org.invalid> wrote:
     
    >
    > Yes, they are. More precisely, "wiretaps" are not needed - if you
    > are "close by" on the network, all the other guy's packets are
    > hitting your machine and you can see them just by running a program.
    > Even if the library had a wired network then anyone using a public computer
    > in the library could most likely see the data traveling to and from
    > any of the other public computers. This is why the advice to use
    > encrypted channels became widespread long before wireless networks
    > became popular.

    That was true in the old days of thick- and thin-ethernet, which were
    implemented as a bus. Modern twisted-pair ethernet networks are usually
    switched in a star topology, and a device on one switch port won't see
    traffic intended for devices on the other ports.

    Unencrypted WiFi networks are more like the old bus networks.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest
