Sending passwords over open public wifi connections
March 25, 2009 7:26 PM
Lately I've been spending time at our public library studying and I find myself needing to connect to their open (passwordless) wifi network with my laptop. My computer is fully patched and I have a firewall so that seems ok for general internet, however I need to log into some non-https websites and I don't want my passwords to be sniffed (especially my school email account). Is there a (/free/) way I can safely/securely log into non-https websites from an open wifi network like this? Thanks for your help.
There isn't, in general, any secure way to log on to non-secure websites, which is why the vast bulk of web logons are done via https. But if you want to guard specifically against snooping that might happen in the last hop between your laptop and the cloud (including an open wifi network), you can run all your browsing through a secure tunnel to a server you trust to be less easily monitored.
Here's one way to do that.
posted by flabdablet's sock puppet at 7:44 PM on March 25, 2009
Also: if you're getting at your school email account via POP3, then web browsing via a tunnel won't help you - POP3 is independent of the Web, and it often is configured to transfer passwords in plain text. If that's what you're trying to prevent being sniffed, I recommend using Gmail as an intermediary.
Set up a Gmail account, which you will get at via HTTPS using your web browser. Tell your Gmail account to fetch mails from your school account via POP3. Now the only place your school mail password could possibly appear on a wire in plain text is between Google's mail server and your school's mail server, which puts it safely out of reach of wifi snoopers.
Of course, if you are using POP3 to get to your mail, that's probably because you prefer using a local email client to using webmail. Gmail lets you do that, too. After making Gmail pull mails from your school account via POP3, configure your local email client to get to your Gmail account via IMAP; then, mark your Inbox and Sent folders as available for offline viewing; then, copy all the existing mails from your school account's Inbox and Sent folders to the Gmail equivalents (this will upload all those mails into your Gmail mailbox, allowing you to get at them via the Gmail web interface as well, if you want).
posted by flabdablet's sock puppet at 8:00 PM on March 25, 2009
flabdablet's sock puppet, I haven't had a chance to look at the link in your first post, but I wanted to ask a question about your second post. I don't really understand all you said, so let me ask you about my situation. I use Outlook 2003 to get POP3 mail from gmail. It automatically retrieves mail every x minutes. Is it sending my password over the library's wifi? That's bad.
posted by atm at 8:19 PM on March 25, 2009
flabdablet's sock puppet, I may have answered my own question. According to this page: http://office.microsoft.com/en-us/outlook/HA011488981033.aspx gmail automatically uses an SSL connection for POP3. So I guess that means all is well with Outlook/gmail over a public wifi?
posted by atm at 8:37 PM on March 25, 2009
ATM, I believe Google's POP3 uses SSL or TLS for POP and SMTP passwords, which means they're sent encrypted.
posted by zippy at 8:38 PM on March 25, 2009
POP3 has logon methods that don't involve sending plaintext passwords over the wire, but most POP3 clients are not configured to use those. For that reason, Google's POP3 and IMAP servers both require SSL-encrypted connections. Most ISP mail servers and far too many corporate mail servers don't.
I'd strongly suggest that you reconfigure your Outlook to get at your Gmail account via IMAP instead of POP3. This will keep the read/unread status and the folder structure in sync between Outlook and the web interface, which is increasingly nice the more you use it. It also allows you to upload mails from other accounts to folders/labels in your Gmail account, just by dragging and dropping them in Outlook. POP3, in my opinion, is the mailbox access protocol of last resort.
posted by flabdablet's sock puppet at 11:56 PM on March 25, 2009
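An added example, not part of the thread: a small Python check of what a listener on the wifi hop learns from a POP3 login, covering plain USER/PASS, the APOP digest login, and STLS or SSL-wrapped sessions. The function names and sample sessions are constructed for illustration; the APOP timestamp, secret and digest are the worked example from RFC 1939.

```python
import hashlib


def apop_digest(banner_timestamp: str, secret: str) -> str:
    """RFC 1939 APOP: MD5 over the server's banner timestamp followed by the secret."""
    return hashlib.md5((banner_timestamp + secret).encode("ascii")).hexdigest()


def classify_pop3_login(client_lines, tls_from_start=False):
    """Say what a passive listener learns from the commands a client sent.

    client_lines: the client's commands, in order.
    tls_from_start: True for POP3 over SSL (port 995), encrypted from the first byte.
    """
    encrypted = tls_from_start
    for line in client_lines:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STLS":
            # RFC 2595 upgrade; assumes the server answered +OK and TLS was negotiated.
            encrypted = True
        elif verb == "PASS":
            return "protected by TLS" if encrypted else "password exposed in cleartext"
        elif verb == "APOP":
            return "protected by TLS" if encrypted else "digest only, password not sent"
    return "no login seen"


# Constructed sample sessions (client side only).
PLAIN_SESSION = ["USER student", "PASS hunter2", "STAT", "QUIT"]
STLS_SESSION = ["CAPA", "STLS", "USER student", "PASS hunter2", "QUIT"]
# RFC 1939 example: banner <1896.697170952@dbc.mtview.ca.us>, secret "tanstaaf".
RFC_BANNER = "<1896.697170952@dbc.mtview.ca.us>"
APOP_SESSION = ["APOP mrose " + apop_digest(RFC_BANNER, "tanstaaf"), "QUIT"]

if __name__ == "__main__":
    for name, session, tls in [
        ("plain port 110", PLAIN_SESSION, False),
        ("STLS upgrade", STLS_SESSION, False),
        ("APOP", APOP_SESSION, False),
        ("SSL port 995", PLAIN_SESSION, True),
    ]:
        print(f"{name:15} -> {classify_pop3_login(session, tls)}")
```

APOP keeps the password itself off the wire, but the messages that follow still travel unencrypted unless the session is inside SSL/TLS.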
POP3 has some advantages; you're storing the email locally, and not leaving it hanging around your mail provider - on a laptop, that means you can access it even when off the internet, though you run the risk of losing it all if the machine goes bang. Personally, I like the 'access from any machine' aspect of IMAP, but it's not always the best answer. Yes, there's offline caching for IMAP, but I've never found it terribly reliable.
Anyway, you're right to be worried about unencrypted traffic sent over a non-passworded wifi point - anyone in range can pluck that info out of the air at will, including logins and passwords. GMail's POP3 is encrypted, but many aren't.
One option is a VPN, as suggested - if your school doesn't offer one (which is BAD when combined with open wifi) - you can rent one - secureix.com is one example, there are a few in the US. Basically, you connect from your computer to their VPN server on the internet using software on your computer. That establishes an encrypted tunnel that can't be listened in on at the wifi point. All the connections you make go via their network, and then out onto the internet. If you visit unencrypted websites, they will go unencrypted from secureix's servers to the website, but the links going that way are a lot less vulnerable to being listened in on. The downside is everything goes via that tunnel, so if you try to access private resources only available inside the school network, such as file servers, it won't work while connected to the VPN.
Another option is buying service from socksify.com. Similar principle, but different technology, tied into the browser rather than the network connection. You'll get a private encrypted channel for browsing via their servers, and other apps that support a socks proxy. Outlook does, I believe, and some p2p apps, but many don't. On the plus side, since it's an application level secure proxy, you'd still be able to access local file shares and network printers.
posted by ArkhanJG at 3:56 AM on March 26, 2009
Hmm, secureix.com appears to be down. vpngates.com is another provider offering the same service, that I've heard pretty decent things about.
posted by ArkhanJG at 3:59 AM on March 26, 2009
I apologise. I just saw that you needed a free way. That's trickier. The simplest would be to use an SSL based web-based proxy, like https://proxify.com or sites linked from http://www.peacefire.org/
You go there, and put in your website. They retrieve it for you, and show it with some added adverts. The plus side is it's free, and it encrypts the hop over the wifi, because the proxy site is https. The downside is the ads, you're relying on unknown generous people to give you bandwidth and not log your traffic, and because such sites are often used to troll online forums anonymously, you may get blocked by the normal site you're trying to visit.
Yer pays yer money and yer takes your choice...
posted by ArkhanJG at 4:06 AM on March 26, 2009
Does your school library offer a proxy service? Many do, to allow access to school resources from off-campus. If so, using the proxy over open wireless connections should make your browsing more secure.
If you have a friend with a Linux box and a static IP address, who is willing to give you a logon name and password, you can use Bitvise Tunnelier (free) to create a SOCKS proxy on your own computer, then run HTTP connections through the proxy. All your web traffic will be encrypted and sent through a secure SSH tunnel to the Linux box, which handles the rest.
posted by caution live frogs at 6:19 AM on March 26, 2009
OP here, I think I may have been unclear. The public library I'm at is our city's library, not my school's. One website I need to log into is my college's portal for online classes, but I'm not comfortable logging into any website without some protection. Also, I considered both imap and pop3, and I am happy with my choice of pop3 for gmail, but thanks for the info. Mainly, of course, I'm looking for safety solutions for the open public wifi. (I just got sidetracked by the Outlook/Gmail scare, but that seems to be settled.) Unfortunately I only have one computer and none of my friends or relatives have a computer available to connect to. If I had another at home I'd use LogMeIn's free Hamachi VPN. Too bad I can't.
ArkhanJG, I guess that's what I need. I don't like the downside you mentioned, but if that's the best choice then what can you do? I'll keep reading here hoping to find other options too.
posted by atm at 8:25 AM on March 26, 2009
Have you suggested to your college's IT people, or via the student union or the like, that the online course login (or ideally the entire site) should be converted to https? It's not a trivial operation to change over, but it's not *that* hard to do, and you're right to be uncomfortable sending sensitive info such as your login and password over an unencrypted channel - especially if that login is also used for very sensitive systems such as your college email account.
As an IT admin, I wouldn't implement a system like that without making the login at least go over https, so I'd hope they have a damn good reason why it isn't set up that way.
posted by ArkhanJG at 12:49 PM on March 26, 2009
Unfortunately I only have one computer and none of my friends or relatives have a computer available to connect to
Anybody who can pay 10 cents per operating hour plus 17 cents per gigabyte transferred can have an Amazon EC2 virtual computer to play with for as long as they want, which is the basis of the method I linked to earlier. Granted, this isn't quite free.
posted by flabdablet's sock puppet at 3:23 PM on March 26, 2009
posted by bitdamaged at 7:43 PM on March 25, 2009