WiFi safety question -- what's safe to look at?
November 27, 2004 12:57 PM   Subscribe

If you are using an SSL connection then your traffic is encrypted point (your computer) to point (the shopping site) and you should be fine. Without SSL, then its all just plaintext which anyone could snoop in on, if they cared.

By the way, if you use Gmail, you can set your url from http to https and have it use an SSL connection instead. I do this when I'm in an office environment to write and send personal emails.
posted by vacapinta at 1:01 PM on November 27, 2004

If your mail provider doesn't support secure POP, you're better off checking through a web interface, which is likely to be encrypted. If they do support secure POP, use it.
posted by jjg at 1:24 PM on November 27, 2004

It all depends on how paranoid you are. It's frighteningly easy for someone to pick up your POP password if it's not using SSL. The odds that someone is there and listening is probably relatively low. I still wouldn't risk it, but that's just me.

Mail2Web allows you to check your POP mailbox online using SSL (be sure to use the 'secure login" option), but then, you'd have to trust them with your password.

Mail2Web is what I use when I'm on an unsecure wireless network.
posted by mrgavins at 1:29 PM on November 27, 2004

Your DSL is actually much more secure. There isn't any feasible way for anbody to snoop on your transactions unless they have access to your ISP, or one of the hops between your ISP and the destination website. Its still possible, but much more difficult than snooping on your wireless connection. To snoop on your wireless connection, they just have to be somewhere in the airport with a wireless card.

If any of the wireless encryption schemes were worthwhile (WEP, EAP, etc.) they would be used, however the lack of ease of deployment for them, and the lack of adoption of these for public access wireless have made them useless.

As others have said, only trust the sites that you can access using SSL. If you have the ability to use a VPN to get back into your corporate network, or other known location, that will also be secure.
posted by stovenator at 2:03 PM on November 27, 2004

40-bit WEP is trivial and even 128-bit WEP is easily cracked due to theoretical flaws in the design algorithm.

So make sure that anything passing over such a network is enshrouded in SSL or something else that is sound, and you should be all right.

Incidentally, you're trusting your online bank/merchant to get this right - if they don't, you're no safer over DSL than WiFi. Most any internet packet travels over a computer that you don't own, and unless that packet has strong encryption, the owner of the computer could look at it and do what she likes with it.
posted by ikkyu2 at 3:25 PM on November 27, 2004

What you're going to want to do is use SSH's port forwarding capabilities, so that all of the traffic that you generate is encrypted with something stronger than WEP. Google returned quite a few entries for tutorials, but I don't know what operating system that you're using to narrow the search nor do I know how extensive a tutorial that you're going to require. Also, please note that you'll have to have an account that has SSH enabled on another computer connected to the Internet to forward the requests through.
posted by jperkins at 4:45 PM on November 27, 2004

And to actually answer your question: account and passwords (and servers) used via POP are going to be potentially exposed if the wireless encryption isn't set or has been cracked. As noted, it's considered trivial to crack WEP 48 (takes about 30 minutes of traffic to discover the key) - WEP 128 is more difficult (takes ~8 hours of traffic to discover the key). See my previous post for another solution. Sorry for the Jeopardy style posting.
posted by jperkins at 5:05 PM on November 27, 2004

At a location like that I wouldn't type in any passwords that you didn't want people to have. Yes, the contents of your connection with Amazon or your bank will be secure, but logging in (your username and password...) will be sent in plaintext and someone could sniff it. With that said, I wouldn't recommend buying anything, trading any stocks, transfering funds from your bank, doing anything with PayPal, but feel free to do anything else.

I would look into getting some sort of VPN connection if you could to make yourself super safe. I don't do that yet, but I'm planning on doing it soon. My new router, along with an unauthorized firmware upgrade will allow me (or you...) to connect securely over the internet to my home network where things are safer.
posted by pwb503 at 6:59 PM on November 27, 2004

No, your username and password are not sent in plain text. Not unless the site designer was a moron. If it is an https page it is safe. Otherwise assume someone is listening. Snooping on wifi is shockingly easy.
posted by aspo at 7:25 PM on November 27, 2004

I wouldn't.
posted by cribcage at 12:11 AM on November 28, 2004

The POP protocol sends your password without encryption. Not fun.

Both buying and banking would be okay, but do you really need to?

HTTPS is pretty secure, but it can be sniffed. The same goes for SSH forwarding, if you're not careful/paying attention.

ettercap is a sniffer that can do man-in-the-middle attacks (i.e. attacker's computer: "I'm the server you want to talk to, not amazon.com.") for HTTPS and SSH1.

That said, the probability of someone using ettercap near you is abysmally low.
posted by easyasy3k at 10:29 AM on November 29, 2004

This thread is closed to new comments.