Security over a public wireless network
February 15, 2011 10:48 AM

How can you know if someone is capturing information that you are sending over a public wireless network?

My dad recently used the public library's wireless (presumably not secure) to import bank account information to Mint.com, which required him to type in his accounts' online access username and password. Mint then imported information like transaction history, balances, etc. He also entered credit card information to make a purchase on Amazon. The firewall connection on his Mac was off.

Could someone have conceivably captured all that information, and how can we know? He doesn't have internet at home, so in the future, what can he do to protect his data while using a public network (is subscribing to a VPN the only way), and is there some way for him to tell whether anyone on the network is collecting his data? Would simply checking his email be just as risky?
posted by dancesquad to Technology (14 answers total) 5 users marked this as a favorite
As long as it was over HTTPS (which Mint is - and you can make email HTTPS) I don't think there'd be an issue even if they were. Once your info is in Mint there's almost no chance your info would get stolen as account info is not available through the main site (only the transactions and balances.)
posted by jourman2 at 10:53 AM on February 15, 2011


I can't answer the specific question, but here are a few things to keep in mind:

1) If the connection is encrypted (using HTTPS) then all of his data and passwords should be protected, as far as I know. People are not going to be able to sniff this out. But if passwords are not sent encrypted over the network, it doesn't matter if it is a wired or wireless network he is on: it is insanely easy to sniff data from raw packets using something like Wireshark.

2) Firewalls have nothing to do with the kind of security you are talking about. Firewalls prevent access from point A to point B, from one network device to another, generally speaking. The type of attack you are talking about, however, does not rely on any connection to your computer but just intercepting the packets between your device and another. I actually don't really understand the obsession with firewalls on consumer devices; they are relatively pointless if you don't have services up and running on your machine (security experts please correct me if I'm off base here), although I guess a lot of software installs a lot of garbage by default which these can block. I guess they can prevent things from calling out if they have been maliciously installed on your computer, but at that point...
posted by dubitable at 10:56 AM on February 15, 2011


Yeah, https is the key here. Sure, someone could have captured everything, but it's encrypted. This is how you have peace of mind with security and encryption, being confident that if you are in hostile territory you don't have to worry. To answer your question, just like with eavesdropping and spying in general, there's no way to know how far your communications have propagated. You don't see everybody who can hear you speak in your day to day life.
posted by rhizome at 10:57 AM on February 15, 2011


Basically, if your connection to a given web site is over SSL (also known as HTTPS) then the data was encrypted and no one could have eavesdropped on it. Mint and Amazon both use SSL, so you should have nothing to worry about in this case. If the URL in your address bar begins with https:// then the site you are connecting to is secure. (There are nuances to all of this, but for the most part that is all you typically need to worry about.)

Email can be riskier, depending on how you connect to and retrieve it from your email provider. Gmail, for example, enforces SSL on its web interface, so if you use that then you are secure. If you are using regular old POP or IMAP mail with an ISP-provided email account, then chances are it's insecure.
posted by Nothlit at 10:57 AM on February 15, 2011


Your bank almost certainly uses Secure Sockets Layer (SSL) for its online banking site. (Check to make sure the URI says https:// at the beginning while in the online banking service. If it does not, get a new bank.) Nothing he sees there would be accessible over wireless.

Most e-mail providers support SSL as well, not only for their Web mail service but also for POP/IMAP/SMTP access using a non-browser e-mail client. This is usually just a checkbox in the client that says "use secure access" or something of the sort. If this is enabled, e-mail access is essentially secure.

Other sites may or may not be secure. Facebook, for example, recently implemented a setting to let you run everything over SSL, but it is not activated by default. Other sites (MetaFilter is one) do not offer SSL at all. Your login to MetaFilter can then be "sniffed" by anyone on the same open wireless network.

You can mitigate the danger of this by using different passwords for everything, but a better solution is, as you note, a VPN service. One free VPN service is called Hotspot Shield. Of course, you have to trust the company that runs the VPN service, because your traffic will be unencrypted as it leaves their network to go to the Internet, and they can easily sniff it at that point.

If you are not using SSL or a VPN, and the wireless network is not using WPA with a strong password (but is instead open, uses WEP, or uses WPA with a short password), then you should assume that your traffic is being sniffed. There is no way to tell if someone is doing this. Even if the wireless network is using WPA with a good password, the person running the wireless network could still be sniffing, so unless you know and trust that person, a VPN is still usually a good idea.
posted by kindall at 11:01 AM on February 15, 2011


EFF has created a Firefox add-on called HTTPS Everywhere after the Firesheep debacle. This will ensure that if you are using a site with an HTTPS option, it will default to that. Only works for a handful of major sites, but it's a good start.
posted by jessamyn at 11:02 AM on February 15, 2011


If you really want peace of mind, go into the browser and verify the list of certificate authorities (CAs) matches that of a stock browser. TLS (née SSL) is only as secure as the trusted certificates installed in the browser, and one way of attacking it is to surreptitiously install a signing cert in the user's browser which then lets you intercept their secured traffic by generating a fake session certificate and signing it with the CA, such that you successfully impersonate the website at the other end without setting off browser warnings. This brings up another issue, namely that TLS is also only as secure as the user who actually heeds the security warning that says that the certificate does not match the website and maybe you shouldn't proceed. This does happen from time to time if a website is configured incorrectly or if it's using an expired cert, and many naive computer users are used to just clicking on OK when a box of technobabble is presented to them, and so that is a habit that must be broken if you want to use unsecured wireless networks.
posted by Rhomboid at 11:12 AM on February 15, 2011


Security depends in part on your threat model. You're asking if it's possible for someone to simply listen for banking information; the answer to that is no. HTTPS is a good shield against this, and mint.com has it enabled for login forms and authenticated browsing (the comms between your bank and mint are also encrypted).

If you allow your attackers a bit more freedom to actually communicate with you surreptitiously, it's a whole different ballgame. Most of the attacks involve tricking you into not using SSL. When you type mint.com into a browser, by default it tries HTTP first; a hacker could fake the initial mint.com to never include SSL, redirect your browser to a MITM or redirect the browser to, say, mlnt.com with a valid cert. This is why I bookmark HTTPS versions of all login URLs, delete non-HTTPS versions from my browser history (autocomplete), and prefer HTTPS Everywhere which tries HTTPS first.

Finally, HTTPS is DNS based--it's possible, given that you trust DNS from untrusted free public wifi, that someone could attack that angle. I'm not sure how yet, so this is hand waving on my part. Probably it involves chained certificates or tricking users into accepting a new CA cert "for library wifi". The big DNS exploit a while back revolved around something similar but my mind has fuzzed the details.

The firewall thing is irrelevant; it only prevents people from attacking you on ports that most people don't use / have on anyways. It does nothing to stop HTTP impersonation attacks.
posted by pwnguin at 11:36 AM on February 15, 2011
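
An added example, not part of the post above: a Python check over the redirect chain a browser follows after someone types mint.com, flagging the three outcomes the answer describes (never upgraded to HTTPS, sent to a near-miss hostname such as mlnt.com, or upgraded but left to try HTTP first on the next visit). The helper names, the edit-distance threshold and the hop lists are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_chain(expected_host, hops):
    """Audit a navigation chain (hypothetical helper).

    hops: list of (url, status, headers) in the order the browser saw them.
    Returns a list of finding strings; an empty list means nothing was flagged.
    """
    findings = []
    final_url, _status, final_headers = hops[-1]
    final = urlsplit(final_url)
    host = (final.hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    if final.scheme != "https":
        findings.append("no-upgrade: final page was served over plain HTTP")
    if bare != expected_host:
        # A distance threshold of 2 is an assumption chosen for this example.
        near = edit_distance(bare, expected_host) <= 2
        kind = "lookalike-host" if near else "unexpected-host"
        findings.append(f"{kind}: ended on {host}, expected {expected_host}")
    headers = {k.lower(): v for k, v in final_headers.items()}
    if (final.scheme == "https" and bare == expected_host
            and "strict-transport-security" not in headers):
        findings.append("no-hsts: the next typed visit will try HTTP first again")
    return findings

# Constructed hop lists for illustration; not captured traffic.
GOOD = [("http://mint.com/", 301, {"Location": "https://www.mint.com/"}),
        ("https://www.mint.com/", 200,
         {"Strict-Transport-Security": "max-age=31536000"})]
STRIPPED = [("http://mint.com/", 200, {})]
LOOKALIKE = [("http://mint.com/", 302, {"Location": "https://mlnt.com/"}),
             ("https://mlnt.com/", 200, {})]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("stripped", STRIPPED),
                        ("lookalike", LOOKALIKE)):
        print(name, audit_chain("mint.com", chain))
```

A valid certificate on the final hop does not clear the lookalike finding: the certificate only proves the server controls the name it was issued for, which here is not the name that was typed.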


You have to assume that everything you do on a public wireless connection is being captured by someone. There is no way to tell when this is happening.

In addition to the measures suggested above (particularly HTTPS Everywhere), the first thing I would do is change my bank, Mint.com, and email passwords before proceeding.
posted by ErikaB at 11:39 AM on February 15, 2011


Please be aware that SSL, the Secure Sockets Layer, is hackable and take precautions, which are outlined in the bottom part of the cited article. This is a classic example of the "Man In The Middle" attack, which we were taught about in Network Security Class.
posted by Lynsey at 12:04 PM on February 15, 2011


Or, on preview, what Rhomboid said....
posted by Lynsey at 12:04 PM on February 15, 2011


There's no easy way to tell if someone is sniffing your connection & copying your sessions. There are ways but they're definitely not simple & they're not foolproof. They involve messing about with false MAC addresses, DNS spoofing, these sorts of things. So you can cross that right off your list. Sorry.
posted by scalefree at 6:38 PM on February 15, 2011


Everything to answer your question has already been said, but I wanted to share something useful I found recently. It's called Sidestep. Basically, you set up a proxy via ssh tunnel, and if it detects your Mac is connected to an open wifi network (e.g. public library), it'll automatically activate the tunnel and everything will be sent securely to your proxy server.
posted by Tu13es at 7:01 AM on February 16, 2011


I realized my last post sounded kind of like an ad. I'm not associated with the developer or anything. It's just a really handy app!
posted by Tu13es at 7:02 AM on February 16, 2011

