Tags:






How do I use public WiFi networking securely?
June 10, 2004 6:50 PM   RSS feed for this thread Subscribe

Secure WiFi: given one's ability to find free wifi access in any reasonable downtown core, how does one go about using said access securely?

I don't much want my email password sniffed, f'rinstance, nor do I really relish the idea of my actual email contents being easily read by any savvy access owner.

I poked around at the Putty collection of tools. It looks like it should let me to have an SSH tunnel. It isn't obvious to me how to set it up, nor does it look automated enough; indeed, I think it's going to want me to log in via telnet first.

And I'm not sure a tunnel is what I need. I don't care about the authorization part of things so much: I just want my data encrypted between keyboard and mailserver.

Really, it wouldn't hurt my feelings any if all my dataflow from source to destination were encrypted all the way. I don't see why this post, f'rinstance, should be transmitted plaintext to AskMe. (And perhaps it isn't; maybe TCP/IP is doing some de/compression at either end, though it wouldn't be secure.)

I currently use Opera's M2 email, mainly for the kick of trying something a little different. I can swing back to Pegasus in a heartbeat. I can access my email using a website, too, but I really don't like that.
posted by five fresh fish to computers & internet (12 comments total)
VPN is the way to go. I use HotSpotVPN (how it works) whenver I'm on a free network in a strange place to protect everything I do.
posted by mathowie at 6:59 PM on June 10, 2004


"I'm not sure a tunnel is what I need....I just want my data encrypted between keyboard and mailserver."

Sounds to me like what you want is exactly a tunnel. The problem with tunnels is that they have two ends. You need somewhere to tunnel to! Services like that one Matt mentions -- providing a tunnel endpoint for a fee -- are a pretty fair idea but only so long as you actually trust them. I wouldn't, but that's a personal problem.

Me, I just tunnel home and connect from there. I take a bit of a performance hit, but I'm going to a trusted endpoint. When a tunnel's too much effort or I just need to take care of something quickly, I use a webmail client over SSL for email and an SSL-based web proxy for browsing.

If you're just talking about email, here, you'll find that you can do that over SSL. Most POP and IMAP software supports connectivity via SSL, and it's not terribly hard to find an SMTP server that'll do it. Of course, that implies you have some power of selection over who provides your email and how, or that you run your own services.
posted by majick at 7:32 PM on June 10, 2004


See if your email provider has ssl-smtp and ssl-pop/ssl-imap.

If you want to encrypt everything, go with some VPN service like Matt mentioned.

If you have the skills you can setup a web proxy on your home pc, install an ssh server and make all port 80 requests go through the ssh tunnel.
posted by skallas at 8:34 PM on June 10, 2004


My email is provided through Simon Fraser University (www.sfu.ca). They have some instruction for SSL, but I don't grok it completely.

I'd like this to be a TSR or Win2k service type of program, so that once it's set up I don't have to jump through hoops to get my email. And if my email client can be completely blind to what's going on, that'd be a bonus: it'd let my simple little taskbar notifier keep ticking along.

What does "SSL web proxy" mean? Hell, for that matter, what's a proxy? (I know: it's a go-between; but how?)

I'm probably being far too dumb about this. I know a lot, I probably just have to spend a couple hours firming up that knowledge and experimenting. It's just that I don't want to: I just want to get back to work...
posted by five fresh fish at 8:46 PM on June 10, 2004


Say... I do have a BSD boxen that I could very likely use as a proxy...
posted by five fresh fish at 8:47 PM on June 10, 2004


>And if my email client can be completely blind to what's going on, that'd be a bonus

That's what ssl-pop is. Here's the deal. Someone took POP (or IMAP) and put encryption on it. So you tell outlook express (or whatever you use) to use SSL when you configure it to use your mail server.

You can try it right now. Change the settings and see if it will allow you to use SSL. If your university supports it, then your mailer will just use it transparently.

See these screenshots? Click on the SSL button. Ideally, you want both POP and SMTP to be using SSL. No one will be able to sniff your email or password then.

SSL = Secure Socket Layer. Fancy talk for encryption.

No need for tunnels or anything if your school supports it.
posted by skallas at 10:14 PM on June 10, 2004


Related question...

What if one runs a software firewall ala ZA on their machine when using said free wireless hotspot? Surely that offers a modicum of protection. No?
posted by damnitkage at 12:37 AM on June 11, 2004


A firewall serves a different purpose. It regulates the traffic coming in and out of it. It protects against intruders. But it has nothing to do with encryption. The rest of the Internet is still on the outside of your firewall, and while your traffic is traveling on that side of the firewall it's wide open to snoopers unless you add encryption.
posted by nakedcodemonkey at 1:22 AM on June 11, 2004


Opera has the following applicable options:

[x] Secure Connection (TLS)

Authentication [Auto [v]] -- which includes:
AUTH CRAM-MD5
APOP
AUTH LOGIN
Plaintext
None

I'm guessing I want TLS turned on, and authentication set to CRAM-MD5?
posted by five fresh fish at 10:39 AM on June 11, 2004


Which, alas, results in "TLS is not available on this server. To get mail from this server you need to disable the secure connection. [Server response:-ERR Command not enabled]"

Poop.
posted by five fresh fish at 10:40 AM on June 11, 2004


Whoohoo! It worked!

Pegasus Mail helpfile had the key I needed: set the port to 995.

So it looks like I'm using POP3 SSL/TLS on port 995, have accepted a certificate from the SFU server, and I *think* I can use the AUTH CRAM-MD5 authentication.

What I want now is assurance that what I've got going is, indeed, secure: encrypted password and data transfer, such that they aren't readable/decodeable by the system I'm stealing WiFi service from.

(Alas, looks like I'll lose the traybased mailchecker; it doesn't do SSL.)
posted by five fresh fish at 10:58 AM on June 11, 2004


Now you should try to secure SMTP (your outgoing mail) with ssl-smtp.

You can use a sniffer like ethereal to look at the packets on your computer. You should look up documentation on how to sniff your own connection.
posted by skallas at 4:16 PM on June 11, 2004


« Older I recall an application for th...   |   I am trying to download Proces... Newer »
This thread is closed to new comments.