I'm being sniffed!
June 19, 2008 6:54 AM
Should I worry about a WiFi access point owner spying on me?
When using a public Wifi access point, should I assume that the owner of it could be viewing all of my traffic as it passes through? If so, does viewing encrypted content (e.g. https pages) help at all?
Oh, and I believe https pages are as secure as https pages usually are, although maybe someone else knows differently.
posted by the dief at 7:07 AM on June 19, 2008
Yes, you should assume that they are viewing all your traffic. Although they probably lack the desire, they certainly have the ability to do so.
Viewing sites that use encryption (SSL/HTTPS) will help a good deal but it is not a perfect solution in all cases. Bear in mind that the URL (address) of the site you visit is itself not encrypted. You may or may not be concerned that the access point owner knows what sites you visit, but more importantly, poorly-designed sites sometimes pass sensitive information (passwords, credit card numbers) in the URL itself and will therefore be visible.
posted by tomwheeler at 7:12 AM on June 19, 2008
poorly-designed sites sometimes pass sensitive information (passwords, credit card numbers) in the URL itself and will therefore be visible.
Absurdly poorly designed...I have never actually come across a website so foolish as to pass a credit card number in the URL.
The access point is just one more hop in what is a chain of people who can view your traffic as it passes through. I might be more afraid of AT&T than Jim-Bob's Coffee Hut.
posted by Bokononist at 7:23 AM on June 19, 2008
Best answer: Viewing sites that use encryption (SSL/HTTPS) will help a good deal but it is not a perfect solution in all cases. Bear in mind that the URL (address) of the site you visit is itself not encrypted. You may or may not be concerned that the access point owner knows what sites you visit, but more importantly, poorly-designed sites sometimes pass sensitive information (passwords, credit card numbers) in the URL itself and will therefore be visible.
This isn't true. With HTTPS the query string is encrypted, so even if a (rather irresponsible) site passed sensitive information, it couldn't be easily plucked from the request. They could see the host name and that's it.
There are risks with using an open WiFi, even if connecting to a secure site, but they are much less than connecting to an insecure site.
See also:
http://ask.metafilter.com/64929/How-safe-is-public-wifi-and-how-to-make-it-safer
posted by justkevin at 7:24 AM on June 19, 2008
Best answer: For the most part all your https traffic is safe. Everything else is fair game. You can use something like a vpn or ssh tunnel (or anything that supports SOCKS) to encrypt your web traffic.
Also the owner of WAP can see what DNS requests you make. So even if he can't see the contents he knows what list of sites you went to. Off the top of my head I'm not sure if SOCKS uses local or remote DNS by default. Most VPN solutions use the local DNS.
Also because he has control of your DNS he might be able to fool your browser into thinking ebay.com exists somewhere else. You might not even notice that there's no https authentication until after you've typed in your password. The same is true for your banking site. Now he has your username and password.
On top of it all, he can manipulate the traffic any way he likes. Sometimes maliciously, sometimes humorously.
I don't usually surf in public without going through a remote encrypted SOCKS proxy. I consider that the minimum to be remotely safe.
posted by damn dirty ape at 7:28 AM on June 19, 2008 [1 favorite]
The risk isn't just from the router's owner. You're broadcasting your traffic and even passing robots can listen in.
Setting up a VPN on your home machine and connecting to it (or just SSH tunneling your web traffic if you're just doing web stuff) takes the risk out of using public wifi -- the wifi admin can see that you're pumping however many megabytes of encrypted traffic to your home box, but can't know anything about its content or real destination. (This becomes equivalent to surfing at home; as Bokononist notes, this has its own risks.)
posted by Zed_Lopez at 7:58 AM on June 19, 2008
Not just the owner - your traffic is sent out unencrypted in all directions. Anybody within WiFi range of your laptop can also pick up all your traffic.
HTTPS will keep you safe as long as you're cautious. It's still possible for people to fool your computer into connecting to a phony HTTPS server, but you'll receive a pop-up error telling you the certificate doesn't match, so if you see errors like that, watch out. Also, people who are trying to intercept your traffic can block and break your HTTPS connections and try to force you to get frustrated and switch to HTTP.
posted by pocams at 7:59 AM on June 19, 2008
In addition to the networking side which everyone above me has covered well, there's also the social side. Unless you're quite paranoid (/security-conscious), a public access point designated by a provider (aka starbucks, airport, municipality...) should probably be worry-free. These people can gain a lot more money by not sniffing passwords.
It's only the random home networks that are open which should cause concern. And let's be honest, 90% of those are due to poor configuration by users, and 50% of the remainder are people like me who think of leaving open wifi as good karma.
(it's easy enough to secure the admin / port&rate-limit any computer that isn't yours - just put up a splash-screen saying 'no illegal crap' for them, and let 'em browse)
posted by Lemurrhea at 8:01 AM on June 19, 2008
Lemurrhea: "In addition to the networking side which everyone above me has covered well, there's also the social side. Unless you're quite paranoid (/security-conscious), a public access point designated by a provider (aka starbucks, airport, municipality...) should probably be worry-free. These people can gain a lot more money by not sniffing passwords."
actually, I'm going to go the other way on that one. No, of course starbucks isn't really going to sniff your passwords. But if I was an evil hacker who wanted to sniff passwords, I'd go to a starbucks wifi point because there'd be so many targets.
posted by sharkfu at 8:10 AM on June 19, 2008
the dief: "Should you assume this? Yes, absolutely. Will they be? Probably not.
If you're really paranoid about it, consider installing Tor."
Just a heads up that Tor is private but not secure, as the embassies of several countries learned when using Tor for security. Tor is good for surfing websites your country might not approve of (say a political site when you're in China) or for surfing sites that are actively blocked by a country firewall. It's not good for logging in to private accounts that aren't protected by SSL. Even then, there were (unconfirmed) reports of a Tor exit node doing MITM attacks on SSL.
posted by sharkfu at 8:14 AM on June 19, 2008
It's much more likely that other wireless users in the area are viewing your traffic than the owner of the network.
Ditto. I remember sitting at a hotel conference and firing up Ethereal. I was able to "view" what everyone was doing online. It was boring because Ethereal doesn't really serve up the packets into meaningful forms like web pages, but it clued me in on how seriously I should take my own security at public spots.
posted by crapmatic at 8:47 AM on June 19, 2008 [1 favorite]
Best answer: Yes, you should be assuming that all your traffic is monitored. It's trivially easy to fire up a packet sniffer, put your WiFi card into promiscuous mode, and suck down all the traffic going to a WiFi AP.
If you are doing anything even the least bit sensitive (setting aside whether you should be using public AP's at all), you should be encrypting all your communications. Make sure you're connecting to your email servers using SSL, or use webmail via https:// instead of plain old http://.
If you want to get a little fancier, you can do what I do: get an old computer and set it up at home, running Linux, and give it a dynamic hostname, and turn on SSH access. Then install an SSH client on your travel computer. Whenever you connect to a public AP, immediately use the SSH client to connect to your server at home with the "SOCKS Forwarding" option. Then tell all your applications (Firefox, AIM, etc.) to use the localhost's SOCKS proxy.
This pushes all your traffic through an encrypted pipe to your computer at home, where it's then dumped onto the public 'net. It adds some overhead to web browsing (it will lengthen the roundtrip ping significantly, depending on where you are in relation to your house), but if you have a decent broadband connect at home it's not bad. Just don't use it for big file transfers, or you'll max out your transfer at home.
posted by Kadin2048 at 10:17 AM on June 19, 2008
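On the local-versus-remote DNS question raised earlier in the thread for the SSH SOCKS setup described above, this added example (not part of the original thread) builds the two forms of a SOCKS5 CONNECT request from RFC 1928: one carrying an IP address the client resolved itself, one carrying the host name for the proxy to resolve. The host `mail.example`, its address and the `HOTSPOT_DNS` table are constructed stand-ins so the code runs offline.

```python
import ipaddress
import struct

# Constructed stand-in for the hotspot's DNS server, so the example runs offline.
HOTSPOT_DNS = {"mail.example": "192.0.2.10"}

def socks5_connect(host, port, remote_dns, dns_log):
    """Build a SOCKS5 CONNECT request (RFC 1928) for host:port.

    remote_dns=False: the client resolves the name first; the lookup is recorded
    in dns_log because it crosses the local network outside the tunnel.
    remote_dns=True: the name travels inside the request and the proxy resolves it.
    """
    head = b"\x05\x01\x00"                       # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name           # ATYP=3: domain name
    else:
        dns_log.append(host)                                 # query visible on the WiFi
        addr = b"\x01" + ipaddress.IPv4Address(HOTSPOT_DNS[host]).packed  # ATYP=1
    return head + addr + struct.pack("!H", port)

def parse_socks5_request(req):
    """Return (address_kind, destination, port) for a SOCKS5 CONNECT request."""
    if req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 1:
        kind, dest, rest = "ipv4", str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == 3:
        n = req[4]
        kind, dest, rest = "domain", req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == 4:
        kind, dest, rest = "ipv6", str(ipaddress.IPv6Address(req[4:20])), req[20:]
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", rest)
    return kind, dest, port

def compare(host="mail.example", port=993):
    """Show both request forms and which host names leaked to local DNS."""
    result = {}
    for label, remote in (("local_dns", False), ("remote_dns", True)):
        leaked = []
        req = socks5_connect(host, port, remote, leaked)
        result[label] = {"request": parse_socks5_request(req), "dns_leaked": leaked}
    return result

if __name__ == "__main__":
    for label, info in compare().items():
        print(label, info)
```

Which form a client emits is a client-side setting: for example curl's `--socks5-hostname` (or a `socks5h://` proxy URL) and Firefox's `network.proxy.socks_remote_dns` preference select proxy-side resolution.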
Best answer: Using public WiFi is equivalent to being in a crowded room and shouting to your friend across the room. In general most people don't care about what you're saying, but imagine each one of them has a tape recorder, and a camera. Now would you be more careful about what you shout?
posted by blue_beetle at 11:35 AM on June 19, 2008 [2 favorites]
Echoing the sentiments of many others in the thread, you are probably much more at risk from other people on the network than the access point owner.
Like crapmatic, I was playing with Ethereal a few years ago, and I accidentally got way more information about my co-workers than I wanted. Passwords, bits of instant message traffic, web addresses, all sorts of stuff. And I only let it scan for about ten or fifteen minutes.
Knowing this, when I'm on a public network, I'm extremely cautious about going anywhere I wouldn't want everyone in the room to know I'm visiting.
posted by quin at 3:03 PM on June 19, 2008
I have Hamachi on my laptop and my Web/mail server at home. The home machine is running an HTTP proxy (squid) and a SOCKS proxy (antinat). All my apps on the laptop are configured to go through that machine over Hamachi.
I do keep one Web browser that's not configured to use the proxy so I can get past the portal screen on certain access points. Currently I use Safari for that. If you use IE, run it using SandboxIE.
posted by kindall at 3:39 PM on June 19, 2008
If you're really paranoid about it, consider installing Tor.
posted by the dief at 7:06 AM on June 19, 2008