How do I use public WiFi networking securely?
June 10, 2004 6:50 PM
Secure WiFi: given one's ability to find free wifi access in any reasonable downtown core, how does one go about using said access securely?
I don't much want my email password sniffed, f'rinstance, nor do I really relish the idea of my actual email contents being easily read by any savvy access owner.
I poked around at the Putty collection of tools. It looks like it should let me have an SSH tunnel. It isn't obvious to me how to set it up, nor does it look automated enough; indeed, I think it's going to want me to log in via telnet first.
And I'm not sure a tunnel is what I need. I don't care about the authorization part of things so much: I just want my data encrypted between keyboard and mailserver.
Really, it wouldn't hurt my feelings any if all my dataflow from source to destination were encrypted all the way. I don't see why this post, f'rinstance, should be transmitted plaintext to AskMe. (And perhaps it isn't; maybe TCP/IP is doing some de/compression at either end, though it wouldn't be secure.)
I currently use Opera's M2 email, mainly for the kick of trying something a little different. I can swing back to Pegasus in a heartbeat. I can access my email using a website, too, but I really don't like that.
"I'm not sure a tunnel is what I need....I just want my data encrypted between keyboard and mailserver."
Sounds to me like what you want is exactly a tunnel. The problem with tunnels is that they have two ends. You need somewhere to tunnel to! Services like that one Matt mentions -- providing a tunnel endpoint for a fee -- are a pretty fair idea but only so long as you actually trust them. I wouldn't, but that's a personal problem.
Me, I just tunnel home and connect from there. I take a bit of a performance hit, but I'm going to a trusted endpoint. When a tunnel's too much effort or I just need to take care of something quickly, I use a webmail client over SSL for email and an SSL-based web proxy for browsing.
If you're just talking about email, here, you'll find that you can do that over SSL. Most POP and IMAP software supports connectivity via SSL, and it's not terribly hard to find an SMTP server that'll do it. Of course, that implies you have some power of selection over who provides your email and how, or that you run your own services.
posted by majick at 7:32 PM on June 10, 2004
Response by poster: My email is provided through Simon Fraser University (www.sfu.ca). They have some instruction for SSL, but I don't grok it completely.
I'd like this to be a TSR or Win2k service type of program, so that once it's set up I don't have to jump through hoops to get my email. And if my email client can be completely blind to what's going on, that'd be a bonus: it'd let my simple little taskbar notifier keep ticking along.
What does "SSL web proxy" mean? Hell, for that matter, what's a proxy? (I know: it's a go-between; but how?)
I'm probably being far too dumb about this. I know a lot, I probably just have to spend a couple hours firming up that knowledge and experimenting. It's just that I don't want to: I just want to get back to work...
posted by five fresh fish at 8:46 PM on June 10, 2004
Response by poster: Say... I do have a BSD boxen that I could very likely use as a proxy...
posted by five fresh fish at 8:47 PM on June 10, 2004
Related question...
What if one runs a software firewall ala ZA on their machine when using said free wireless hotspot? Surely that offers a modicum of protection. No?
posted by damnitkage at 12:37 AM on June 11, 2004
A firewall serves a different purpose. It regulates the traffic coming in and out of it. It protects against intruders. But it has nothing to do with encryption. The rest of the Internet is still on the outside of your firewall, and while your traffic is traveling on that side of the firewall it's wide open to snoopers unless you add encryption.
posted by nakedcodemonkey at 1:22 AM on June 11, 2004
Response by poster: Opera has the following applicable options:
[x] Secure Connection (TLS)
Authentication [Auto [v]] -- which includes:
AUTH CRAM-MD5
APOP
AUTH LOGIN
Plaintext
None
I'm guessing I want TLS turned on, and authentication set to CRAM-MD5?
posted by five fresh fish at 10:39 AM on June 11, 2004
Response by poster: Which, alas, results in "TLS is not available on this server. To get mail from this server you need to disable the secure connection. [Server response:-ERR Command not enabled]"
Poop.
posted by five fresh fish at 10:40 AM on June 11, 2004
Response by poster: Whoohoo! It worked!
Pegasus Mail helpfile had the key I needed: set the port to 995.
So it looks like I'm using POP3 SSL/TLS on port 995, have accepted a certificate from the SFU server, and I *think* I can use the AUTH CRAM-MD5 authentication.
What I want now is assurance that what I've got going is, indeed, secure: encrypted password and data transfer, such that they aren't readable/decodable by the system I'm stealing WiFi service from.
(Alas, looks like I'll lose the traybased mailchecker; it doesn't do SSL.)
posted by five fresh fish at 10:58 AM on June 11, 2004
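Added example, not part of the thread: a Python sketch of what each of the authentication options listed above (Plaintext, AUTH LOGIN, APOP, AUTH CRAM-MD5) puts on the network when the connection is not wrapped in TLS, and whether a listener on the access point would see the password itself. The account name, password and server timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac


def plaintext(user, password):
    # "Plaintext": POP3 USER/PASS, the password crosses the network as typed.
    return [f"USER {user}", f"PASS {password}"]


def auth_login(user, password):
    # AUTH LOGIN: base64 is an encoding, not encryption; anyone can decode it.
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return ["AUTH LOGIN", enc(user), enc(password)]


def apop(user, password, banner_timestamp):
    # APOP (RFC 1939): MD5 over the greeting timestamp followed by the password.
    digest = hashlib.md5((banner_timestamp + password).encode()).hexdigest()
    return [f"APOP {user} {digest}"]


def cram_md5(user, password, challenge_b64):
    # CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password over the challenge.
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return ["AUTH CRAM-MD5", base64.b64encode(f"{user} {digest}".encode()).decode()]


def password_readable(lines, password):
    # True when the password is on the wire literally or as plain base64.
    b64 = base64.b64encode(password.encode()).decode()
    return any(password in line or b64 in line for line in lines)


def compare_options(user, password, timestamp):
    # Without TLS: which options hand a listener the password itself?
    challenge = base64.b64encode(timestamp.encode()).decode()
    sent = {
        "Plaintext": plaintext(user, password),
        "AUTH LOGIN": auth_login(user, password),
        "APOP": apop(user, password, timestamp),
        "AUTH CRAM-MD5": cram_md5(user, password, challenge),
    }
    return {name: password_readable(lines, password) for name, lines in sent.items()}


if __name__ == "__main__":
    # Constructed sample account and server timestamp, not from the thread.
    for name, exposed in compare_options(
            "fff", "s3cret-Pass", "<1896.697170952@mail.example.org>").items():
        print(f"{name:14} password readable by a listener: {exposed}")
```

APOP and CRAM-MD5 keep the password itself off the wire but leave the retrieved mail unencrypted; on the port 995 SSL/TLS connection the whole exchange, login and messages alike, travels inside the encrypted channel, provided the accepted certificate really belongs to the mail server.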
posted by mathowie at 6:59 PM on June 10, 2004