Secure Wireless Internet
September 30, 2006 1:14 PM   Subscribe

How can I make a wireless internet connection as secure as possible? This question is actually for my father, whose practice is set up in a building that offers free wireless access to its tenants.

His computer already has a wireless modem, so he's set up to use the service, but he feels very uncomfortable about it. He needs his messages to be VERY secure. He does evaluations for social security and the interviews he does are generally packed with lots of personal information. He'd like to be able to email things back and forth from his work computer and his home computer, but is uncomfortable with the idea of broadcasting other peoples troubles in a fashion that might be in any way accessible to the unscrupulous or nosy. Help me make my dad's life easier!
posted by Sara Anne to Computers & Internet (12 answers total) 2 users marked this as a favorite
If the wireless access point supplying his Internet connection is not providing WEP or WPA type encryption (or something similar like LEAP), he won't be able to automatically encrypt packets over the air, of the wireless network. He could use something like SSH or SSL to create securely encrypted tunnels over the wireless network and Internet, to appropriately configured servers on the Internet. In that case, his packets could still be "read" by anyone else with access to the wireless network, but their data contents, being strongly encrypted, would still be meaningless to anyone without the SSH or SSL cryptography keys.
posted by paulsc at 1:35 PM on September 30, 2006

WPA2 is the safest commercially available level of security for wireless networking.

The military use VPN technology to encrypt at the application level — this is similar to running a SSH tunnel between the laptop and a central network.

Does the IT service at SSA provide a VPN your dad can connect to with his laptop, to access the SSA email service?
posted by Blazecock Pileon at 1:44 PM on September 30, 2006

This question is actually for my father, whose practice is set up in a building that offers free wireless access to its tenants

I'm a little unclear about how he's getting his Internet and\or wireless.

His computer already has a wireless modem...

If his building is supplying the connection why does he need a modem? Do you actually mean a wireless network card?

Is his building supplying a wired connection and he's using his own wireless router or is he connecting directly to the building's wireless network? If it's the latter, there's not much he can do. When you connect to someone else's network your traffic is only as secure as thier network. There are a handful of more advanced things he could do like paulsc suggested, but it doesn't sound like he's technical enough to set them up properly.
posted by bda1972 at 1:48 PM on September 30, 2006

As others have said, securing the network is a losing game. Presumably he's using some ISP to send these mails anyways and that will go out unencrypted across the Internets.

He'd like to be able to email things back and forth from his work computer and his home computer, but is uncomfortable with the idea of broadcasting other peoples troubles in a fashion that might be in any way accessible to the unscrupulous or nosy.

If that is the real issue - moving stuff back and forth between two computers then...

1) Setup a secure account somewhere where he can upload/download stuff that is accessible from both computers. Using ssh or equivalent for the transfer. Dont use email for this.

2) Get him a small USB flash drive so he can physically carry the documents he needs to work on back and forth.
posted by vacapinta at 1:59 PM on September 30, 2006

Personally, I would just encrypt the data, then you wouldn't need to worry about the connection. There are plenty of ways to do that, and it might be easier in the long run.
posted by -t at 2:11 PM on September 30, 2006

Whew, this thread ranks right up there for confusion-to-newbie factor, and I may have contributed to that, right off the bat. Let me try, again.

If the building is supplying the kind of open access WiFi network commonly found in Internet cafes and bookstores, they are probably not requiring passwords, and their WiFi access points provide no encryption of network packets. Most commercial landlords, if they offer WiFi, do it this way, because setting up a secured WiFi network results in lots of tech support calls from people with older, perhaps incompatible WiFi cards or software. And frankly, the older version of WEP have proven so poor, that supposedly "secure" WEP connections can be snooped by strangers in about 5 minutes. So, there's that, contributing to your Dad's reasonable concern. In such cases of unsecured WiFi networks, since your Dad doesn't own or manage the equipment that is providing his WiFi access, he can't "turn on" its encryption features to work with his card's compatible encryption features, and hence, there is no way he can count on his over the air WiFi packets not being snooped. (Both ends of an encrypted connection have to cooperate in operation, to keep a secured connection secure).

However, if they've given your Dad a passphrase and encryption method, or specified clearly the WiFi cards likely to work with their network, they may be providing encryption. I doubt this is what they are doing, but it is possible, if fairly rare. It's likely he'd also have been given a toll-free support number for asking questions about getting his WiFi connection working, since a secured network can deny connection attempts from unauthorized people. But, it's also possible, though even rarer in my experience, that your Dad's landlord is supplying both unsecured public access WiFi network connectivity as a convenience to tenants and their visitors, and secured WiFi access to the Internet, which would require the passphrase and setup previously mentioned.

But even if your Dad could count on a local WiFi network encrypting his wireless connection, that encryption is only good for the portion of the journey packets take from remote Internet servers, to your Dad's computer, that happens within his building's WiFi network zone. It does nothing to protect the sanctity of that information as it traverses the larger Internet. For that, the SSH and SSL tools I mentioned above are needed, as they provide end to end encryption of information from your Dad's machine to the trusted server with which he is communicating.

Blazecock Pileon is suggesting in his comment upthread, that your Dad find out if he can send his communication to the Social Security Administration using servers they have operating with SSL or SSH security tools, and I agree that this would be the likely best way to accomplish your Dad's goals for security and privacy. Any secure Web site they operate with SSL protection will automatically and painlessly establish securely encrypted session communication with your Dad's Web browser, which he can verify by seeing the "padlock" icon in the browser status bar. Of course, if they don't have such a server operating for the information he needs to send or file, that will be problematic. There is nothing he can do unilaterally, by common public key encryption methods, that will encrypt information to the SSA, that they can then use. So, he'll have to contact them for recommendations.

posted by paulsc at 3:07 PM on September 30, 2006 [1 favorite]

It is doubtful that he will be able to do anything to add security to the wireless network himself. Additionally, if the emails are too sensitive to go over a wireless network, they are probably too sensitive to travel over the internet unencrypted. To encrypt his emails he could use something like Enigmail for Thunderbird. Also, he might be interested in using something like truecrypt to encrypt files on his computer.
posted by joelr at 6:01 PM on September 30, 2006

To move sensitive information from one computer to another over the Internet, you absolutely need some kind of end-to-end encryption so that data sniffed en route is useless to the sniffer.

If he's not already using encrypted email, he should be just as concerned about any mails he sends from home as he is about mails he sends from his office. So, seconding paulsc's suggestion about contacting the Social Security Administration's IT people.

If all he wants to do is move stuff between home and office computers without making it available to sniffers en route, the simplest and most foolproof way I can think of is to add both those computers to a virtual private network using Hamachi.
posted by flabdablet at 6:10 PM on September 30, 2006

I think flabdablet is right. If your dad is really handling information as sensitive as he says, then the SSA guys should already have some system in place--or maybe your dad shouldn't be taking this information home??

To answer the question you asked, the wireless network should at a minimum use WPA--preferably WPA2--with a long-ass password.

From the Wikipedia entry on WPA:

However, the weak passphrases users typically employ are vulnerable to password cracking attack. Password cracking can be defeated by using a passphrase of at least 5 Diceware words or 14 completely random letters with WPA and WPA2. For maximum strength, 8 Diceware words or 22 random characters should be employed.

posted by Brian James at 6:18 PM on September 30, 2006

By the way: even without Enigmail, Thunderbird has an encryption facility built in. It's based on the S/MIME standard and may have a better chance of interoperating with corporate mail clients than the tree-hugging hippie communist GPG-based Enigmail does.

Here's how I found out how to use it.
posted by flabdablet at 6:20 PM on September 30, 2006

Use pgp to move data via email. This is the best way. Make sure the laptop is locked down with a software firewall (zonealarm is good for that). Make sure any important information he transmits over the internet is via secure sites (if it's not previously encrypted via pgp).
With information this important the "last leg" of wireless to the laptop is inconsequential, as you have to assume the entire internet is unsecure.
posted by defcom1 at 7:19 PM on September 30, 2006

Good luck getting anyone at SSA to set up S/MIME or any public key cryptography app, for use with any mail client. They do super just to get my brother's disability check direct deposited every month.

Any encryption solution, by definition, only works if the parties on both ends cooperate in the complimentary steps of encryption and decryption. So, find out first what the SSA supports, and how to use it. They handle personally identifiable information all the time, and they certianly have preferred ways of moving it. He may not have to "do" anything, if the services to which her father is supplying information are already set up with Web servers and SSL, and he has any recent browser.
posted by paulsc at 7:56 PM on September 30, 2006

« Older Ajax design tips   |   How to access broadband from rural locations in... Newer »
This thread is closed to new comments.