Thursday, March 13, 2008

Regarding BusinessWeek's: "Public Wi-Fi: Be Very Paranoid"

Okay people... Just because a wireless network is encrypted, does not mean it is secure.

Long story short: use public wi-fi, but use it with the security technologies that you should be using on the Internet anyway.

If you are on a network and not using encryption for your communications (SSL/HTTPS for web browsing or a VPN to your corporate network... or SSH to communicate with a server), everybody on that same network can view every one of your packets. NONE of it is secure with your network neighbors!

In the column Public Wi-Fi: Be Very Paranoid on BusinessWeek.com, Mr. Wildstrom points out that many public networks use no encryption methods. They don't use WEP, they don't use WPA, they don't use WPA2. He points this out as a liability in using these networks, saying that if you're using an unencrypted network that you shouldn't use any unsecured service (don't use HTTP for instance, but you can use HTTPS). Let's break this down... What is the point of encrypting a network connection? The idea behind WEP and its brethren is to prevent prying eyes that don't have access to the network from viewing the traffic. This is the extent that it protects you. If you are able to stroll into an airport and get encrypted access to the network, so can a thief. Encryption on a wireless network is no more secure than agreeing with a friend that you're going to write emails in double pig-latin (okay, its a bit more secure than that... but not much more).

Mr. Wildstrom then goes on to say, "So don't send or even read messages unless you are prepared to share them with the world." Truth be told ... Email is insecure regardless of the type of network that you are on because all of the transit of messages between SMTP servers is done with unencrypted plain-text transactions. So if you have private information in your email, that you haven't encrypted, you're open for a heap of trouble anyway.

When you share information on a public network (whether it is "encrypted" with WEP/WPA/WPA2 or not) you share it with everyone else who is on the network at that time. That's because your information is encrypted with the same key that everyone else's information is encrypted with.

To say that a public network with encryption is secure is like saying that as long as you have a deadbolt on your front door you're secure. You may say, "well, sure, I'd say that." Simple fact is that, in this analogy, everybody has the same deadbolt key. Feel safe still?

If you want security, you need to use security tools (VPN, SSL/HTTPS, SSH, etc). If you don't use these tools, you're not secure, regardless of whether the network is unencrypted or using WPA2.

0 Comments:

Post a Comment

<< Home