The average user has no idea of the risks associated with public Wi-Fi hotspots. Here are some very simple tips to keep network access secure.
My friend Philip is an expert at community activism and is a cracker-jack financial advisor as well. One thing he is not, however - and he would be the first to admit this - is a knowledgeable computer user. Oh sure, he can send emails and cruise the web, and use Word and Excel, but he doesn't really grok his computer. And one thing he especially doesn't know much about is security. He knows there are bad guys out there, and he knows that he should try to practice safe computing, but he just doesn't know how.
Recently we were talking during a financial meeting, and he remarked that he always felt nervous using his laptop at one of the many coffee shops here in St Louis that provide free wireless access. After I assured him that he should in fact be very nervous, I reassured him by saying that there were things he could do to protect himself in the local Panera or Kayak's. When he asked me what those things were, I told him I would write a SecurityFocus column that would answer that question. This column, therefore, is written for Philip and all the other average computer users out there who use Wi-Fi without understanding its inherent risks.
WEP and WPA
Most people know by now that they should connect to a wireless connection using one of two encryption technologies: either WEP or WPA. Sure, WPA is a heck of a lot better than WEP, but even WEP is better than nothing. However, that's what most coffee shops use: nothing. Free wireless is an add-on, so they want to keep costs low. WEP or WPA would add additional complications and expense, and additional customer support where none would be available, so most coffee shops just run their wireless wide open. That means that unless you're specifically given a WEP or WPA key to enter, assume that everything your computer is sending or receiving is sent in the clear. Meaning, anyone who knows what they're doing can see many of your passwords once you type them in. To use that wireless connection securely, then, you need to worry about the programs you're using to access the net. By and large, people do three things online: use the web, send and receive email, and IM friends and associates. Sure, lots of programs use the net in some way, but the three I just mentioned are the biggies, so let's focus on those.
When it comes to web browsers at the coffee shop, there's one big piece of advice you should follow: don't use Internet Explorer! Yes, Microsoft has released a preview of the beta of the forthcoming IE7, and it does look better in a lot of ways (although holes were found almost immediately upon its release, but hey, it's a preview of a beta), but that final release is still a long ways off. For now, use IE 6 only if you are absolutely forced to. So what should you use instead? Firefox, Opera - or Safari if you're a Mac user. All three are free, powerful, yet easy to use, and all are safer than Internet Explorer. I'm partial to Firefox (heck, I wrote a book about it), but you should be interested in Firefox for its excellent security record (especially when compared to Internet Explorer's truly abysmal security problems) and the extensions that help you secure the browser and your internet usage even more.
Once you have your browser open, use your head. Avoid we sites in which you're viewing or entering user names, passwords, account numbers, credit card numbers, social security numbers, and other sensitive data ... unless those sites use https instead of http. If you have to log in somewhere, but the web page's URL begins with https, then it's using a technology called SSL, and it's OK; if the URL begins with http, be careful. If you're just reading the news or sports scores, don't worry about it, but if you're working with sensitive data, do not view or enter information on those types of pages. If your company provides you with VPN access on your laptop, use it. That's a sure fire way to ensure that everything you send and receive is encrypted, and it makes your surfing much safer.
You can check your email in two ways: using a web browser, or using an email program running on your computer (like Outlook, Outlook Express, Apple Mail, Thunderbird, Eudora, and others). Let's talk about each of those in turn.
Email via Web Browser
There are companies that provide email primarily through web browsers, like Hotmail, Gmail, and Yahoo! Mail, but most ISPs who allow people to download their email using programs also provide access to that same email using web browsers. Most every web mail out there provides a secure (https) page for logging in to check your email, but that's it. Your password will be safe, but none of your emails. Reading and writing emails is done using plain ol' http, which means that everything is sent in the clear. Not good. I like Gmail a lot, but Gmail doesn't use https for reading emails (it does use it for logging in, though). To get around that, I installed the Customize Google extension for Firefox (and it only works in Firefox). Once the extension is installed, go to Tools, CustomizeGoogle Options. Go to the Gmail tab and make sure that "Secure (switch to https)" is checked. Press OK to close the window, and you're done. Now you'll log in to Gmail on an https page, and you'll read and send mail on https pages as well. I like this solution because you don't have to think about it again. All that said, you can switch to https once you're in Gmail by simply clicking in your address bar, changing the http to https, and then loading the page. Now everything is secure ... as long as you don't close your browser. If you do, you need to manually change to https again, and again. The Customize Google extension does this automatically, so it's a better solution.
Hotmail offers a "secure mode" that uses SSL, but by default you login at an insecure http page, just like you do with Yahoo! - which isn't good. For either service you can click on the tiny "Sign in using enhanced security" or "Submit over SSL" link that most people will never see, but why should anyone have to? C'mon, that should be the default, and http shouldn't even be an option! Worse than that, all other email actions - reading and writing - are strictly http only, with no possibility for https. That's pretty terrible. If you access mail through a web interface provided by your ISP, you need to look and see if it supports SSL. If you're not sure, call and ask them. If they support it, use it; if not, use something else. Personally, I'm very happy with Gmail. And hey, it's free!
Email via a program
Basically, you're vulnerable during two processes: when you're checking email (using something called POP3 or IMAP), and when you're sending it (using something called SMTP). If those connections aren't protected, then a bad guy can see your actual emails, which may contain sensitive or even just personal information, and he can also view the usernames and passwords you're using to log in to check or send email as well. You want to wrap both those processes in a secure wrapper like SSL (the same technology that protects your credit cards on https web sites) so that someone listening in gets gibberish and nothing else.
For instance, my email is through Pair, and they allow me to check it using SSL to encrypt both my username and password, and any email I download (one of the many reasons I recommend Pair to folks looking for a mail host). That means you need to call the company that manages your email - AOL, SBC, Earthlink, your cable company, etc, and ask them if they support secure POP3 (or secure IMAP). You can also try a Google search for "[your email company] secure pop3 email". Doing that, I found several different pages of instructions for AOL, for instance. If your email provider doesn't offer secure POP3 or IMAP, well, that's pretty close to unacceptable nowadays. I'd seriously consider moving to someone else. Or only use a web mail service like Gmail that does work with SSL when you're at the coffee shop. When it comes to sending email from a coffee shop, things get a bit more complicated. Many coffee shops, due to the way they've set up their networks, only allow you to send email using their ISP. Some of those ISPs might offer secure SMTP, but it's a sure bet that the guys and gals behind the counter making your coffee won't have the slightest clue what settings you should use. So what to do?
If you're really lucky, your ISP allows for secure SMTP and you can use that from the coffee shop. This probably won't work, though. In my case, Gmail to the rescue again. Yes, Gmail is a web-based email service, but you can configure your email program to send email securely using Gmail, which is fantastic. The Gmail Help Center has several pages devoted to showing you how to set up a wide variety of email programs so that they can send email securely using Gmail. In my experience, I have yet to be stymied when using this service. Give it a try.
AOL Instant Messenger (AIM) is the most popular IM program in the world. Unfortunately, all messages are sent completely wide open, so that anyone can read them. Not good at all. But MSN Messenger is the same. And so is Yahoo! Messenger. You could use Skype, which encrypts all IM messages, although that program - and its parent company - has its share of unanswered security questions. Not to mention, Skype is a totally closed system, so anyone you wish to IM with must also use Skype. The Gizmo Project is another contender (like Skype, it features its ability to make phone calls over the Net, but it will also IM), and the company claims that it offers secure IM, but its answers to questions about security are completely unacceptable, bordering on ignorant.
If you want to encrypt your IM conversations, there are many solutions out there. Most cost money, though some are free. Search Google for "im encryption" and you'll find plenty of things to check out. A solution I can recommend, however, is to use free IM software that supports encryption such as GAIM, an open source software project. GAIM runs on all the major operating systems, it's free, it's powerful, and, even better, it supports all the big IM networks. This means that you can use GAIM to talk to AIM users, MSN Messenger users, Yahoo! Messenger users, Google Talk users, and even more. Best of all, it supports protected messaging through the Gaim-Encryption plugin. Install that, and you can chat with other encrypted IM users, through whatever network you like, and the conversation will be secure. Other uses don't need to be using GAIM either, just a similar IM application that supports the same encryption. In a similar vein, Off-the-Record Messaging is another plugin for GAIM that will also encrypt IMs, no matter what network you're using. Either way, you're safe.
It's possible to use your laptop safely in a coffee shop, but you have to take a bit of responsibility for that security. You'll need to use your common sense, change a few habits, and perhaps install and use some new software. I know that this is a lot for most people, but aren't your private data and conversations worth it? And if you have any questions, you know who you can call. If you're a security professional reading this column, why not show it to the Philips in your life and offer your help; if you're a Philip, try the advice in this column, and feel free to ask the computer person in your life for aid. I know they'll be glad to help.See you at the coffee house!
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus