There are, of course, privacy and security risks
involved in using Wi-Fi on public wireless networks, such as the
hotspots found in many airports or cafes. While the convenience is a
blessing, it can also be a curse. It’s important to keep your guard up,
even if you’re relaxing on vacation, bored out of your mind on a
layover, or trying to maximize your productivity on a business trip.
Should you use the Wi-Fi at the airport or at a hotel? First, consider
these points.
Any data transferred between a user and a Website using an HTTPS address (note the “s” at the end of “http”) and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.
However, eavesdroppers can capture Web traffic on other sites that use the unsecured HTTP address. For most people this isn't a problem. If you’re just passively viewing sites--checking the news or sports scores, for instance—you’re fine. Your risks increase, however, if you must login to sites that aren’t secured. Even if the site isn't all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.
Since e-mail is the thing we are most often inclined to check from our Wi-Fi-enabled devices, it’s important to realize that Web-based e-mail providers, such as Google and Yahoo, do not use HTTPS/SSL encryption for e-mail access by default (although Google recently announced plans to do so). This means that Wi-Fi eavesdroppers can potentially capture your log in details, as well as see your e-mail messages.
In addition to Web browsing, other services including POP3 or IMAP e-mail and FTP file transfers are vulnerable to Wi-Fi eavesdroppers. Services like these transfer their data in clear-text, including the login credentials. Most of these services can be secured with SSL encryption, which would mean they were protected from Wi-Fi snooping; however, most users do not secure their data, which leaves the login credentials and messages vulnerable to eavesdroppers when accessed via a POP3/IMAP e-mail client, such as Microsoft Outlook, over an unsecured network.
In addition to eavesdroppers being able to capture the traffic transferred over the airwaves, they could also potentially connect to a user’s laptop or other Wi-Fi device. Windows XP users, for instance, are vulnerable if they have configured their system to share any folders because those folders will also be shared on public networks, where other hotspot users can access them if they aren't password-protected.
Using the personal PSK mode of WPA/WPA2 would require that the encryption key to the network be made public, thus essentially making it just as insecure as an unencrypted network. However, the Enterprise mode can use usernames and passwords for controlling network access thereby hiding the encryption keys to the network.
Since usernames and passwords, however, must be created and managed for the Enterprise mode, it doesn't make the mode all that practical for free, public networks. Even for hotspots that do require user accounts, each user would then also have to configure the 802.1X login settings themselves. This would create an unwieldy support issue for the hotspot owner. Additionally, the hotspot owner would have to setup an authentication (RADIUS) server to provide the 802.1X capability.
To make WPA/WPA2-Enterprise with 802.1X a real viable option, the hotspot owner would have to craft a custom solution. One of the few hotspot providers to provide this level of protection is T-Mobile, which uses multiple SSIDs, a captive portal, and client software to make a user-friendly solution.
Even with encryption on the network, though, user devices and their shared files can still be vulnerable to other devices within range. Fortunately, it's easy for most hotspot owners to provide the necessary protection. Hotspot gateways and even most normal wireless routers or access points (APs) have a feature that can be enabled to block communication between hotspot users. That way, users can’t access the file shares from people who forgot—or didn’t know—to disable them while on the public network. There are many names for this feature, such as “WLAN partition,” “Layer-2 isolation,” and “AP isolation.”
Once you’ve chosen a VPN client, the next step is to ensure that other users can't connect to your laptop or access any shared folders on your Wi-Fi-enabled device. Windows Vista or Windows 7 users can simply select the Public network type after connecting and Windows will automatically disable sharing. However, Windows XP users must manually disable sharing via the Network Connection Properties window. Users should also ensure they have a personal firewall utility, such as Windows Firewall, enabled to block any hacking attempts.
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, including Wi-Fi Hotspots: Setting Up Public Wireless Internet Access (Cisco Press).
What are the real security risks?
To make a sound choice, it’s important to understand what's really at stake when using public wireless networks. Can eavesdroppers see your banking details? E-mails? Usernames and passwords? The answer is…it depends.Any data transferred between a user and a Website using an HTTPS address (note the “s” at the end of “http”) and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.
However, eavesdroppers can capture Web traffic on other sites that use the unsecured HTTP address. For most people this isn't a problem. If you’re just passively viewing sites--checking the news or sports scores, for instance—you’re fine. Your risks increase, however, if you must login to sites that aren’t secured. Even if the site isn't all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.
Since e-mail is the thing we are most often inclined to check from our Wi-Fi-enabled devices, it’s important to realize that Web-based e-mail providers, such as Google and Yahoo, do not use HTTPS/SSL encryption for e-mail access by default (although Google recently announced plans to do so). This means that Wi-Fi eavesdroppers can potentially capture your log in details, as well as see your e-mail messages.
In addition to Web browsing, other services including POP3 or IMAP e-mail and FTP file transfers are vulnerable to Wi-Fi eavesdroppers. Services like these transfer their data in clear-text, including the login credentials. Most of these services can be secured with SSL encryption, which would mean they were protected from Wi-Fi snooping; however, most users do not secure their data, which leaves the login credentials and messages vulnerable to eavesdroppers when accessed via a POP3/IMAP e-mail client, such as Microsoft Outlook, over an unsecured network.
In addition to eavesdroppers being able to capture the traffic transferred over the airwaves, they could also potentially connect to a user’s laptop or other Wi-Fi device. Windows XP users, for instance, are vulnerable if they have configured their system to share any folders because those folders will also be shared on public networks, where other hotspot users can access them if they aren't password-protected.
How can hotspot owners help?
To protect the Internet traffic of users on hotspots, hotspot owners could implement encryption on their public Wi-Fi network. Though the Personal or Pre-Shared Key (PSK) mode of Wi-Fi Protected Access (WPA/WPA2) encryption typically used in home networks isn't feasible for hotspots, the Enterprise mode can be.Using the personal PSK mode of WPA/WPA2 would require that the encryption key to the network be made public, thus essentially making it just as insecure as an unencrypted network. However, the Enterprise mode can use usernames and passwords for controlling network access thereby hiding the encryption keys to the network.
Since usernames and passwords, however, must be created and managed for the Enterprise mode, it doesn't make the mode all that practical for free, public networks. Even for hotspots that do require user accounts, each user would then also have to configure the 802.1X login settings themselves. This would create an unwieldy support issue for the hotspot owner. Additionally, the hotspot owner would have to setup an authentication (RADIUS) server to provide the 802.1X capability.
To make WPA/WPA2-Enterprise with 802.1X a real viable option, the hotspot owner would have to craft a custom solution. One of the few hotspot providers to provide this level of protection is T-Mobile, which uses multiple SSIDs, a captive portal, and client software to make a user-friendly solution.
Even with encryption on the network, though, user devices and their shared files can still be vulnerable to other devices within range. Fortunately, it's easy for most hotspot owners to provide the necessary protection. Hotspot gateways and even most normal wireless routers or access points (APs) have a feature that can be enabled to block communication between hotspot users. That way, users can’t access the file shares from people who forgot—or didn’t know—to disable them while on the public network. There are many names for this feature, such as “WLAN partition,” “Layer-2 isolation,” and “AP isolation.”
How can you protect yourself?
To secure any unencrypted Internet traffic that's sensitive (such as e-mail) on hotspots, the most simple, affordable solution is to implement a Virtual Private Network (VPN). Connecting to a VPN server or service would encrypt all of your Internet traffic, so local Wi-Fi eavesdroppers can’t capture it. One good free solution is AnchorFree's Hotspot Shield.Once you’ve chosen a VPN client, the next step is to ensure that other users can't connect to your laptop or access any shared folders on your Wi-Fi-enabled device. Windows Vista or Windows 7 users can simply select the Public network type after connecting and Windows will automatically disable sharing. However, Windows XP users must manually disable sharing via the Network Connection Properties window. Users should also ensure they have a personal firewall utility, such as Windows Firewall, enabled to block any hacking attempts.
It's up to you
Remember, when hotspot users are visiting secured sites (indicated by https) at hotspots, credit card and other sensitive information is completely safe from eavesdroppers. Users should be the most concerned about the security of their e-mail. Since it takes so much more effort for hotspot owners to encrypt their Wi-Fi networks, it makes the most sense for hotspot users to practice defensive computing: use a VPN, vary your usernames and passwords, learn how to adjust the sharing and privacy settings on your device, and don’t enter login information if you’re unprotected at a public hotspot.Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, including Wi-Fi Hotspots: Setting Up Public Wireless Internet Access (Cisco Press).
No comments:
Post a Comment