WiFi Bleg!

I gotta question for y’all!

My current laptop is WiFi enabled, which allows me to take it to a large number of places and connect it to a large number of wireless networks. (Meaning: I don’t have to plug it into an ordinary modem in order to connect to the Internet. I can just sit in a Starbucks–or wherever–and blog or check my e-mail from there.)

When I’ve used this feature, however, I have often gotten messages telling me that the WiFi networks that are in range are "unsecured," and warnings appear telling me that data I send over the networks may be observed by others.

But I get similar warnings when I use normal, modem-based networks. (These are also generally observable except for unique, encoded transactions where I submit my passwords. Thus a snooper may observe what I am buying from Amazon.Com, but my password *itself* is in a uniquely encrypted bit of the transaction.)

So my question is: WHAT LEVEL OF SECURITY IS PROVIDED BY SUCH WIFI NETWORKS?

FOR EXAMPLE: If I type in my password for my e-mail account on a WiFi network, can other folks see that? Or is it like a normal web-based account where snoopers could see my e-mail but not the password I send?

Or can *anything* (password or not) be seen by a snooper? (In which case, why would ANYONE use an unsecured network to do ANYTHING?)

I’d appreciate whatever light on this question folks can shed.

If possible, PLEASE INCLUDE LINKS to where I can read more about the security processes in question!

Thanks much, folks!

Author: Jimmy Akin

19 thoughts on “WiFi Bleg!”

  1. Unsecure wireless networks have no security (encryption) added except data which is explicitly encrypted before it is sent through.
    Imagine being connected with a regular network cable. If someone were able to tap into the cable between your computer and your router, he would be able to see all the data you send. It is likewise if someone intercepts your unsecured wireless signals.
    But I wouldn’t worry about any of the passwords you enter. It is definitely standard practice to encrypt passwords in client server applications. You can feel safe that any major email app will encrypt the password before sending it to the server, otherwise it would not only be unsafe through a wifi connection but also through a regular wired connection because the data will likely pass through many machines on the internet before reaching your mail server anyway.

  2. While we’re on this topic– what are the proper moral standards regarding the use of WiFi hot spots you’re not paying for? Obviously if it’s being provided as a public service you’re within your rights to use it– but what if it’s a private business’s network? What if it’s your neighbor’s network? The network of the guy in the dorm room upstairs? Or just some network that you really don’t know where it’s coming from?
    At what point do we start having to worry about theft? Which I guess is another way of saying– how do we ascertain whether it would be reasonable for the owner of the network to deny us access? Maybe someone with a little more technical knowledge could shed some light on this.

  3. The short answers to your questions are: There’s not much security offered by most wireless networks, and yes, your email password is probably being sent in the clear where anybody else with a wireless laptop nearby could potentially see it.
    Depends upon your email protocol, though. If you’re using an old fashioned POP server to download your mail, then yes, your password is being sent in the clear. If you’re using IMAP then it’s being sent in the clear. However, there are such things as “Secure POP” or “POP through SSL” and same goes for “Secure IMAP” aka “IMAPS” or “IMAP through SSL”.
    If you are using old fashioned POP or IMAP, you should contact your internet service provider to see if they offer a “secure” version of the protocol. Basically they “tunnel” the traffic through SSL, the same encryption scheme used by secure websites like amazon.com, only with websites they “tunnel” ordinary http through the SSL scheme.
    When IEEE released the wireless standard, it included an encryption mechanism known as WEP. Unfortunately WEP is irreparably broken, so most wireless networks don’t even bother. After all, if you enable WEP encryption, it won’t be but a matter of minutes before a dedicated attacker can use an automated tool to view the wireless network traffic in the clear.
    An update to WEP known as WPA fixes these problems. Almost all wireless hardware and software now support WPA, but the problem is that it’s never enabled by default and older hardware typically won’t work with WPA.
    Most wireless hotspots don’t bother with WPA because it would mean that each wireless user would have to know a password. Actually, most people who set up wireless hotspots don’t even know about WPA. Indeed, for maximum compatibility, the wireless hotspots are left unsecure.
    So I do disagree with commenter Giacinto somewhat. Your network traffic is definitely insecure (sent in the clear) but “any major email app will encrypt the password before sending it to the server”? No. Depends on whether the server supports it or not. Many, if not most, ISP email servers still use vanilla POP, although more ISPs are now offering a “Secure/SSL POP” option, which you can enable in your account setup in your email program, and then sleep safely knowing your password isn’t being sent in the clear.

  4. Perhaps my previous post wasn’t clear.
    IF your applications encrypt traffic, THEN you’re fine, even over an insecure wireless network. You gave the example of purchasing something from amazon.com. That transaction is secure.
    IF your applications do not encrypt traffic, THEN you have to assume that everybody on the wireless network is watching every piece of data sent to and from your computer through the wireless network card.
    Many email protocols fall into that latter category, but due to recent developments (such as insecure wireless hotspots), most email programs offer support for “secure” versions of those same “insecure” protocols. In this case, the protocol is the same, but encryption is established between the two communicating ends before the protocol is “spoken”, so to anybody listening in between, all they see is gibberish.
    But even if your email program supports these “secure” versions of email protocols, it doesn’t amount to a hill of beans if your email server doesn’t support them. This is why you should contact your ISP to discover whether they offer these services.
    Alternatively you could just try to enable the “secure”/SSL options on your email client and see if it works.
    IF your ISP has such services available, THEN you won’t have any problems checking your email from an insecure wireless network.
    IF your ISP does not have such services available, THEN you have many options.
    – Don’t check your email from wireless hotspots.
    – Switch to an ISP that does support these options.
    – Set up a home computer to check your email, and then set up your laptop to securely connect to that home computer, which you of course set up to use encryption such as SSL. In other words, your home desktop computer would now be an email server and since it’s in your control, you can enable whatever protocols you want.
    – Forward your email to a “webmail” service like gmail.google.com and check your email from there.
    – And many more…
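
The point argued in comments 3 and 4 (plain POP or IMAP sends the password in the clear, and the "secure" variants only help when both the mail program and the server use them) can be checked from a server's capability reply. This is an added example, not part of the original post or comments; the server replies are constructed samples, and the port numbers (110/995 for POP, 143/993 for IMAP) and the STLS, STARTTLS and LOGINDISABLED keywords come from the POP3 and IMAP standards rather than from this page.

```python
# Added example; server replies below are constructed samples, not real captures.
IMPLICIT_TLS_PORTS = {995, 993}  # POP3S / IMAPS: TLS starts before any mail command


def parse_pop3_capa(reply):
    """Capability keywords from a multi-line POP3 CAPA reply (RFC 2449)."""
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return set()  # -ERR: no capability list, so treat STLS as not offered
    caps = set()
    for line in lines[1:]:
        if line == ".":  # end-of-list marker
            break
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps


def parse_imap_capability(reply):
    """Capability atoms from an IMAP greeting or untagged CAPABILITY reply."""
    caps = set()
    for line in reply.replace("\r\n", "\n").split("\n"):
        upper = line.upper()
        idx = upper.find("CAPABILITY ")
        if line.startswith("*") and idx != -1:
            caps.update(upper[idx + len("CAPABILITY "):].split("]")[0].split())
    return caps


def login_exposure(port, caps, client_uses_starttls):
    """Say how the account password would travel for this client/server pairing."""
    if port in IMPLICIT_TLS_PORTS:
        return "encrypted"
    if caps & {"STLS", "STARTTLS"} and client_uses_starttls:
        return "encrypted"  # upgraded to TLS before USER/PASS or LOGIN
    if "LOGINDISABLED" in caps:
        return "refused"    # server rejects plaintext LOGIN; client must upgrade
    return "cleartext"      # readable by anyone capturing the wireless traffic


OLD_POP = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
NEW_POP = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n"
IMAP_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"

if __name__ == "__main__":
    print(login_exposure(110, parse_pop3_capa(OLD_POP), True))
    print(login_exposure(110, parse_pop3_capa(NEW_POP), False))
    print(login_exposure(143, parse_imap_capability(IMAP_GREETING), False))
    print(login_exposure(995, set(), False))
```

The second sample is the case comment 4 warns about in reverse: the server offers the upgrade, but a mail program left on its default setting still sends the password unencrypted.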

  5. Re: Morality of using unsecured networks.
    Interesting question. Wireless is much like a mini radio station, one would think that if you could pick up the signal, you ought to be able to use it. But what if it’s available simply due to ignorance? I think this would be comparable to someone not realizing you should keep your door unlocked and put out a welcome sign for everyone (which is effectively what an unsecured network is).
    I recently got into WiFi (within the last month or so) and when I was helping my sister get set up, I detected two other networks, one of which was unsecured.
    I secured mine and my sister’s by putting specific MAC addresses (which are unique to network cards) into the “allowed list”.
    But should we take advantage of a brother’s ignorance, and how do we know it *is* ignorance and not a desire to help out all his mobile neighbors? 🙂

  6. Are you using Firefox? If your URL bar goes yellow when you’re at a site, then everything you’re looking at and sending is encrypted (including e-mail you’re viewing.) If not Firefox, then look for a little lock icon somewhere (probably near the bottom of the screen) that is in a locked state.
    As far as wi-fi I have two questions:
    a) isn’t WPA not perfect?
    b) if you’re on a secure network at a coffee shop, and someone else is on the same secure network, can’t they sniff packets from where they’re at, or does it not work that way?

  7. “Wireless is like a mini-radio station.”
    Does this mean that a wireless network is what economists would call a “non-rival good”– that use of a network by one party won’t limit the quantity or quality of the network access available to others? If so, then it’s not really like the leaving-your-front-door-unlocked example, is it? Seems like under such circumstances it would never be reasonable for a network owner to refuse access– unless of course you were engaging in activity that he found immoral or offensive in some way.

  8. I have a lot of security experience and what Nathan says is accurate. Since there is no security in the wireless network itself, you’ll have to ensure that everything you want encrypted is done so by the software on your laptop. Also, standard e-mail is NOT SECURE despite what Giacinto states. To re-iterate:
    -Secure websites using SSL are secure (check the beginning of the URL, it will have a https://).
    -Regular websites are NOT secure (http://).
    -Normal e-mail is NOT secure (POP, IMAP, but not webmail, see above for that).
    -There are newer e-mail standards that most e-mail clients and servers support that are secure (Nathan listed them) but they are usually not used by default.
    Really, the only difference between a wired connection and a wireless connection is that the snooper needs better physical access (i.e. having a network connection on the same networking hardware that you do) to the networking equipment to snoop with a wired connection. With a wireless connection the snooper can be sitting outside your house or on the other side of the coffee shop and snoop. I guess the other difference is that it is harder, if not impossible, to trace who snooped on a wireless network because the snooper need not be linked to the network to snoop and hence the logs to determine who was connected at the time of the snoop are meaningless.

  9. Some user friendly info on wifi networks can be found at http://www.wi-fi.org
    Security in Public Spaces ( http://www.wi-fi.org/OpenSection/secure.asp?TID=2#public )
    Wireless networks in public areas and “HotSpots” like Internet cafes may not provide any security. Although some service providers do provide this with their custom software, many HotSpots leave all security turned off to make it easier to access and get on the network in the first place. If security is important to you the best way to achieve this when you are connecting back to your office is to use a VPN. If you do not have access to a VPN and security is important, you may want to limit your wireless network use in these areas to non-critical e-mail and basic Internet surfing.
    The good news is that many HotSpot providers and Wi-Fi manufacturers are implementing improved security technologies to protect Wi-Fi users against interception and eavesdropping in public HotSpots.
    To learn about preventing Evil Twin / Wiphishing, review http://www.wi-fi.org/getfile.asp?f=Wiphishing_For_Web_2.pdf

  10. Okay, so lemme see if I’ve got this right:
    If I log into Gmail from a wi-fi zone then when I’m at the https:// sign-in screen then my username/password combo is safe.
    BUT
    When I get past that screen and am reading and sending e-mail from an http:// page THEN someone can snoop on what I’m doing.
    ‘Zat right?
    Another question someone may be able to help with: Once you log into Gmail, the URL is a huge long string with tons of gobbledygook in it. If that string isn’t secure and someone accesses it, what can they do with it? Would simply pasting that string into their browser give them access to my e-mail account?
    Or would that be prevented–e.g., by them not having the right cookie on their box to match the string, causing them to get booted to the log-in screen?

  11. Gmail provides POP access to your email by email client programs like Outlook that support the POP and SMTP protocols over SSL. You can send and receive your Gmail emails using Outlook or Outlook Express, for example, with the data transfer between your computer and Gmail being fully SSL encrypted.

  12. Okay.
    I’m hoping to avoid using a secondary client. I just want to log into my e-mail via my web browser.
    I don’t really care if a snooper can see an individual e-mail going to or from me. (They’re not that sensitive.) I just don’t want someone having access to my whole account.

  13. Jimmy,
    If you’re using gmail with a web browser, you’re fine. Even if you’re checking your mail from an insecure wireless hotspot.
    Google’s gmail web servers use encryption, therefore your web browser uses it, so all the traffic between your computer and google’s computers is encrypted.

  14. If somebody were to paste that huge long string in the URL bar into a different web browser, they would likely not be able to access your gmail account.
    Gmail would treat the third party’s connection as a new connection and establish a https / SSL link with them. However, their computer wouldn’t be able to supply the “remember my stuff” cookie and they’d be prompted for your password. Only if they knew your password could they get in.
    There are some poorly-written web sites which do have the security hole which you describe, but the big guys (yahoo, google, and ebay for example) are hardened against these kinds of attacks.
    The practice of imitating somebody else’s web session is often called “session hijacking”.

  15. Thanks! Y’all are right!
    I logged into Gmail from work, saved the string, and retrieved it when I came home for lunch. Then I logged out and pasted in the string. It asked for my password.
    I don’t think that the entire session is encrypted. Only the login page seems to be, but the system seems to protect against session hijacking.
    Thanks!

  16. Francis-
    Wireless access is not a “non-rival good.” There is a limited amount of bandwidth which can be used at any given time. How much bandwidth there is depends on the type of connection that is going into the network. For instance if it’s a modem then the bandwidth is limited to the speed of the modem. By having more people on the network more of them are using the bandwidth and there’s less left in the available amount. For something like Starbucks this isn’t much of an issue as they have a fast connection so a large amount of bandwidth. However, if you are there you will be able to notice a speed difference in loading webpages and other things as the room fills up with more people as there is no longer as much bandwidth to go around.
    Hope that helps.

  17. Do not steal your neighbor’s bandwidth.
    Just because there is a second computer on the network doesn’t mean both computers will have a separate connection to the ISP, each with the same amount of bandwidth. No, the bandwidth is shared, with two computers competing for it, sharing the same external IP address. It’s bad, but doubly bad if the thief is doing a lot of browsing and downloading. (I share bandwidth with my husband and yes, there is a large decrease in performance sometimes, such that one of us has to give up uploading or downloading so that the other can do something else. Besides, you never know whether your neighbor can afford the extra bandwidth–not all DSL packages are the same speed, and not all cable connections are the same quality.)
    ISPs in general do have policies against stealing a neighbor’s bandwidth, and in some cases, they even have policies against sharing bandwidth with others who are not under their contract, and require extra packages even for families to have more than one computer on the network. You don’t know what the policy is of your neighbor’s ISP.
    The owner of the bandwidth is also responsible for any event in which illegal content is accessed through the router. How would you like someone to park outside of your house and download kiddy porn using your IP address?
    It’s the neighbor, not the thief, who owns the IP address, and this IP address is the address that goes shuffling around and logged all over servers on the Internet, whenever someone sneaks and steals his bandwidth. So stealing also constitutes a privacy issue.
    A free open network is not a liberty which is licit to take.
