I’m gonna cut to the chase, and since this is a blog read by primarily non-technical people,1 I’ll lay this whole thing out in a non-technical way: Using your laptop, phone, or iPad with free WiFi is dangerous as hell.
I know, you love your free wifi. You love being able to post your whereabouts on Facebook, and constantly connect to your email. Trust me, I do too. But all this free wifi comes with a cost- and it’s not one of those vague “you might forget to smell a flower” costs, either.
When you use free wifi, you give everyone around you access to many accounts that you use. They don’t need a password, they don’t even need to know where you are. They could be in the building next door and not know you’re sitting in the coffee shop. The fact remains that while you’re sitting there on Facebook posting videos about your cat- they can be on your Facebook account- logged in as you.
Wifi and Security
Why is this true? You ask.
Let me explain using an analogy. Think about a wired network- where you have a physical cable running to your computer- sort of like a telephone. People around you might hear what you’re saying (unless you whisper) but your conversation is pretty much safe from them. Others can tap the phone, but they have to actually connect to the wires you are using. It’s a pretty unlikely scenario, realistically, so you can be fairly confident that no-one really cares enough about your cat videos to go to the trouble of going to your building, breaking into your phone box, and wiring up a listening device.
Now, think about a wireless network sort of like shouting to your friend. You scream all of the details about what’s going on to your friend, and your friend screams back. The communication is not confined to a cable- it’s out there in the air. In fact, it’s actually out there in the air in a way that everyone else almost can’t help but hear it.
The “Don’t Tempt A Thief” Analogy
It’s a subtle distinction, but it’s basically the difference between an iPod sitting in a glovebox of a locked car and an iPod sitting on the seat of a convertible with the top down. Someone might not care enough to break into the car and search for a possible iPod in the first case- but there’s a heck of a lot less of the “care” part needed to steal that iPod on the car seat.
The same is true of your information. You’re probably not important enough for someone to find your house and physically tap your DSL network in order to find out your passwords, account details, etc. But if you sit there in a coffee shop and scream out your passwords to anyone around you, well, there’s a lot less of the “care” part needed for someone to steal your accounts.
Passwords don’t protect you
Okay, technically, you are not shouting your password. Whenever (let’s hope) you log into a site, the login is encrypted so that no-one can actually see your username and password information. That’s a good thing. Whenever you see the site’s address start with “https” instead of “http,” you are safe. The “s” is the tasty bit that stands for “secure.” Your password details are pretty safe. But, and here’s the main problem with wireless security today, that’s the end of the encrypted part.
You see, when you go to Facebook and log in, you get the https connection for the login process, but the rest is done with “sessions.” When you log in, a tiny piece of information is created and that information is shared between the site and your computer. It’s basically a receipt for the login process- or maybe even like a hand stamp at a bar. The site says “Let’s go over here, I’ll look at your ID, then you can come and go as you please through the public door. Just show me your stamp.”
After you have that stamp, the site drops the “https” part of the process and goes back to plain old “http,” because it knows who you are now. It does this because https is more expensive, so why use it when you don’t have to. Here’s the problem: That handstamp is not a physical piece of paper or something attached to your body. It’s just a number.
And on a wireless network, that number is shouted out into the air.
So, here you are, sitting in the coffee shop playing around on Facebook, or your email, and your computer is shouting your receipt number out to anyone who cares to listen. And anyone with that receipt number can get in the front door. That means anyone sitting around you can read your email- and there’s not much of the “care” part needed to do so.
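For the more technical readers: the “receipt number” is a session cookie, and the reason it gets shouted over plain http is that the site never told the browser to keep it on https. The following is an added example, not code from the original post, that models the browser rule a cookie marked Secure is only attached to https requests, and audits a Set-Cookie header for that flag. The header values and the session-name hints are constructed assumptions.

```python
# Added example: models the browser rule that a cookie marked Secure is only
# attached to https requests, so the "hand stamp" stays off plain http.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Name fragments that usually mark a login-session cookie (an assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header into {name: {value, secure, httponly}}."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {name: {"value": m.value,
                   "secure": bool(m["secure"]),
                   "httponly": bool(m["httponly"])}
            for name, m in jar.items()}

def cookies_sent_to(cookies: dict, url: str) -> dict:
    """Cookies a browser would attach to a request for url: Secure cookies
    travel only over https; the rest go out in the clear over http too."""
    scheme = urlsplit(url).scheme
    return {n: c["value"] for n, c in cookies.items()
            if scheme == "https" or not c["secure"]}

def audit(header_value: str) -> list:
    """List session-looking cookies that lack the Secure or HttpOnly flag."""
    findings = []
    for name, c in parse_set_cookie(header_value).items():
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue
        if not c["secure"]:
            findings.append(f"{name}: missing Secure, so it is sent over plain http")
        if not c["httponly"]:
            findings.append(f"{name}: missing HttpOnly, so page scripts can read it")
    return findings

# Constructed sample headers (not copied from any real site).
WEAK_HEADER = "sessionid=abc123; Path=/; Domain=example.com"
FIXED_HEADER = "sessionid=abc123; Path=/; Domain=example.com; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        jar = parse_set_cookie(hdr)
        print(label, "over http  ->", cookies_sent_to(jar, "http://example.com/inbox"))
        print(label, "over https ->", cookies_sent_to(jar, "https://example.com/inbox"))
        print(label, "audit      ->", audit(hdr))
```

The weak header is the situation the post describes: the cookie rides along on every plain http request. The fixed header is the server-side half of “force https”: the browser will refuse to send that cookie over http at all.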
Firesheep: No “care” part needed
That can’t be true! Why haven’t I heard about it before?
Because there actually “was” a bit of care needed. In order to listen to wireless network traffic, a person has to be able to pull non-direct (to his/her computer) traffic from the air and analyze and decode it. It’s a process known as “sniffing” and it involved a wee bit of sophistication. Nothing beyond many techie people, but it took effort. Someone had to make the decision that they were going to go through the effort, and there were simply not that many people- so your overall chances of being “sniffed” were, well, relatively low.
Until last week.
Now, before you freak out in anger, I want to say that I’m glad the person behind Firesheep wrote it, and I support him writing it. He did it publicly, and vocally. He did it because the majority of sites out there are lying to themselves and to you, they are putting you, everyone, at risk- and they are doing it, basically, out of laziness.
He wrote it because he wants it to stop.
The story is that if it’s easy- if anyone can do it- then companies will soon find it necessary to stop lying to themselves- and to you. This is A Good Thing™.
However, that doesn’t make it safe. Now, if you are on an unsecured wireless network, anyone with Firefox can press a button and connect to your email, your Facebook account, whatever site you visit that requires a login and does not force a secure connection.
You are an iPod, sitting on the seat of a convertible, and the top is down, baby.
What to do about wireless security?
Fret not. All is not lost. There are steps you can take to prevent people from stealing your email account. Here are a bunch of possibilities:
- Don’t ever use free wireless. Yeah, I know- me neither. It’s just not gonna happen. Let’s be serious.2
- Force a secure https connection. I do this with my Google Apps accounts. I can log in to the administration interface and force the system to use https for everything. That way, whenever I connect to my email, calendar, documents, anything that is on my Google Apps account, it is automatically secure. Still, this is not possible for many sites. Facebook doesn’t have an option for “enforce a secure connection.”
- Various technical solutions. I’m writing this on a non-tech blog, and so terms like “ssh tunnel” are going to be lost on most readers. Still, since these posts are often syndicated, I’ll point the more geeky users to other posts.
- Pay someone to save your bacon. This is, arguably, the best solution. For a small annual fee, you can download a bit of software and basically never worry about all of this again. This is a solution called a Virtual Private Network, or VPN.
Personal VPN: Security in an Insecure World
You can think about a VPN as something of “a network inside a network,” and it’s kind of like having a lawyer sitting next to you in a trial. Someone asks you a question, and you whisper in the lawyer’s ear, he whispers back in your ear, and then the lawyer answers the question for you.
The information between you and the lawyer is secret. And the lawyer interfaces with the world to protect you.
Remember that it takes a lot of effort for someone to connect to a wired network, find your traffic, and get your information. It takes a lot MORE effort if that wired network is not even a network that you’re ON. They’re trying to listen to you, but your lawyer is the one talking.
So, you create an encrypted connection to a VPN server somewhere. Then everything between you and that VPN is encrypted. Your computer only talks to that VPN server. That VPN server then goes out to the site, talks to it, and sends information back to you. The information between the site and the VPN server might be unsafe- but everything between the VPN server and YOU is encrypted- which means you’re not shouting anything out on that free wireless connection.
Witopia: Security heaven
Normally, VPNs are a bit difficult to set up. However, lucky for you, there are companies that make this mindlessly easy. One such company is Witopia.3
Witopia is a company that lets you download a little bit of software that allows connection to their VPN. The great thing about this company is that you have to do very little to be very secure, and it’s dirt cheap. For $40/year, you can go to any coffee shop, airport, or strip club anywhere in the world, and browse to your heart’s content. They have VPN servers all over the world. Plus, they’ve got things figured out for nearly any device you’d use- including the wondrous iPad.
Yes, I know. You don’t want to spend $40. That’s a lot of money, blah blah.
Let me ask you something: How many times per year do you actually go to a coffee shop and use the free wifi? Is it free? Don’t you, well, buy coffee? How about if someone suddenly took over your email account, changed the password so you couldn’t get in- or even just downloaded all of your email to read at their leisure- how much would that be worth to you? If someone got into your Facebook account and read your private messages? How about if they locked you out?
I’m not a salesman for Witopia, but I do think that saying something like “eh, $40 is too much, I’ll just risk it” is stupid, at least it is now. Because we’ve reached the point that it’s just too easy. There’s too little “care” needed.
Whether you opt for no-free-wifi, Witopia, or another option, I hope you do something. Things are way too easy now. You’re an iPod sitting in a convertible. You are going to get stolen.
Now, it’s just a matter of when.
1. Although it is syndicated on my very technical blog: http://mettadore.com
2. However, I do notice that taking the time to ask yourself “Do I really need to check my email that I just checked a half hour ago?” is a good question. Not only am I more mindful about being online- I find that the majority of the time, it’s honestly not necessary- and that gives me more time to stare off into space… or at the legs of that really gorgeous red-head that just walke–
3. Note: There are many others. Some of them are maybe better. Witopia is the one that I chose, because it was fast, easy, cheap, and works with everything I use.