This is another topic seen frequently on the forums, where people are concerned about the security of borrowing open WiFi connections or using public hotspots. Are they safe to use? What about banking? Surely an Internet Cafe is safer? Especially now that so many of us access WiFi over a long distance.
The problem is that there is a lot of misinformation around, and the terminology for two different technologies (Secure, Open, Unsecured, Encrypted blah blah) is the same, so people get mixed up or don’t actually understand how things work.
In this FAQ I’ll try and explain all without getting too technical, as if you already understood the techie bits you’d not be interested in this FAQ!
What is the worry?
People worry because if they see OPEN or UNSECURED WiFi hotspots then they are concerned over the security of the link. Even Windows warns you it is unsecure. So if it is unsecure, then surely it isn’t safe to use. Right? Not really….
Difference between Secure and Unsecured WiFi
The only real difference is whether the information transmitted between your laptop and the ACCESS POINT is encrypted or not. That is it. Beyond the access point, even on the cable coming out of the access point, the data is no longer protected by the WiFi encryption. So in effect, a secure WiFi connection simply protects you against fairly local people listening in.
Anything transmitting usernames/passwords in clear text can be easily intercepted on Unsecured WiFi connections. But regardless of the connection type, beyond the access point anything you send/receive can be intercepted/read by any device you go through – which can be 10-100 or so as you get to your website!
So basically, what I’m saying is, regardless of connection method (WiFi, 3G or whatever), the same applies.
Eek! What are Clear Text Passwords?
Clear Text passwords are ones that are not encrypted by your web browser or other program before they are sent over the Internet. Examples can include web forums, chat rooms, and most “simple” websites you register on. It all depends on how THEY implement the password routine, over which you have no control.
What about Banking Sites etc?
Most business sites and professional sites, such as banking, eBay, and a lot of (if not the majority of) commercial sites use a technology which encrypts the data between your WEB BROWSER and THEM. You can tell if this is the case if, for example, there is a PADLOCK on the browser, the website address starts with HTTPS (note the S at the end), and/or the address bar is green as per the pictures.
If the above is true, then any data sent to that website from your browser is encrypted before it is sent and can only be decrypted by them.
As such, who cares if it is read along the way by anyone who can tap into the airwaves or wires? All they would see is encrypted garbage and they would not be able to decrypt it.
So, whether a website is safe to enter username/password or not is completely independent of whether your wifi connection is secure or not.
Do note not all secure websites “turn green”, but all secure websites should show the https bit at the front and also the padlock.
What about Internet Cafes?
Personally, I’d never use an Internet Cafe machine for banking or email. If their computer has a program that records the screen images and the keyboard strokes, then regardless of whether the connection between you and the website is encrypted, the internet cafe owner can see exactly what you type into which box….
Using your OWN laptop on an Internet Cafe network though is fine, for the reasons above.
Security of your machine
You MUST of course ensure your machine is free of viruses and anything nasty!!! Some viruses do record key strokes and send them to a hacker, which of course makes anything you type readable and makes any website insecure. So just keep up to date with Antivirus software (I’m happy with and recommend the FREE Microsoft Security Essentials). If you are concerned you have a virus or malware then don’t use your laptop for anything secure!
Certain services, like POP/SMTP (which are used for email) as well as the lesser used TELNET and FTP, are very, very old technologies and all of these send passwords in clear text. So if you use POP/SMTP for eMail then you may be transmitting your password in clear text. This is quite a concern and is very common indeed, though it is starting to be phased out.
If you only access email from a web page, then just check that when you log on the browser shows HTTPS or a PADLOCK as per images above.
If you access from, for example, Outlook, or Windows Mail, then check the following. Go into TOOLS–>ACCOUNTS (or ACCOUNT SETTINGS) or similar!
You should see the accounts on the system. On mine it says POP/SMTP (eek! But not always a worry). Go into the account settings (or change), then advanced. As you can see, mine is set to “This Server Requires an Encrypted Connection (SSL)”, and set to use a TLS encrypted connection.
This means, my email is encrypted between my Outlook program and the eMail server (in this case gMail).
If your box for “This Server Requires an Encrypted Connection (SSL)” is unticked, I would recommend you contact your eMail provider for SSL details. (Googlemail is http://mail.google.com/support/bin/answer.py?answer=13287 )
As such, my email is secure 🙂
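For anyone who wants to see what the encryption setting changes, the following added example (not from the original FAQ) reads a mail program's connection log and lists any login command that was sent before the connection was encrypted. The log lines, names and the example.test server are constructed; `implicit_tls` is an assumed parameter standing for a connection that is wrapped in SSL/TLS from the first byte.

```python
# Constructed client-side debug logs ("C:" is the mail program, "S:" the server).
POP3_PLAIN = [
    "S: +OK POP3 ready",
    "C: USER alice",
    "S: +OK",
    "C: PASS not-a-real-password",
    "S: +OK logged in",
]
POP3_REFUSED_UPGRADE = ["S: +OK POP3 ready", "C: STLS", "S: -ERR not supported"] + POP3_PLAIN[1:]
SMTP_STARTTLS = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO laptop",
    "S: 250 STARTTLS",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
    "C: EHLO laptop",
    "S: 250 AUTH PLAIN",
    "C: AUTH PLAIN constructed-base64-blob",
    "S: 235 Authentication successful",
]

CREDENTIAL_COMMANDS = {"USER", "PASS", "AUTH"}  # POP3 USER/PASS, SMTP AUTH
UPGRADE_COMMANDS = {"STLS", "STARTTLS"}         # POP3 / SMTP "switch to TLS now"


def cleartext_credentials(transcript, implicit_tls=False):
    """List the login commands sent before the connection was encrypted."""
    encrypted = implicit_tls   # True when TLS wraps the connection from the first byte
    upgrade_pending = False
    findings = []
    for line in transcript:
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "S":
            # "+OK" (POP3) or "220" (SMTP) right after an upgrade request means TLS starts.
            if upgrade_pending and words[0] in ("+OK", "220"):
                encrypted = True
            upgrade_pending = False
            continue
        command = words[0].upper()
        if command in UPGRADE_COMMANDS:
            upgrade_pending = True
        elif command in CREDENTIAL_COMMANDS and not encrypted:
            findings.append(command + " <redacted>")  # never echo the secret itself
    return findings
```

Note the refused-upgrade case: if the server turns down the request for encryption and the mail program logs in anyway, the password still goes out in clear text.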