Slashdot Mirror


The Problems of Web Surfing in Public Places

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that come with using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"

8 of 176 comments

  1. Glaring technical errors by Anonymous Coward · · Score: 5, Informative

    Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.

    Who wrote this crap?

    1. Re:Glaring technical errors by Achromatic1978 · · Score: 3, Informative
      Agreed. I was thinking that. "Don't do {any one of a number of tasks that are almost definitely encrypted}, but go right ahead and do {any one of a number of tasks that almost definitely aren't}".

      Mind you, I SSL protect my webmail, too.

    2. Re:Glaring technical errors by lars_boegild_thomsen · · Score: 5, Informative

      Who told you ssl is safe? Any computer on the same lan segment - a bit of arp poisoning and you got an efficient man-in-the-middle attack. Then you present the client with a fake ssl certificate made on the fly to look like the original server certificate. No - it will not have the proper signatures by any cert authorities, but honestly - how often do YOU read all the details of a certificate presented to you before you say "Accept"?

      Sounds complicated to do in reality - well there are tools readily available that do EXACTLY what I described above and just about anybody can use them with a few hours of playing around.

      So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.

  2. Re:Auto-login anybody? by daranz · · Score: 3, Informative

    Ideally, a web browser on a public computer would be set up not to save any personal data, such as cookies, passwords, form entries, etc. Of course, in most cases it is not so, and such browsers save cookies, and even passwords from the users... Fortunately, some browsers, like FF, have a convenient menu item that clears all personal data recorded by the user, and so it's possible to ensure that you leave no cookies or form entries behind, even if the browser is set up to allow them... Worst thing if the public computer runs IE, or some other browser where you have to dig in options screens to clear all your data. In many cases, such meddling with the browser is frowned upon by whoever is supposed to be watching over the computers.

    --
    This is a sig. It is appended to the end of comments I post.
  3. More reason to listen to the End-to-End Argument by ToastyKen · · Score: 3, Informative

    That's all the more reason to listen to The End-to-End Argument [PDF]. (Wiki link if you don't want a PDF.)

    Never trust the network!

    Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..

  4. Re:I read your traffic by Bios_Hakr · · Score: 3, Informative

    You are thinking of it in terms of watching a TV. That's not the problem. Like you say, most people have nothing to say.

    However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords. Once they nail a CC#, they can examine the surrounding packets to find expiration dates, names and addresses, and that stupid "security code". MMO passwords can be used to empty a user's inventory for real money.

    How many people shop from Starbucks? I dunno. I bet quite a few do. How many play WoW at Starbucks? Probably some.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  5. Re:I read your traffic by Vellmont · · Score: 3, Informative


    However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords.

    While this is somewhat of a concern, the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent. That would make any sniffing attempts useless.

    Hell, even Yahoo has a secure login for email these days.

    --
    AccountKiller
  6. Re:I read your traffic by daranz · · Score: 4, Informative

    Some banks actually issue scratch-off cards, that contain a bunch of authentication numbers. Each of those can be used only once, and they have to be used in the order they are listed on the card. That way, even if the login data is stolen, no transaction can be done without intercepting the physical card... Sort of a one time pad scheme for transaction authentication. It's simple, cheap, but effective.

    As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...

    --
    This is a sig. It is appended to the end of comments I post.
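
The scratch-off scheme described in the last comment, sketched from the bank's side as an added example (not part of the thread and not any bank's actual code): each number is accepted once and only in card order, so a sniffed number is useless on replay. The class name, the sample codes and the three-strike lockout are assumptions; the lockout goes beyond what the comment describes and is there because short numeric codes are guessable.

```python
import hmac

MAX_FAILURES = 3  # assumption: lock the card after three wrong submissions


class TanCard:
    """Server-side state for one issued scratch-off card (hypothetical design)."""

    def __init__(self, codes):
        self._codes = list(codes)  # numbers in the order printed on the card
        self._next = 0             # index of the only number currently valid
        self._failures = 0         # consecutive wrong submissions

    @property
    def locked(self):
        return self._failures >= MAX_FAILURES

    def remaining(self):
        return len(self._codes) - self._next

    def authorize(self, submitted):
        """Accept `submitted` only if it is the next unused number on the card."""
        if self.locked or self._next >= len(self._codes):
            return False  # locked or exhausted: a new card must be issued
        expected = self._codes[self._next]
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._next += 1      # burn the number; it is never valid again
            self._failures = 0
            return True
        self._failures += 1
        return False


def demo():
    # Constructed sample card; real numbers would be random and bank-issued.
    codes = ["481203", "907115", "336842", "150977"]
    card = TanCard(codes)
    return {
        "first_use": card.authorize(codes[0]),
        "replay_of_sniffed_code": card.authorize(codes[0]),
        "out_of_order": card.authorize(codes[2]),
        "next_in_order": card.authorize(codes[1]),
        "remaining": card.remaining(),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```
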