Slashdot Mirror


The Problems of Web Surfing in Public Places

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues of using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"

14 of 176 comments

  1. Reading sensitive information in public places? by SillyNickName4me · · Score: 4, Insightful

    Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer

    Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.

    1. Re:Reading sensitive information in public places? by SillyNickName4me · · Score: 2, Insightful

      But solving that problem is a few dollars away in the form of a screen protector.

      Which solves only half of the problem of course, people can still easily observe and record your typing.

      For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise.

      True.

      What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of military orders in the dumpster at my former Air Force Base. Some people are clueless.

      Well, my point was that working with sensitive data in public places is usually a hard-to-miss sign of such cluelessness for reasons much simpler than that a wireless network might be sniffed.

    2. Re:Reading sensitive information in public places? by ms1234 · · Score: 3, Insightful

      Does anyone else than me find it funny that when LCD screens were new people would bitch and moan about the angles from which the screen could be seen was bad and now when you have an almost 180 degree field of vision on the damn things people bitch and moan that others can see what's on their screens and are buying screen protectors?

    3. Re:Reading sensitive information in public places? by Single+GNU+Theory · · Score: 2, Insightful

      Yes! Absolutely.

      I also find it highly amusing that people used to complain about glare from a screen until suitable anti-reflective coatings were developed. Now they pay extra for the Sony X-brite screens (or whatever it's called these days) that look great but reflect a lot.

      --
      Little Debian: America's #1 Snack Distro!
  2. Auto-login anybody? by minuszero · · Score: 3, Insightful

    How many websites you use have a "log me in automatically" checkbox, ticked by default?

    Bet it's most.

    How many average users do you suppose won't bother/remember to uncheck it?

  3. Re:security in internet cafes by Anonymous Coward · · Score: 2, Insightful

    If you can't trust the browser, how can you trust a Java applet delivered through that browser?

  4. Re:Man-In-The-Middle Attacks by Vellmont · · Score: 3, Insightful


    Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisoning etc.

    That's why SSL certificates are signed. As long as the certificate issuers are doing their jobs and only giving out signed certificates for www.myURLNameHere.com to the actual owner of www.myURLNameHere.com, and people actually don't complete transactions when a warning of a self-signed certificate comes up, you're fine. The cert issuers are pretty good (I haven't heard of any real problems). Some people do ignore cert warnings, but that's the risk they take. I know to take cert warnings seriously when entering in secure information, so the risks to me are minimal.

    --
    AccountKiller
  5. Not just the owner by grahamsz · · Score: 4, Insightful

    Anyone with a laptop on the same segment or WAP can run their own DHCP server. That way when you connect, there's a very good chance that they can send you connection details first.

    That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.
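
A defensive check for the rogue DHCP server described in the comment above, as an added example that is not part of the original thread: it parses DHCPOFFER payloads and reports any transaction that was answered by more than one server identifier. The function names and the sample addresses are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options (RFC 2131)

def parse_offer(payload):
    """Return (xid, server_id, router) for a DHCPOFFER payload, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                       # not a BOOTREPLY carrying DHCP options
    xid = struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                             # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # truncated option value
        opts[code] = value
        i += 2 + length
    # Option 53 = message type (2 is OFFER), 54 = server identifier, 3 = router.
    if opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None
    router = opts.get(3, b"")[:4]
    gateway = socket.inet_ntoa(router) if len(router) == 4 else ""
    return xid, socket.inet_ntoa(opts[54]), gateway

def conflicting_offers(payloads):
    """Map each transaction id answered by more than one server to the offers seen."""
    seen = {}
    for parsed in filter(None, map(parse_offer, payloads)):
        xid, server, gateway = parsed
        seen.setdefault(xid, set()).add((server, gateway))
    return {x: sorted(o) for x, o in seen.items() if len({s for s, _ in o}) > 1}

def build_offer(xid, server, gateway):
    """Construct a minimal DHCPOFFER payload (sample data, not a real capture)."""
    header = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228)
    options = b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server)
    options += b"\x03\x04" + socket.inet_aton(gateway) + b"\xff"
    return header + MAGIC + options

if __name__ == "__main__":
    sample = [build_offer(0x1234, "192.168.1.1", "192.168.1.1"),
              build_offer(0x1234, "192.168.1.66", "192.168.1.66")]
    print(conflicting_offers(sample))
```

Networks that run a DHCP failover pair legitimately show two server identifiers, so the result is a prompt to compare against the servers the operator actually runs.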

  6. Re:Man-In-The-Middle Attacks by RobertLTux · · Score: 2, Insightful

    the big problem can be said in 2 words

    Keystroke Recorder
    You could have a 42 layer vpn/xyz/hypercryption tunnel but if the keystrokes are being logged then you are Foxtrot Uniform Charley Kilo Echo Delta #Bang #Bang

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  7. Re:When used properly by asuffield · · Score: 4, Insightful
    It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning


    Um, excuse me? All the workstations in the net cafe will have the cafe owner's CA certificate installed, which will validate all the MIM attack certificates for them (assuming that they didn't just have a modified version of firefox installed that lied about the SSL status). SSL is completely and totally worthless when the attacker controls the workstation you are using.

    The only thing SSL does is to ensure that communication between two secure endpoints cannot be accessed by somebody who merely controls the channel between them. It cannot be of any use to you if your endpoint is not secure.
  8. Technically unaware on slashdot? by grrowl · · Score: 3, Insightful

    I wasn't aware the technically uninformed read "News for Nerds" Slashdot.

  9. Re:Just wondering... by fm6 · · Score: 3, Insightful
    Why this obsession with HTTPS?

    The same reason people buy car alarms that will be ignored when they go off, or guns that they don't have the training to use. People want some technological solution to their security problems. They don't want to go through the hassle of doing a real security strategy. The real purpose of most security technology is not to provide security, but to provide the feeling of security.

  10. Re:Glaring technical errors by NMerriam · · Score: 2, Insightful

    When I worked the help desk for an ISP, I got complaints from folks because we didn't support SSL connections to our email servers. That would be like using an armed courier to send a package to someone, then having the courier leave the package on the doorstep!

    I wasn't aware that every email I send and receive has my account password attached to it. Oh, they don't? Then I should probably use SSL to connect to my email server. SSL isn't about protecting the message, it's about protecting the client login.

    --
    Recursive: Adj. See Recursive.
  11. Open WiFi Cafe' - opinion by deviceb · · Score: 2, Insightful

    I recently set up my girlfriend's cafe with a speedy little router. The Cafe's WiFi is open, not WEP enabled (for ease of use).
    The Cafe has one public PC for the use of anybody (also on wireless network).
    What I told her is to never do anything critical on the public PC. Then I showed her from my flash drive how fast I could install Cain+Abel (or similar) and extract protected passwords to a .txt, uninstall C&A and nobody would know the difference.
    I would never abuse patrons' info, because it is bad for business! But others might not be as honorable. (I would make some edits on a myspace in an instant if left open ;)

    Besides a disclaimer to patrons (watch your shti!) What really can you do to prevent an open WiFi spot from being abused?
    **without making things a pain in the arse for customers

    --
    Kill your TV