For many domainers, travel goes with the territory. Whether it’s attending conferences, or reaping the rewards of a big domain sale (aka holidaying) – travel is often a “luxury” afforded by the nature of our industry.
When traveling, the occasional email check at an internet cafe or via wifi hotspots is something many of us have turned to – some more regularly than others. Emergencies may have forced some of us to access our domain management consoles via hotspots too.
The following information may scare some of you – the only reason I am writing about this is because the bad guys already know about these issues while many domainers don’t.
Every time you use a public WiFi network, you might be shouting your usernames, passwords and even credit card info to the world.
You will be surprised how many public WiFi networks are left unencrypted as encryption requires each user to log on to the network with a set of credentials. More importantly, even encrypted WiFi connections can be broken into with widely available software.
Many users connecting to the net via a WiFi card installed on their laptops or via their WiFi-enabled mobile phones are completely unaware that they are transmitting information over the air which can be easily viewed by others. A WiFi router broadcasts all “conversations” taking place between itself and connected users. If 5 users of a hotspot browse the web, 5 “conversations” are being broadcast within the hotspot range. Others within range can use widely available tools to eavesdrop on those “conversations”, trapping and analyzing data packets – which, in the case of unencrypted WiFi networks or unsecured website usage, means trapping unencrypted usernames and passwords!
Although encrypted WiFi networks are safer, they still remain vulnerable to what is called session hijacking. Many websites secure your initial login but fail to secure the subsequently used “cookies”, leaving you – the website user – vulnerable. If prying eyes are logged onto a WiFi network, they can get a hold of your unsecured cookie and hijack your session on that particular site – literally impersonating you and being able to do everything you are able to do during that session on that website (change your personal data, post status updates etc).
Session hijacking is a widely known problem within security circles yet numerous popular websites fail to protect their users from session hijacking attacks. This issue is most easily illustrated by the usage of a Firefox plugin called Firesheep. By running Firesheep on a WiFi network, the user can easily view and abuse hijackable sessions.
The only effective way to avoid session hijacking and unencrypted data transmission is to use full end-to-end encryption, known as HTTPS or SSL (Secure Sockets Layer), when transmitting any sensitive information – yet popular websites like Facebook and Twitter still don’t use SSL by default. More importantly, while Gmail and Yahoo protect their users with SSL, many custom email solutions don’t. Your custom blog or website installation does not either – unless you use SSL.
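If you run your own blog or website, you can check for the cookie weakness described above by looking at the headers your site returns at login. The following Python example is added here and is not from the original post; the sample headers, cookie names and the host example.test are constructed for illustration.

```python
# Constructed sample: headers a site might return after an HTTPS login form post.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://example.test/home
Set-Cookie: session_id=abc123; Path=/; HttpOnly
Set-Cookie: auth_token=def456; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
"""


def cookie_attributes(set_cookie_value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw_headers):
    """Find cookies and redirects that would expose a session on an open network."""
    report = {"cookies_without_secure": [], "plain_http_redirect": None}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        field, value = field.strip().lower(), value.strip()
        if field == "set-cookie":
            name, attrs = cookie_attributes(value)
            # Without Secure, the browser also sends the cookie over http://,
            # where anyone capturing the WiFi traffic can read it.
            if "secure" not in attrs:
                report["cookies_without_secure"].append(name)
        elif field == "location" and value.lower().startswith("http://"):
            # Login was encrypted, but the site then drops the user back to HTTP.
            report["plain_http_redirect"] = value
    return report


if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    for name in result["cookies_without_secure"]:
        print(f"cookie {name!r}: missing Secure flag")
    if result["plain_http_redirect"]:
        print("redirects to plain HTTP:", result["plain_http_redirect"])
```

Any session cookie the audit lists should be reissued with the Secure attribute, and the whole site, not only the login page, should be served over HTTPS.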
What can you do to protect yourself from WiFi vulnerabilities?
Avoid transmitting any personal information over public WiFi networks (i.e. avoid logging into anything of importance). On occasions however, this is simply not an option. If you must use a WiFi network to transmit personal information (i.e. log into your websites or email), make sure you are accessing only websites that provide full end-to-end encryption (SSL) – meaning their website address starts with https.
What else should I know about?
Home WiFi networks can be equally dangerous. Unsecured and unencrypted WiFi networks are a disaster waiting to happen. Criminals, pornographers and even terrorists can latch onto your connection and transmit illegal information impersonating you – literally labeling you as the source of said illegal information.
It is alleged the attackers in the recent Mumbai bombings used the unsecured WiFi networks of individuals and institutes in Mumbai to communicate and plan their attacks (source: Dangers of Wi-Fi by MSSG).