Shmuel Metz asks:

>Are you still using Wired Equivalent Privacy (WEP) or something more
>modern, e.g., Wi-Fi Protected Access (WPA)?

Of course I use the latter, but a few points:

1. Wi-fi encryption only handles the hop between your wireless device and the wireless router/access point. Beyond that almost everything Yahoo! Mail's Web UI transmits (and receives) is in the clear via HTTP, not HTTPS.

2. I specifically mentioned coffee shops. Most coffee shops, hotels, etc. still don't use encrypted wi-fi.(*)

3. The Internet is a public, untrusted network. It is not a private, secured network. Everything you send and receive via Yahoo! Mail's Web UI flows in the clear with the exception of your login credentials, which are checked (by default) only once every 7 days. Anybody between you and Yahoo! can intercept that unencrypted traffic -- the hotel, the coffee shop, the ISPs, governments, an employer, etc., etc. Spammers are already sifting through that unencrypted data to capture e-mail addresses and other information. Your inbox, every e-mail you read, every e-mail you write, and your entire address book are all wide open to anyone who can intercept the Web UI network traffic at any point.

4. It's a big problem when practically everybody in the security community criticizes Yahoo! for their intransigence in fixing the problem. It's an even bigger problem when my own mother suffered from Yahoo's decade-plus-long failure to turn on HTTPS.

(*) It would certainly help if the wi-fi industry adopted a "Public WPA2" (a.k.a. "coffee shop") addition to their standards, requiring adoption and compliance among manufacturers. Such an amendment would be similar to HTTPS, allowing simple "walk up" encryption of wi-fi connections. Hopefully it would also have reputation-based client evaluation of wi-fi hotspots to reduce spoofing risk. Oddly, wi-fi doesn't yet have a great, easy-to-use security solution for the coffee shop/hotel scenarios where wi-fi is so popular. Maybe Apple will figure this out.

Timothy Sipples
Resident Enterprise Architect (Based in Singapore)
E-Mail: [email protected]
