> Hi, what's the best way to use an unsecured network?

Thanks for this question Brian. It jogged me to update a page I wrote a while ago. The new version is at http://socalfreenet.org/safesurfing. I hope you'll find it useful. I also hope others with more knowledge than me will jump in and tear it apart so I can make it better! Just use the comments at the bottom.

> I know not to use credit cards and such.

Perhaps erroneously, I actually worry far less about credit card transactions on an open wireless network than I do about someone reading my email or catching a worm. Most online stores use SSL to protect your CC# en route. Few email providers use SSL to protect your email contents (or even your email account name/password) as you sit there downloading it. And if you think about the kind of information email can contain, passwords, account numbers, various reports...

More info at the link above, also copy pasted below (snapshot of work in progress).

Hope this helps.

cheers,
michael

====== from http://socalfreenet.org/safesurfing ========

Safe Surfing on Open Wireless Networks

Submitted by mikemee on Wednesday, September 29, 2004 - 11:55

When you're using a wireless network, everything you do could be monitored by someone nearby or across the street, or even several blocks away. To keep your personal information private, there's an increasing level of steps you can take. Opinions vary widely about how important this is and ultimately it's up to you to determine how much effort you put into this, but the 80-20 rule is well applied here - for 20% of the effort you can get 80% of the protection, so it's worth doing some of the steps described below.

Secure Surfing

If you do web-based banking, or similar important transactions like stock trading, then be sure that your web browser shows that you are connected via a secure connection. This is typically shown in the browser with a small 'padlock' on the bottom bar. Also, the URL will begin with https:// instead of http://.

Most shopping sites also use SSL, so generally speaking, I don't worry about buying a book at Amazon while using my computer at an internet cafe. (I worry much more about email, see below).

If you want to ensure that no-one can see any web pages you go to, you can use a product like http://www.freedom.net/ or http://www.anonymizer.com for $30-50 per year.
These products send all your traffic securely to their servers via https - i.e., the lock icon on your browser will always be on.

Firewall

Even though most open wireless systems are behind a firewall already, having a firewall on your computer is still a smart move in case anyone else within the system is infected with a network virus.

If you're using Windows XP, at a bare minimum, you should enable the built-in firewall (Microsoft step by step guide). This will block outside attacks. However, if you're already infected, or an attack comes via a web page, it's helpful to run a more powerful firewall that will notify you about programs trying to "break out" of your computer.

If you have a Windows PC, we recommend either Agnitum's free Outpost (better, more features like ad and pop-up blocking) or ZoneLabs' free ZoneAlarm (easier to use).

Anti-Virus

Please run anti-virus software to catch viruses spread via email. My personal favorite is www.nod32.com which, coincidentally, is a local San Diego company. I like this because it's much smaller, faster and specific than the behemoths offered by Symantec et al - and just as effective (if not more so). It's also cheaper. Got to love that!

Email

In practice, email is likely the most critical data to protect. Think about the number of passwords, order information and personal information that is stored in your email. Now imagine if someone could read this.

Web Email

Common webmail clients like hotmail and yahoo have a "secure login" button which you should always use. However, this only stops snoopers from seeing your password. Look closely at the "lock icon" on the browser and you'll see that it disappears after you log on. This means that whatever email you view on your computer can also be viewed by others. The reason hotmail and yahoo don't use security all the time is that it increases the load on their servers, which, as you can imagine, are already pretty busy!

Unfortunately the only real solution (except for anonymous surfing described above) if your webmail provider does not support https connections while reading your email is to switch to another provider that does. Of course this generally means changing your email address, which may be inconvenient. You will need to weigh the risk / reward benefit yourself. Personally I don't use a Yahoo/Hotmail account in public places. Like identity theft in general, the likelihood you'll have a problem is rare, but it's also fairly easy to avoid. See the recommendations below.

Email Programs

If you're using an email program, like Outlook (Express) or Eudora, these use either POP3 or IMAP protocols - which are both completely insecure. Similarly when you send email, the sending protocol called SMTP is also insecure. However, many ISPs now provide a secure version of these protocols and it's easy to find out if yours does.

In Outlook Express, first go to Tools -> Accounts. Then choose Properties. Click on the Advanced tab. Then check the two boxes "This server requires a secure connection (SSL)" for both SMTP and POP3 (or IMAP).

Then send yourself a message. If you get an error sending, then uncheck the SMTP secure connection box and try again. If it works, your provider doesn't support secure sending of email (or possibly uses a nonstandard port). Similarly for receiving email.

Email Recommendations

My personal recommendation for email is http://fastmail.fm. They have several account levels, starting with free. Unlike Yahoo (and Hotmail, sort of), you can use Outlook Express or your favorite email program with Fastmail, as well as the web interface if you prefer. They support secure connections either via the web or your email client. So when you're using a public connection, you can be confident that no-one can easily read your email.

Fastmail also provides the ability to check email from other accounts, including Hotmail (but not Yahoo unless you've paid for POP3 access).
This provides a workaround to let you keep your hotmail account while you transition to fastmail.

There are also other providers out there that specialize in secure webmail such as www.hushmail.com.

(Full disclosure: if you do sign up with Fastmail at the above link, I'll get a small referral fee if you ever upgrade to a paid account).

Please Comment!

The opinions above are my personal take on security at wireless hotspots, but I'm no expert! Please chime in with opinions, questions and pointers to better resources below. Thanks.
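
Added example, not part of the original message or the Safe Surfing page: the "Email Programs" section finds out by trial and error whether a provider supports secure POP3, IMAP or SMTP, and the same answer can be read from the capability list the server sends on its plaintext port. The function names, verdict labels and sample replies below are constructed for illustration; servers that only offer SSL on a dedicated port are outside what this check sees.

```python
# Capability keyword that announces an in-session TLS upgrade, per protocol.
UPGRADE = {"smtp": "STARTTLS", "pop3": "STLS", "imap": "STARTTLS"}

def capability_tokens(protocol, lines):
    """Collect upper-cased capability keywords from a server's capability reply."""
    tokens = set()
    for raw in lines:
        line = raw.strip()
        if protocol == "smtp":
            # EHLO reply lines: "250-STARTTLS", "250 AUTH PLAIN LOGIN"
            if line.startswith("250") and len(line) > 4:
                tokens.add(line[4:].split()[0].upper())
        elif protocol == "pop3":
            # CAPA reply: "+OK ...", one capability per line, then "."
            if line and line != "." and not line.startswith(("+OK", "-ERR")):
                tokens.add(line.split()[0].upper())
        elif protocol == "imap":
            # Untagged reply: "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
            parts = line.upper().split()
            if parts[:2] == ["*", "CAPABILITY"]:
                tokens.update(parts[2:])
    return tokens

def assess(protocol, lines):
    """Classify what the server allows on its plaintext port."""
    caps = capability_tokens(protocol, lines)
    can_upgrade = UPGRADE[protocol] in caps
    # Does the server accept a password before any encryption is in place?
    if protocol == "imap":
        cleartext_login = "LOGINDISABLED" not in caps
    elif protocol == "pop3":
        cleartext_login = "USER" in caps
    else:
        cleartext_login = "AUTH" in caps
    if not can_upgrade:
        return "plaintext-only"
    return "tls-optional" if cleartext_login else "tls-required"

# Constructed sample replies (not captured from any real provider).
SMTP_REPLY = ["250-mail.example.net", "250-SIZE 10240000",
              "250-STARTTLS", "250 AUTH PLAIN LOGIN"]
POP3_REPLY = ["+OK Capability list follows", "TOP", "USER", "UIDL", "."]
IMAP_REPLY = ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", "a1 OK done"]

if __name__ == "__main__":
    for proto, reply in (("smtp", SMTP_REPLY), ("pop3", POP3_REPLY),
                         ("imap", IMAP_REPLY)):
        print(proto, assess(proto, reply))
```

A "tls-optional" result means the mail program must be set to require the secure connection, because the server will still accept a password sent in the clear.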
