"If your company provides you with VPN access on your laptop, use it. That's a sure fire way to ensure that everything you send and receive is encrypted, and it makes your surfing much safer."
This should have been the first, and most important line of the entire article. Wireless encryption, IM client, and internet browser simply don't matter as someone who is out to grab your information is going to be doing so by viewing the packets sent between your computer and router.
It should have been the only line in the entire article. The only way that proper precautions such as this will be taken up by people who really don't care is if they are simple and succinct.
Agreed. Anytime I'm using one of my laptops - be it a personal or business one - outside of home or work, the first thing I do is start my VPN connection.
Amusing to see a blog on security focus implying that a WEP key when given to everyone was somehow better than nothing, even if it was from 5 years ago.
I like to think of myself as a newbie traveling entrepreneur. I have a travel trailer that I used to travel the Southwest this fall. I did a lot of non-campground camping in the big cities and took advantage of all the coffee shops I could find to take care of business. It was a blast and a great way to do business while traveling.
I am investing in a small motorhome to travel to tech conferences throughout the year. I plan on spending lots of time in coffee shops if not staying at campgrounds. I like the idea of having a "traveling home" that I can just jump into in the parking lot of a major event, etc.
I also go to the local shop in beautiful Park City, Utah, just to get out of the house and have a change of atmosphere while working.
Encryption requires a secret to work; anything else is just obfuscation, and wide open to anyone who knows the algorithm being used. You don't have to exchange long-lived shared keys, but alternatives (RSA, OTP, etc.) tend to require a preexisting trust relationship and/or secure channel.
Furthermore, the only way in which WEP or WPA improve real security is by keeping folks who don't know the key off the local network. Since most shops freely give away their network keys to anyone with enough cash for a cup of coffee, and seldom if ever rotate keys, it's an awfully weak level of protection.
If you assume that other network users are potentially hostile, and/or that the coffee shop owner (or its ISP, or someone who "hacked" their Linksys router via an unchanged admin password) can't be trusted, your only real option is routing your traffic over VPN to a trusted host elsewhere on the 'net.
My understanding of WPA2 is that each client negotiates its own key — so it's slightly better than having your traffic trivially transparent to all others on the same wifi. (I'm not sure if passive eavesdropping on the initial negotiation is enough to determine someone else's key, or if active MITM interference would be necessary — does anyone know for sure?)
I don't really know enough about this stuff, but couldn't you just generate some kind of temporary encryption credentials upon the initial wifi connection handshake and use that for the duration of the session?
I've always assumed that the reason it's not done is that the CPU resources needed to handle decryption of a reasonable strength were too much for a bunch of simultaneous connections on affordable hardware.
@cma: you mean I couldn't verify the identity of the router upfront and might handshake with someone pretending to be it? I figured you could tell by the SSID who you're connected to, if it's the right one, assuming the official one isn't offline.
See, I knew that I didn't know enough about this to lead a decent conversation ;)
must? I would be surprised if there were. For any protocol, a machine already on the network could 100% mimic the secure gateway. That would make it impossible for you to know which machine to trust, just like with BOOTP and DHCP.
A standard public-key encryption strategy would work if the key was generated on each client (instead of being handed over the air from the router in plaintext as you assume). This is exactly how HTTPS works — otherwise HTTPS would be completely susceptible to a man-in-the-middle attack.
HTTPS is susceptible to a man-in-the-middle attack if clients don't validate certificates. To ensure you weren't connecting to a rogue access point in some hacker's backpack, every access point would need a certificate that you could verify via a trusted third party, just like certificate authorities such as Verisign verify Google's SSL cert so you know you're talking to Gmail instead of an imposter. It would be a nightmare to administer such a service using the current means of identifying access points (SSIDs). Who would be allowed to register a certificate for joescoffeeshop?
Since nothing like https exists yet for public wireless networks, it could be made so that when the client connects and the access point sends the client its public key, the public key shows up (or preferably doesn't show up but can be made visible) on the client's computer which can be then verified against a sign in the store if the client really cares. You don't need an outside authority when you basically trust the coffee shop.
I think that would work (if the sign in the store is physically safe), but I also (pedantically) think that would not satisfy the "without a shared key" part of the original question.
Thinking about this: publishing your public key in a bar code printed on a wall might be a better solution, if the world got used to that. It would enable your computer to compare the public keys sent over the two channels (visible light and WiFi).
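The two-channel check proposed in the last few comments (a key received over WiFi compared against a fingerprint printed on a sign or bar code in the shop), as an added example that is not part of this thread. The access point keys are constructed 32-byte placeholders; the SHA-256 hex-group fingerprint format and the 128-bit minimum fingerprint length are assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for the access point's public key bytes (a real
# deployment would fingerprint the DER-encoded key the AP sends over the air).
GENUINE_AP_KEY = bytes(range(32))        # the key the shop actually printed
ROGUE_AP_KEY = bytes(range(32, 64))      # a substituted key from another AP


def fingerprint(public_key: bytes, groups: int = 8) -> str:
    """SHA-256 of the key, shown as `groups` groups of four hex characters,
    e.g. '9a3f 1c2e 44b0 ...' - short enough for a sign or a bar code.
    (Format is an assumption for this example, not a standard.)"""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, groups * 4, 4))


def normalize(fp: str) -> str:
    """Accept the fingerprint however the second channel delivers it: any
    case, with spaces, colons or dashes between groups."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def verify_out_of_band(key_from_wifi: bytes, fingerprint_from_sign: str) -> bool:
    """Compare the key received over WiFi with the fingerprint read from the
    sign. The sign may carry a truncated digest, so compare the matching
    prefix; refuse anything under 32 hex chars (128 bits, an assumed floor)
    so a short, easily forged fingerprint cannot pass. Constant-time compare
    avoids leaking how many leading characters matched."""
    expected = normalize(fingerprint_from_sign)
    if len(expected) < 32:
        return False
    actual = hashlib.sha256(key_from_wifi).hexdigest()[: len(expected)]
    # If expected is longer than a full digest, lengths differ -> False.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    sign = fingerprint(GENUINE_AP_KEY)   # what the shop prints on the wall
    print("sign says   :", sign)
    print("genuine AP  :", verify_out_of_band(GENUINE_AP_KEY, sign))  # True
    print("rogue AP    :", verify_out_of_band(ROGUE_AP_KEY, sign))    # False
    print("scanner case:", verify_out_of_band(GENUINE_AP_KEY, sign.upper().replace(" ", ":")))
```

This only authenticates the access point's key against the shop's sign; it says nothing about the trustworthiness of the shop or its upstream, which is why the VPN advice earlier in the thread still stands.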
Gmail didn't use https by default for the longest time. I remember getting an email from our department while at school about this too. It's the default now and can be toggled from Settings -> Browser Connection.