Password security on public wireless?
#1
Original Poster
Join Date: Oct 2008
Posts: 76
Password security on public wireless?
How do you all handle the whole password security on public hotel wireless networks? Do you log into your email account? Online banking? Paying bills?
Or am I just paranoid to think that I might have my info taken and accounts hacked?
#4
Join Date: Oct 2010
Posts: 20
My IMAP and POP servers support SSL.* My bank, of course, uses SSL and its certificate was issued and signed by a major certificate authority. That's the industry standard for security. It doesn't matter whether you're using wires or wireless. If you're on an https:// URL, and your web browser displays the lock icon or changes the location bar to indicate a secure site, all traffic between your computer and the remote computer is encrypted. This protocol is the bedrock of internet commerce, so it's pretty reliable.
If you are using http:// instead of https://, you are not secure. Even if your hotel gave you a password to use their "protected" wireless, a determined attacker can probably read your traffic. If you are using https:// but your web browser complains about the site's certificate, you may not be secure. Most sites' certificates are issued and signed by trusted certificate authorities; a "broken" certificate indicates the certificate in use was not issued to that site by a CA, or the certificate has expired. This error can occur with legitimate web sites, e.g. many sites run by the US government, which does not believe in paying CAs to sign their certificates. But a bank or legitimate business should present no errors when you connect to them with https.
Configuring secure email takes a little work. If you are using webmail, you're fine; your web browser and the server will work everything out as described above. If you're using a dedicated email client, you'll have to enable SSL in your account settings. There may be an option for "TLS if available," but that will fall back to an insecure connection if TLS is not available, and you probably don't want that.
* Broadly construed to include TLS.
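Post #4's advice, enforce TLS with a verified certificate rather than "TLS if available", as an added example in Python (not the poster's own code). The IMAP host and ports are assumptions; the last function maps the verification failures the post lists (untrusted CA, expired, issued to another site) to plain language.

```python
import imaplib
import ssl


def strict_tls_context() -> ssl.SSLContext:
    """A client context that refuses broken certificates: system trust store,
    hostname check, CERT_REQUIRED, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_imap_strict(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """Implicit TLS on port 993 (assumed host): encrypted from the first byte.
    A certificate that does not verify raises ssl.SSLCertVerificationError
    before the password is ever sent."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=strict_tls_context())


def connect_imap_starttls(host: str, port: int = 143) -> imaplib.IMAP4:
    """STARTTLS on port 143, mandatory rather than 'if available': plaintext
    is used only to negotiate the upgrade, and any failure to upgrade is
    fatal instead of a silent fallback to a cleartext login."""
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" not in conn.capabilities:
        conn.logout()
        raise RuntimeError(f"{host}:{port} offers no STARTTLS; refusing plaintext")
    conn.starttls(strict_tls_context())  # raises on a certificate problem
    return conn


def explain_verify_error(exc: Exception) -> str:
    """Map OpenSSL's verify message (ssl.SSLCertVerificationError, or any
    exception carrying that text) to the reasons a browser warning names."""
    msg = (getattr(exc, "verify_message", None) or str(exc)).lower()
    if "expired" in msg:
        return "certificate has expired"
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "certificate was not issued for this host"
    if ("self" in msg and "signed" in msg) or "local issuer" in msg:
        return "certificate not signed by a trusted CA"
    return f"certificate verification failed: {msg}"
```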
#5
Join Date: Nov 2008
Programs: AA EXP, 2mm; Hilton Diamond
Posts: 325
That is incorrect. It is possible for the login form to be SSL encrypted while the page you are on is not.
Every major provider of email, online banking, online commerce, and so on is secured with SSL, even if the URL does not begin with https.
You do not need to open a VPN connection, though if you do, everything you transmit will be secure, rather than just your login credentials.
#6
Join Date: Oct 2010
Posts: 516
I wonder how many people regularly check the certs? Or even know how to identify a bad cert?
Also, depending on whether the attack is general (any random person on the hotel wifi) or targeted (you particularly), the attack sophistication may be vastly different. If you are targeted specifically, the attacker can use many different ways to make the SSL/TLS connection appear to come from the trusted entity when it does not.
The vast majority of people will not be specifically attacked. Then again, the vast majority of people don't check certs, or know how to identify a bad cert.
The world is more dangerous than many know.
#7
Join Date: Jan 2010
Location: DTW
Programs: DL DM/1MM, Marriott Lifetime Platinum
Posts: 199
Easily obtainable and astoundingly easy to operate programs such as Firesheep (a Firefox Add-on) have further exposed just how vulnerable we are on public wireless. Although login data may be sent over SSL, many websites do not send the session information over an encrypted channel. This means that someone can pick it out of the air and impersonate you in real-time.
I would much rather have my employer watch me browse FT, Facebook, or BofA than a stranger trying to hijack my session. I use hotel wireless + corporate VPN when I don't have 4G... otherwise, I'm using my WPA protected hotspot on my HTC EVO from Sprint.
Double check that your corporate VPN redirects all your traffic, not just your internal company information.
#1. Open hotel wireless but do not sign into VPN.
#2. Go to www.whatismyip.com -- make a note of the large text at the top of the page that says "Your IP Address Is: 72.63.x.x"
#3. Open your corporate VPN and sign in.
#4. Close your web browser, then open a new one to www.whatismyip.com. If the IP address has changed, you're now browsing the internet through your employer and are no longer on the hotel wireless. If the IP address has not changed, then your web browsing is still occurring over the unsecured public wifi.
#8
Join Date: Mar 2009
Posts: 1,972
I am familiar with all the technical issues above, but can't be worried about the risk here for practical reasons. If somebody's trying to obtain people's personal information, there are so many "safer" ways for them to do it than physically hanging out at a hotel and eavesdropping on a wireless network. For one thing, WiFi signals are significantly weakened by walls and hotels have lots of them, so it's not clear how many rooms away somebody could even pick up your signal.
#9
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
----
Many computer users get away with using open public access points. Change the password on any accounts you plan to use prior to the trip, then change them again after once back on a 'home' (or otherwise believed to be secure) network.
As previously mentioned, using a VPN does help a lot. It's not bulletproof, it just protects the basic connection, but that does remove certain threats, and if your corporate network has a firewall or other security device, your computer may get additional protection from it. There are 3rd party VPN providers out there, but you'll have to find one with a good reputation.
Also previously mentioned, if the web session is https, it can be very secure, but make sure prior to travel, that the critical sites you use don't use https to log you in, then switch back to http. Those sites may leave you vulnerable to other issues with regard to that site.
One-time passwords can also be very useful for security. eBay/PayPal will sell you a fob for a few bucks. It generates a different password for login each time you press a button, so grabbing a password makes it less useful. There's at least one email provider out there that will give you a pre-created list of one-time passwords, or sell you a fob. If your bank or credit card company doesn't use one-time passwords yet, you should ask for it. Most don't, a few are reported to do so.
Even with a secure wireless setup, a VPN connection, and solid https, issues may still exist. It doesn't matter if you have a totally bolted up session, if you've gone to a web site with malicious code and your system gets compromised. Use a good 'traditional' anti-virus program (McAfee, Norton) with a newer one (MalwareBytes AntiMalware) as a belt and suspenders approach will tend to keep out most junk. I've run into issues with the classical AV programs deleting critical Windows components, so not getting infected to start is a big start. The MalwareBytes program is free in one form, and if you can't spring for McAfee or Norton, there are free ones out there like ClamAV. Let these programs do full scans while you're having downtime.
One alternative to public WiFi may be data over your cell phone. Check with your cell provider to see if you can turn it into a modem, how much they charge, and if you can use it while traveling, then turn it off. Sometimes these plans are priced competitively with hotels that charge and you'd have access in areas without WiFi hotspots. Speed is not as fast, but it's convenient.
The expression in the business is 'defense in depth' meaning, don't depend on one single security method, instead use several, so if one slips up, another catches the problem.
#10
Join Date: Jun 2006
Location: Denver, CO
Posts: 326
Don't forget even with SSL one can install a keylogger on a non-secure public PC, which records the website you type in, then your name and password.
If I have to use a public PC I'll head to Kinkos, or a hotel's business center where there's a log-in/log-off process based on an account that's created, and has restrictions against what I can and can't access and install.
I can cite two Ramada Inns (Detroit and Costa Mesa) where their "business center" consists of a PC with ZERO user restrictions and IE filled to the brim with toolbars and add-on crapware. (I wrote to their HQ but never heard back.)
I'd run from these, but yet people plop down and log into their airline accounts, banks, email and what not.
I'm far from an IT expert, but how hard is it to create a second "guest" log in with no file installation access? It's better for a hotel to have NO computer than one that's ripe for harvesting all of your Grandmother's personal info.
#11
Join Date: Feb 2010
Location: US
Programs: (PM)AA SPG (Marriott), Hilton
Posts: 1,040
The person who suffers the cost of the breach is not the person running the security system. So, the hotel has little incentive to protect the user, especially if the de facto standard is the same for all 'public' PC systems at all hotels and other locations.
I'd use one of those public systems to get directions & print them, or check out the local movie or restaurant listings. If pressed, a throw-away email account would be about it.
I wouldn't treat the room wired connection as any more secure than wireless from a prevention point of view either. Google "the upside down ternet site:ex-parrot.com" for an example of someone who decided to have fun with their neighbors using their wireless w/o permission. You can just page down to the pictures and ignore the computer code at the top to get the point.
#12
In Memoriam, FlyerTalk Evangelist
Join Date: Nov 2002
Location: Southern California
Programs: DL: 3.8 MM, Marriott: Lifetime Titanium
Posts: 24,575
This thread is probably a better fit for our Travel Technology forum so we'll move it over there. Please follow at its new home.
Thanks.
________________________
Cholula
TS/S Co-Moderator
#15
Join Date: Jul 2010
Posts: 4,096
To be paranoid is to be secure.
As stated above, I am sure to send all traffic over a VPN connection. I am able to avoid public WiFi altogether by using a BlackBerry/Android app called Tether. The application works as would the typical tethering plan from your carrier except for it is a one-time fee (not an additional rate added to your plan) and it works around the world on any cellular network where 3G is available.
But then, can you trust your cell carrier?