
The insecure pleasures of wi-fi

Roel
Kaspersky Lab Expert
Posted July 21, 14:13  GMT
Tags: Wi-Fi

Today I was travelling in the Netherlands by train. One of the great things is that major stations have their own wi-fi access. When we stopped at a station, as usual I wanted to check my emails while waiting for the train to move on.

Once I established a connection with the access point and opened my web browser to log on, I immediately noticed something suspicious. Instead of getting an HTTPS site, I was being directed to an HTTP site.

In my mind there were two options. Either the log-on procedure had changed, or I was dealing with a rogue access point. It turned out to be the first.

What's the problem with that? Well, anything you send over an unencrypted wi-fi connection is sniffable. This is why the log-on page in particular should use HTTPS.

You can bypass traffic sniffing by using an encrypted tunnel to the service of your choice, for instance by emailing via SSL/TLS or by using a VPN connection to do all your work. However, you cannot set up such a tunnel until you have actually logged on and have full internet access, so the log-on credentials themselves are transmitted in plain text.

This issue is particularly critical because a number of ISPs offer (limited) free internet access via these station hotspots. This means that if you log on using one of these hotspots, your log-on details will be available to anyone with a network sniffer who is in the neighbourhood.

These hotspots may be convenient, but they’re currently insecure. As long as there’s no HTTPS available for logging on, I won’t be using this service, and I would advise users in the Netherlands to follow my lead.

