It all depends.
There are two issues that must be considered here.
- the actual encryption provided by the transport medium
- the encryption provided by the session ("connection") with the transacting agent.
WiFi networks can be very secure if configured properly. I'll go into details below. However, public "hotspots" (like those provided by Borders etc) are, by definition, not secured. They are considered OPEN with no encryption, as the hotspot provider wants to enable as many people as possible to use it. Remember, it's only providing internet access, exactly like an internet cafe. The only difference is that it is using RF (radio frequency) instead of wires to "connect" your PC to the internet.
Many people use VPN software to "tunnel" back into their company's networks (or even homes). VPN software uses a protocol called IPSec to encrypt your traffic and set up a virtual tunnel between your client and the server or router to which you connect. VPNs are very secure, but are usually only used by companies who want to allow their mobile staff to gain access to their home networks whilst on the road.
So, if you are transmitting confidential information, you should never do it "over the open", as would be the case in a WiFi public hotspot. It would be very easy for someone to capture the packets your laptop is sending and decode them. I can hear the alarm bells sounding... :-)
How is this different from any other wired internet cafe? Well, it's not really. But the nature of WiFi means that anyone with a wireless card can "listen" to your traffic, while in a wired environment you would have to actually physically connect a device to the cables to capture the traffic.
So, in essence, public hotspots are not secure. But they're not MEANT to be. Remember, we've only discussed the transport medium here, and not the higher level connection. And this is where it gets interesting.
If you are talking about an online transaction, one assumes it is something like online banking or Amazon or eBay etc. In these circumstances security is provided by higher level protocols like SSL (Secure Sockets Layer). What this means is that your web browser itself (and not the wired or wireless network) has negotiated a secure session with the server.
You will know if an SSL session has been set up because of two things. First, HTTP will be replaced by HTTPS in your web-browser address field. Second, a little "padlock" symbol will appear somewhere in your browser status bar. Note that in some online transactions, the URL address bar is hidden so you may not see the HTTPS. But you most certainly should see the little padlock symbol. It is this symbol that your browser uses to tell you a secure session has been created.
SSL is very secure and you can rest assured that such a session is proof against prying eyes.
So, let's summarize this a bit. Network security can be considered in a layered manner. WiFi is a network and physical layer protocol (just like Ethernet is). It is not secure on its own, but with the latest protocols it can be made so. However, public hotspots do not enable these encryption protocols, as they want as many people to use their service as possible. And who needs encryption for plain old internet traffic?
That's where HIGHER level encryption protocols come into place. This is what SSL does. It's a browser enabled and controlled encryption method that sets up secure session-based channels between your computer and the transacting server at the other end. Once the session is complete, the secure channel is "torn down".
Finally to answer your actual question, would it be safe to do online transactions from WiFi hotspots?
The answer is Yes, if you're talking to a reputable transacting agent (like a bank or Amazon etc).
BUT... doing it at home, or via a wired network is always going to give you that little bit extra reassurance, isn't it? :-) Personally, I'd only do it if I had to (and I have done so on many occasions, when on the road).
HOW TO SECURE A WIFI NETWORK
If anyone wants more detailed instructions, just let me know. But in summary, follow these simple steps:
1) Change the default SSID that your Access Point comes configured with.
2) Disable SSID broadcast
3) Enable WPA (WiFi Protected Access) with a key-phrase of at least 20 characters
4) Enable MAC Address filtering
5) Decrease transmission power to a level that covers your room/house only (no point in covering half the neighbourhood, is there?)
6) If your AP is a DHCP server, reduce the number of IP addresses it serves to the number of computers you use.
7) Change the default ADMIN password
Mr Mephisto
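
The seven-step checklist in the post above, turned into an audit over an access point's settings. This is an added example and not part of the original post; the settings keys, the list of factory SSIDs, the "below 100% power" test for step 5 and both sample configurations are assumptions constructed for illustration.

```python
import ipaddress

# Illustrative factory SSIDs (assumption); extend with your vendor's defaults.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}

def dhcp_pool_size(start, end):
    """Number of addresses the DHCP server can lease (inclusive range)."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def audit_ap(cfg, device_count):
    """Return (step, reason) for every checklist step that cfg fails."""
    failed = []
    if cfg["ssid"].strip().lower() in DEFAULT_SSIDS:
        failed.append((1, "SSID is still a factory default"))
    if cfg["ssid_broadcast"]:
        failed.append((2, "SSID broadcast is enabled"))
    if not cfg["encryption"].upper().startswith("WPA") or len(cfg["passphrase"]) < 20:
        failed.append((3, "WPA is off or the key-phrase is under 20 characters"))
    if not cfg["mac_filter_enabled"] or not cfg["allowed_macs"]:
        failed.append((4, "MAC filtering is off or its allow list is empty"))
    if cfg["tx_power_percent"] >= 100:  # proxy for "covers more than the house"
        failed.append((5, "transmission power is still at maximum"))
    if cfg["dhcp_enabled"] and dhcp_pool_size(cfg["dhcp_start"], cfg["dhcp_end"]) > device_count:
        failed.append((6, "DHCP pool is larger than the number of computers"))
    if cfg["admin_password_is_default"]:
        failed.append((7, "admin password is still the default"))
    return failed

# Constructed sample: an access point straight out of the box.
FACTORY = {
    "ssid": "linksys", "ssid_broadcast": True,
    "encryption": "none", "passphrase": "",
    "mac_filter_enabled": False, "allowed_macs": [],
    "tx_power_percent": 100, "dhcp_enabled": True,
    "dhcp_start": "192.168.1.100", "dhcp_end": "192.168.1.149",
    "admin_password_is_default": True,
}
# Constructed sample: the same access point after all seven steps, three computers.
HARDENED = dict(
    FACTORY, ssid="attic-lan", ssid_broadcast=False, encryption="WPA",
    passphrase="correct horse battery staple", mac_filter_enabled=True,
    allowed_macs=["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"],
    tx_power_percent=50, dhcp_end="192.168.1.102", admin_password_is_default=False,
)

if __name__ == "__main__":
    for step, reason in audit_ap(FACTORY, device_count=3):
        print(f"step {step}: {reason}")
    print("hardened failures:", audit_ap(HARDENED, device_count=3))
```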