Does WPA make you safe if using a hot spot?
Hi. If you use a business' access point with WPA2 encryption, is it possible that their router can record user names and passwords for sites you use or is that encrypted too? Say if it's a criminal, what can they record?
If confidentiality is critical then use a VPN tunnel when connected to an untrusted access point. WPA is a countermeasure against over the air eavesdropping only. If you do not trust the network infrastructure upstream, that is what VPN tunnelling exists for.
When you interact with web sites, portions of the communication are transmitted in cleartext. Depending on whether it's SSL (https) or not, the layers that are encrypted may be deeper or shallower. Password authentication is supposed to be hashed between the browser and the server even when you're on port 80 (http).
A business (like an employer) cannot monitor and record your network activity without your consent. Or to put it another way, if they do, nothing they record will be admissible in court unless they informed you and you consented. That's why you see login banners that say "your activity may be monitored" that you have to click OK to in corporate domain contexts. A criminal does not care what the law says.
Scott Brown Consulting
reply to wifiq
Thanks for the response and explanation.
I will have to look for a VPN then, because I frequently log in to email and sometimes even my bank account when using internet outside of my home.
Most wireless access points are not swimming with malicious agents. It's a judgement call that is up to you to make in context and to manage in the way that you're comfortable with. Like in the physical world, some environments can be expected to be more hazardous than others. Well-layered security practices and countermeasures might give you license to accept a certain cross-section of risk and check your bank account from a hotel's wireless AP even in spite of not completely trusting it. The more salient risk on public wireless APs is probably network intrusion (very easy attacks to mount with a high expectation of success) as opposed to targeted eavesdropping / man in the middle (harder attacks to mount with a low expectation of success).
Scott Brown Consulting
reply to wifiq
At public hot-spots you need to take precautions based on your personal risk threshold.
* Make sure you configure the network type to Public when connecting at a public hot-spot.
* When conducting e-commerce make sure the site, i.e. bank or on-line retailer or whatever, is using SSL. Look for the little Lock icon at the top of IE or whatever web browser you're using. This encrypts your e-commerce between you and the e-commerce provider servers.
* If you're using email check with your email provider to see if they offer SSL protected email. Many, including my provider Cox HSI and Gmail, do. If not, consider using a free service like Mail2Web while traveling to secure your email while on a public hot-spot. Keep in mind this encrypts your email between you and the Mail2Web servers, not further.
If you're truly paranoid, look at using encrypted email between you and your recipients. You and your friends/family can get free email certificates from Comodo that are used to both sign and encrypt email. To send an encrypted email you need the recipient's certificate and vice versa.
Another option is Gpg4win (an open source PGP, i.e. OpenPGP, project). I sometimes use Gpg4win and the included Claws email client to exchange encrypted email.
* Some folks like to use a free service like Hotspot Shield to protect them while on public hot-spots. Keep in mind this encrypts your internet session between you and the Hotspot Shield servers, not further.
* Lastly just practice safe surfing using good old common sense...
This has links to various discussions of public hotspot security that have been posted in the past on this forum. They may also be of interest. The use of various VPN and SSH solutions is discussed.
»Re: public unsecured wireless internet--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer
I installed an Access Point using WPA-2 and connected a laptop. I made the network type Public. This is used in my home. Is it safe to make a purchase using a credit card on a https site?
Your home access point is a trusted access point, because you (assumedly) properly configured it yourself, not an untrusted one as the discussion here pertained to, where you do not know who operates it or what they might be listening for.
reply to wifiq
Lots of good stuff above. I'd add that you can use free remote access services like Logmein.com or another service to establish an encrypted session and remote control your home PC to access your email, banking etc.
Just be sure to check that the SSL certificate presented is for the Logmein (or other provider) service. If you see a flag or cert warning alert for an unsigned cert, it could be from an ARP cache poisoning MITM attack originating from a system on the network you're using.
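The certificate check discussed in this thread, as an added example that is not part of any poster's reply: it tests whether the names in a presented certificate cover the host you meant to reach, and shows a handshake that refuses untrusted or mismatched certificates. The function names and the `example.com` sample certificates are constructed for illustration.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a certificate dict in ssl.getpeercert() format."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a '*' that stands for exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:]
    return False


def cert_is_for(cert, host):
    """True if any DNS name in the certificate covers the intended host."""
    return any(name_matches(n, host) for n in san_dns_names(cert))


def check_site(host, port=443, timeout=5):
    """Handshake against the system trust store; returns (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return cert_is_for(cert, host), san_dns_names(cert)
    except ssl.SSLCertVerificationError as err:
        # Untrusted issuer, self-signed or wrong name: do not log in.
        return False, err.verify_message
    except OSError as err:
        return False, str(err)


# Constructed sample certificates (not captured from any real service).
GOOD = {"subjectAltName": (("DNS", "secure.example.com"), ("DNS", "*.example.com"))}
OTHER = {"subjectAltName": (("DNS", "portal.hotspot.example"),)}

if __name__ == "__main__":
    print(cert_is_for(GOOD, "secure.example.com"))
    print(cert_is_for(OTHER, "secure.example.com"))
```

`check_site` needs network access; the name-matching functions work on any dict in `getpeercert()` format.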