Today I was travelling in the Netherlands by train. One of the great things is that major stations have their own wi-fi access. When we stopped at a station, as usual I wanted to check my emails while waiting for the train to move on. Once I established a connection with the access point and opened my web browser to log on, I immediately noticed something suspicious. Instead of getting an HTTPS site, I was being directed to an HTTP site.
In my mind there were two options. Either the log on procedure had changed, or I was dealing with a rogue access point. It turned out to be the first.
What’s the problem with that? Well, anything you send over an unencrypted wi-fi connection is sniffable. This is why the log on page in particular should use HTTPS.
You can bypass traffic sniffing by using an encrypted tunnel to the service of your choice, for instance by emailing via SSL/TLS or by using a VPN connection to do all your work. However, you cannot set up such a tunnel until you have actually logged on and have full internet access, so the log on credentials themselves are transmitted in plain text.
This issue is particularly critical because a number of ISPs offer (limited) free internet access via these station hotspots. This means that if you log on using one of these hotspots, your log on details will be available to anyone with a network sniffer who is in the neighbourhood.
Viruslist.com - Analyst’s Diary