Mailing List os2-wireless_users@2rosenthals.com Archived Message #563

From: "Lewis G Rosenthal" <os2-wireless_users@2rosenthals.com>
Subject: Re: [OS2Wireless]Re: David Pogue wakes up about WIFI encryption
Date: Tue, 09 Jan 2007 18:13:47 -0500
To: OS/2 Wireless Users Mailing List <os2-wireless_users@2rosenthals.com>

I am really enjoying this thread. It's good to see how Stan's link has set forth the juices of conversation (though somehow, drooling while talking to people is not something I want to contemplate for quite some time, yet)...

I think we need to consider two basic scenarios before we come down on either side of the fence vis-à-vis encryption:

  1. Private networks with Wi-Fi access;
  2. Public Wi-Fi hotspots and hotzones

Email issues aside (see later), here is what I see:

In the first case, the client isn't the only data to be of concern. It's whatever else is on the network. When you're home, for example, perhaps you don't have to worry about your own OS/2 box (such is my case), or your wife's (ditto), but you may have some concerns about your kid's (or kids') Windows machines, that portable, network attached storage device with copies of scans of your credit card invoices, etc.

In the second case, you should assume no more or less privacy than using a public telephone. If you want to whisper sweet nothings to your wife over the phone, then standing in the middle of Penn Station at the phone kiosk probably isn't a good idea. :-\  OTOH, if you could employ Maxwell Smart's "Cone of Silence" (I'm dating myself, huh?), then it mightn't be a real problem (though then everyone on the outside of the cone could hear you, and she couldn't...)

Important email should be encrypted from end to end using certificates whenever the content is of a sensitive nature or whenever you are not physically located on the same network as the server and the recipient, for just the reasons cited previously in this thread: data may be intercepted anywhere along the line, so it's not just a matter of checking your email with an unencrypted password (though this does indeed fall into category 1, above, no matter where you're located).

Also to note is that besides using SSL or TLS (the same, essentially; the latter simply travels over the same port as unencrypted traffic, forgoing the need to open additional ports in a firewall, and allowing the server and client to automatically switch when both support it) for the email content itself, one should ensure the use of encrypted passwords (it is possible to authenticate in clear text, and then switch to TLS for the mail transfer - Doh!).

My own server supports TLS and encrypted passwords, though I have had some issues with SMTP using SeaMonkey with TLS enabled (though encrypted auth seems to work for POP3, IMAP, and SMTP without issues).

Anyway, that's my read. Oh, and the fact that whatever security measure(s) you decide to use (*if* you decide to use any) should be worth the effort you need to put into it/them for the modicum of security you gain (the effort to configure 64-bit WEP is hardly worth the reward, while turning beaconing off (SSID broadcasting) and/or MAC address filtering probably block more attacks). WPA2 using 256-bit AES encryption with a strong passphrase ("love" is *not* a strong passphrase, whereas "aq987eh245pi87t2%^#$;;..,><7fcwerfnwedf" is) is fairly easy to configure, requires no maintenance once in place (WEP keys should be changed manually on a regular basis), and provides fairly good insurance these days. At a hotspot, however, this is all moot, as most public hotspots have no security enabled whatsoever (that would be like having to use a PIN to use a public phone...but since everyone who needs to use it gets the PIN anyway, what's the big deal?).

--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
 New York / Northern Virginia           www.2rosenthals.com
eComStation Consultants                  www.ecomstation.com
Novell Users Int'l       www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?               www.hautspot.com
------------------------------------------------------------
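
The clear-text-authentication-before-TLS ordering mentioned in the message above, as an added example that is not part of the original message: a small Python audit that walks a client-side SMTP debug log and reports any AUTH command sent before STARTTLS completed. The `C: `/`S: ` log format, host names and credentials are constructed for illustration.

```python
# Mechanisms that put the password (or a trivially decoded form) on the wire.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def audit_smtp_log(log: str) -> list[str]:
    """Return one finding per AUTH command issued before TLS was negotiated.

    Expects lines prefixed 'C: ' (client) or 'S: ' (server); this prefix
    convention is an assumption made for the example.
    """
    findings = []
    tls_active = False        # True once the server accepted STARTTLS
    starttls_pending = False  # client sent STARTTLS, waiting for the reply
    for n, raw in enumerate(log.strip().splitlines(), 1):
        side, _, text = raw.strip().partition(": ")
        words = text.split()
        if side == "C" and words:
            verb = words[0].upper()
            if verb == "STARTTLS":
                starttls_pending = True
            elif verb == "AUTH" and not tls_active:
                mech = words[1].upper() if len(words) > 1 else "?"
                if mech in CLEARTEXT_MECHS:
                    findings.append(f"line {n}: AUTH {mech} before TLS, password readable on the wire")
                else:
                    findings.append(f"line {n}: AUTH {mech} before TLS, session itself unprotected")
        elif side == "S" and starttls_pending:
            # A 220 reply means the server is ready for the TLS handshake.
            tls_active = text.startswith("220")
            starttls_pending = False
    return findings

# Constructed sample: credentials sent first, TLS only for the mail transfer.
BAD_SESSION = """
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN CRAM-MD5
C: AUTH PLAIN AHVzZXIAcGFzcw==
S: 235 Authentication successful
C: STARTTLS
S: 220 Ready to start TLS
C: MAIL FROM:<user@example.test>
"""

# Constructed sample: TLS negotiated before any credentials are sent.
GOOD_SESSION = """
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AHVzZXIAcGFzcw==
S: 235 Authentication successful
"""

if __name__ == "__main__":
    for name, log in (("bad", BAD_SESSION), ("good", GOOD_SESSION)):
        print(name, audit_smtp_log(log) or "no findings")
```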

