If you want to avoid being compromised when using typical Wi-Fi hotspots that have no security, you can use the following table as a reference of protocols you should and shouldn't use. The insecure protocols should be banned and never used again; the protocols on the right are the secure alternatives. Anyone who doubts this is a problem should look at the DEFCON Wall of Sheep.
Note that in order to use these secure protocols properly, only Digital Certificates that are signed by publicly trusted Certificate Authorities like VeriSign, Entrust, GeoTrust, or GoDaddy should be used on the server side. Here's a tutorial on how to acquire, purchase, and install a Certificate on your Server for less than $20 a year. The use of expired or self-signed Certificates is forbidden because it forces and conditions the user into ignoring Certificate warnings, which is extremely dangerous. Clients don't usually require Digital Certificates; they just need to be configured to point to the secure services.
| Insecure protocols (BAN usage) | Secure protocols |
|---|---|
| HTTP | HTTPS with SSL |
| POP (TCP: 110) | POP with SSL (TCP: 995) |
| IMAP (TCP: 143) | IMAP with SSL (TCP: 993) |
| SMTP (TCP: 25) | SMTP with SSL (TCP: 465) |
| FTP | FTPS or SFTP **** |
| PPTP VPN | PPTP over SSTP VPN |
| ICQ | IM client configured for SSL |
| | Skype (Proprietary PKI) |
| | SSL-VPN, L2TP*, IPSEC** |
| | SSH VPN tunneling *** |
Unfortunately, this is all probably too complex for the vast majority of users, and the infrastructure needs to take a lot more responsibility by blocking the usage of insecure protocols. Services like HTTP can automatically be redirected to HTTPS, but very few online services will do this. Google supports HTTPS mode if the user manually types in https://mail.google.com, which almost no one does, so that really doesn't help the vast majority of users who don't know any better.
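The automatic redirect to HTTPS mentioned above, as an added example that is not from the original article: a Python WSGI middleware that sends plain-HTTP requests to HTTPS and, going one step beyond the text, adds the Secure attribute to cookies so a stray http:// request on an open hotspot does not carry the session cookie. The class name, the `canonical_host` parameter, the demo app and the host names are assumptions made for illustration.

```python
from urllib.parse import quote


class ForceHTTPS:
    """WSGI middleware: serve HTTPS only and keep cookies off plain HTTP."""

    def __init__(self, app, canonical_host):
        self.app = app
        self.canonical_host = canonical_host  # from config, never the Host header

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, self.secure_cookies(start_response))
        if environ.get("REQUEST_METHOD") not in ("GET", "HEAD"):
            # The body already crossed the network in cleartext; refuse it.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        location = "https://" + self.canonical_host
        location += quote(path or "/", encoding="latin-1")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

    @staticmethod
    def secure_cookies(start_response):
        """Wrap start_response so every Set-Cookie carries Secure."""
        def wrapped(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                attrs = [a.strip().lower() for a in value.split(";")[1:]]
                if name.lower() == "set-cookie" and "secure" not in attrs:
                    value += "; Secure"
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)
        return wrapped

def demo_app(environ, start_response):
    # Constructed app: issues a session cookie without the Secure attribute.
    start_response("200 OK", [("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"inbox\n"]

def run_request(app, scheme, method="GET", path="/", query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "untrusted.example"}  # constructed, ignored on purpose
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```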
Almost none of the so-called "Web 2.0" providers care about your online privacy. For example, the following services have zero support for HTTPS and they're all vulnerable to side-jacking.
- Google's YouTube service
- Google Video
- Google Maps (you want people knowing where you live?)
- Google's Blogspot
- Microsoft Hotmail
- Yahoo mail
What is going on here? I challenge these online services to start protecting people's privacy and start using HTTPS for everything! [Update 8/8/2007 - Robert Graham of ErrataSec noted that SalesForce.com defaults to SSL mode and even lets companies block non-SSL connections to their own data. I would add that this is to be expected of any corporate Application Service Provider which charges a substantial monthly fee per user. What I'd like to see is every online service, regardless of whether it's a subscription service or an ad-driven service, protecting people's privacy.]
Note: Anyone who tells you SSL and encryption are too expensive is living in the 1990s. Moore's law has given us 2.4 GHz Quad Core processors from Intel for $280 and there are thousand-dollar encryption off-loaders that can encrypt multiple gigabytes of data per second! I don't want to hear Google saying they can't afford a cheap gigabit encryption off-loader for their Gmail service. I'm tired of hearing all the excuses.
As people's lives become more and more centered around these online services and more and more people start using Wireless networking, this is a disaster waiting to happen. My voice isn't enough and you the reader need to demand better security from your online service providers. I challenge the big three (Google, Microsoft, and Yahoo) to see who will be the first to provide secure HTTPS services by default. If they want to have an insecure version, let them host that under something like insecure.gmail.com and make people go out of their way to be insecure.
The first ISP that becomes secure-by-default will get my praise. I also want to see which major Hotspot provider or Municipal Wi-Fi service will implement the Secure Wireless LAN hotspot for anonymous users. Will it be T-Mobile or AT&T? I hope other bloggers, journalists, and editors will all do the same.