Sirolway

macrumors 6502
Original poster
Jun 13, 2009
421
23
London
Do people worry about security using WiFi hotspots?
An O2 sim in the UK gets you access to a pretty wide cafe wifi coverage, but completely insecure. I'm figuring on using 3G for anything secure (email) but wifi for general browsing, as it's faster & unlimited.

Bit of a nuisance though...

How do others tackle the whole security issue?
 
If it's not https, don't provide login credentials to that site. It's the same on the iPad as it is on pretty much everything else.

While that is certainly true on a secure local network (hopefully your business, your home (you ARE using WPA2 on your wifi network at home, right??? WEP or WPA is NOT enough), etc.) additional steps are needed on a public network. You go to some coffee shop, college campus, hotel, airport, etc. and join a public network and visit all the https you like, every username and password you use COULD be stolen if there was a simple man in the middle or other types of fairly simple attacks sitting on the network.

Unless you take extra precautions, on an open wifi network (coffee shop, campus, etc.) I would not do anything other than surf non-password websites. Definitely not banking or buying anything at Amazon or wherever. You can judge yourself for email, some say email accounts are not worth the effort. I agree it is less of a valued target, but a) I still wouldn't want some hobby hacker poking around or using it as a spambot, and b) are you sure no other account information (from amazon, your bank, etc.) isn't traceable in all your old email? I hope not, but still....

So what can you do if you are on a wifi network and want to check your email or whatever? I have and would suggest you turn on a VPN (stands for Virtual Private Network) and the iPad supports many (Cisco's, PPTP, and I think with OS4 SSL) VPNs. You can set up your own if you want to have your computer or a server do it at home, even free stuff like hamachi can do that. Or you can use some of the questionable free third party stuff out there, but then you are trusting that third party. Two relatively cheap for pay third parties (which have been around for a while, so should be trustworthy) are hotspotvpn ($100ish a year?) and witopia ($40ish a year?). Takes 15 minutes to sign up with one of them, enter in the info on your iPad (iPhone, laptop, whatever), and have it when needed. When needed it is as simple as popping into prefs on the iPad, sliding the VPN slider to ON and letting it connect over the next 20 seconds, and you have a secure tunnel that somebody sitting on the hotel's network shouldn't be able to break. If they can, they have bigger fish to go after than you.

I would be interested to know of any other, TRUSTED, VPN solutions out there that people use???? Your employer may have one too, but then I don't know their policies on using their network for private use.

BTW, 3G isn't even as secure as it really should be, though practically it is unless you have somebody after you who has a few thousand dollars worth of equipment. The hobby hacker is most likely targeting the public wifi networks around you with free, easy to use software...not packing equipment that costs some money and requires expertise to use just in case they can crack 3G. I personally consider 3G safe, but it is not as safe as SSL / VPN connections over WiFi for instance. But for practical purposes, it is for now.
 
SOLUTION: Use your iPad only on your personal wifi network, or ones that are encrypted! Sorry, not the solution you're looking for. This was my intended use from the start so it's easy for me to justify.
 
You really think if you are using SSL for stuff like e-mail that hobby hackers (nice term) can read/steal your e-mail info through the iPad and iPhone mail app? It seems there are more and more free public wifi spots and being advertised as such. Having data stolen in this regard doesn't seem so prevalent so I have to imagine that it is quite tough to do so (assuming you are using SSL of course).
 
Remember this isn't an ipad/iphone problem or question, but any computing device (laptop for instance) using public wifi.

On how prevalent, I have no idea. Not even sure how it would be reported, i.e. if your CC# was taken or email compromised was it that wifi hotspot you used? That waitress that skimmed your CC#? Some breakdown at some other business you placed an order with? Who knows.

On how easy is it, that depends. VERY easy to do a man in the middle attack where you sit on a public wifi and act as the intermediary between the secure website and the client. You have to be able to pose as both the server and the computer, but there are apps out there to do just that you can download and run in 5 minutes. Now, the cheesy ones, while easy to use, would at least cause the client's browser to pop up an "invalid SSL certificate" type error message, but some people click through those as they don't know what they mean and/or their browser/security settings don't even throw those up.

If you always use SSL, practice good browser/security hygiene, have an updated software firewall running in the case of a computer, and only visit sites that have correctly implemented SSL certificates your risk is likely much lower. But how do you know if the site is implementing SSL correctly or there isn't a more dedicated hobby hacker :) with a more sophisticated man in the middle attack that doesn't throw up such an obvious security message?

Running with a VPN when you do transactions (or probably email) is fairly painless and provides a level of comfort. Of course, if there are lots of people on the wifi connection, and others don't have a firewall, are using non-ssl email, etc. etc. they are going to be the targets, not you who are a little more cautious.

It's all what you consider an acceptable risk. If you use public wifi a few times a month, then making sure you use SSL may be sufficient for checking your email. If you are using public wifi on a daily basis no way would I rely on just SSL to protect me.
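
Added example, not part of the post above or of any poster's text: a simplified Python sketch of the name, date and issuer checks that sit behind the "invalid SSL certificate" warning the post mentions. The certificate dictionaries use the layout of Python's `ssl.SSLSocket.getpeercert()`; the host names, CA name and dates are constructed, and the signature-chain verification a real TLS library performs is not reproduced here.

```python
import ssl
import time

def _dns_names(cert):
    """DNS names the certificate says it is valid for."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def _matches(pattern, host):
    """Exact match, or a '*' in the left-most label only (e.g. *.example.com)."""
    p, h = pattern.split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def warning_reasons(cert, host, now=None):
    """Return the reasons a client would warn about `cert` when visiting `host`."""
    now = time.time() if now is None else now
    reasons = []
    if not any(_matches(name, host) for name in _dns_names(cert)):
        reasons.append("name mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        reasons.append("outside validity period")
    # A leaf certificate that names itself as issuer chains to no trusted CA.
    if cert["issuer"] == cert["subject"]:
        reasons.append("self-signed, no trusted issuer")
    return reasons

# Constructed sample data (not taken from any real site or tool).
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2010 GMT")
GENUINE = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "mail.example.com"),),
}
INTERCEPTED = {  # what an intermediary without the site's key might present
    "subject": ((("commonName", "proxy.local"),),),
    "issuer": ((("commonName", "proxy.local"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "proxy.local"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, warning_reasons(cert, "mail.example.com", NOW) or "no warning")
```

Any non-empty result corresponds to the warning page; clicking through it means accepting a certificate that failed at least one of these checks.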
 
Thanks for the thorough explanation. I very rarely use public WiFi except when I'm on vacation. I'm also trying to figure out just how big of a deal it would be if somebody could read my e-mail. I'm guessing a hacker would find it all pretty boring and move along...
 
Yeah in your case on the ipad over public wifi def. make sure you are on SSL for any account browsing (so have ssl checked on your mail setup in settings...pretty sure it is on by default if you used something like gmail's webdave setup or def. if you used exchange) or use ssl webmail sites in safari. If you are talking a few times a year I may not even have gone vpn then if using legitimate public wifi (malls, starbucks, hotels, etc.).

As for email some websites annoyingly send your username and password to your email (so can they log on and get access to your bank if it was a banking account, or your orders from a retailer? Order more stuff at amazon?), or emails may have your account info, your street address, etc.

Or of course they could use your email account to go spam a few hundred thousand people until your email account gets shut down by your provider.
 