Many people share their internet connection through Wifi these days, either intentionally or unintentionally.
On this page I want to share some thoughts behind this phenomenon.
I think the emphasis of sharing your Wifi signal with others (read: strangers) should lie on "security".
Not only the security of the person who shares his/her connection is questionable.
Also the ones who use shared Wifi connections may be vulnerable.
Even complete outsiders may fall victim of shared Wifi Networks! Think in this respect about spam, and spreading of trojans, viruses and illegal material.
So if you're sharing your internet connection because you think you have nothing to hide, or because you are a social sharer, or just out of laziness or ignorance, this page should start you thinking.
I know, if everybody closes their open Wifi connections now, I won't be able to check my mail when I'm abroad anymore. But that's a risk I ought to take.
Let's start with the worst case scenario: You may end up in jail!
I'm serious, you can get serious trouble with the law! OK, chances may be small that this will indeed happen to you, but it is possible. For instance if some stranger has uploaded some illegal material through your internet connection. You will be held responsible and there is no way for you, or anyone else, to find out who really did it.
Other threats which will await you are:
"I have nothing to hide", I hear you say?
Are you sure you have never used your credit card to pay something on the internet?
And you never bought anything on e-bay?
You do not use your computer for banking?
You do not use Paypal?
You have no friends with which you share your intimate secrets through e-mail or messenger programs?
Are you really sure you have never ever entered a single password on a web site!?
You don't have private photos on your computer?
OK, then you don't have anything to hide.
Chances are that you connect to the internet using an open network of a no-know. Someone who doesn't understand or care why he/she should encrypt the Wifi connection. My guess is that most open networks fall under this category.
However, you can't be sure! You might as well have logged in to a honey pot network. A network that intentionally has been left open to attract visitors. Be prepared to share your entire communication with the Wifi owner who can have a program running which monitors all traffic.
Risks may be relatively harmless, like your user name and password for your blog site may be intercepted.
Later you'll find your entire blog to be erased and replaced by a lot of junk.
Other more serious damages are very likely if you traverse a completely unknown open Wifi network.
Not only the Wifi owner can listen in to your connection!
Because the connection is not encrypted anyone around you can listen in through their WLAN interface.
If you can, always use encrypted communication. For instance good ISPs will give you the opportunity to use POPS and SMTPS to read and send mail securely. If your ISP does, be sure to use it!
Also logging in to your private VPN server immediately after connecting to an untrusted Wifi network is a very good idea, if you have a VPN server of course.
But probably the worst thing that can happen to you is that your laptop gets snatched away from you while you're at it. Data theft is possible, but let's face it, you're laptop is probably far easier to steal from you than your data.
Many commercial and free hotspots exist world wide.
They can be found in most public places like airports, train stations, hotels, restaurants and libraries, to name but a few popular locations.
The difference between an open Wifi network and a hotspot is that you'll have to authenticate yourself when you're trying to connect. For commercial hotspots you probably even have to pay in some way.
Well, there can't be any problems here, can there? I mean these hotspots are run by respectable companies and they have done their utmost to make the hotspots safe, haven't they? They won't eavesdrop on me, will they?
I think it's safe to say that at least in the free part of the world these companies are not after your passwords or other data.
This doesn't mean though that they don't log your access, just in case you are doing something illegal.
This will help law enforcement later if there happens to be a dispute.
No, the danger is not the hotspot provider, it are their customers that I don't trust. Remember that your wireless connection to the hotspot is not encrypted. This means that any other hotspot customer can listen in to what you're doing.
Of course it is not all that bad.
Let's pretend to log in to a commercial hotspot.
You simply connect to the strongest signal available, open your browser and type any URL.
No matter what you entered you'll be presented with a secured login screen.
On this screen you can authenticate yourself and may be given the opportunity to pay for the connection.
Usually payment can be done in various different ways.
Credit cards, vouchers and Paypal are probably the most popular ways to pay for your connection.
OK, we want to pay by credit card this time. Now is the time to stop and double check what you're doing!
First of all make sure you are looking at a secured HTTPS web site!
If not, ABORT!
Don't ever enter you credit card details on a non secured site!
Anyone around you can read what you type!
But even if the site is secured, it still does not guarantee that the page is genuine. You may have logged in to a Wifi network of someone around you, running a virtual hotspot on his laptop. After all, you did login to the strongest signal, didn't you!? I think you can fill in the blanks from here.....
I don't know how clever these hotspot fakers are, but I imagine that they are only after your credit card data. My advise is to use a fake credit card number first when you're trying to log on. There's a big chance that the card data is simply stored and not verified at the card company by the faked hotspot. So chances are that you can successfully login to the hotspot even with the wrong card number.
This should be proof enough for you to trigger all the alarm bells and disconnect immediately.
FON is one of the popular "free" hotspot concepts.
The idea is to share your internet with the world.
And in exchange you can use any Fonspot in the world for free.
A great initiative!
But beware. If you Google around a little you'll find many sites explaining how to hack into La Fonera, the Fon Access Point. This enables the Fonspot owner to make it do whatever he likes. That particular Fonspot can for instance log whatever you are doing.
My advise is simple: Don't trust any hotspot!
Login to a VPN server if you can to encrypt whatever you're doing.
Or pay particular attention to secured connections if you are sending or receiving sensitive private information.
Most hotspots are secure enough. But there's absolutely no way to know for sure. Better be safe than sorry. Don't do anything dangerous if it is not absolutely necessary.
Simple, we all experience the results of open networks: Spam, trojans, viruses, denial of service attacks, web site spoofing, phishing, defacements, etc. etc.
Of course these annoyances probably will still exist when there are no open networks anymore. But thanks to the open networks it is very easy for the malicious internetters to remain anonymous and thus avoid being caught.
What can I do about it? Quite a lot really, but we'll have to do it together!
Apart from the tips given above to the non Wifi users, Wifi users may find the next tips useful to increase their sense of security.
If you don't want to share your internet with strangers, protect your Wifi connection with WEP or WPA.
WPA is generally considered very secure, but older equipment can handle it, so you may have to fall back on WEP to ensure complete compatibility.
WEP can be cracked. However it still requires some knowledge, special equipment and skills to do so. While WEP is highly insecure, it is still better than doing nothing at all. At least it prohibits accidental sharing. It prevents (simple) eavesdropping. And people looking for an open network will likely go a few doors further rather than trying to break into your secured network.
Use strong encryption, but don't overdo it.
Don't simply use a word or name which could be guessed quite easily.
If you have to rely on WEP encryption it doesn't really matter how many bits you use, or what particular key you use. They can all be broken with the same efforts. So make it easy on yourself and use 64 bits encryption and an easy to remember, but not too obvious, encryption key.
Don't share your entire hard drive on your laptop. Only share one (usually empty) directory if you have to transport data from one PC to another.
Always use encryption for sensitive data if you're visiting an untrusted (read: any network but your own) Wifi connection! Login to a VPN server if you can. Use encrypted mail servers if you can.
Never use the default SSID of your Access Point. Change it to something descriptive. You could hide your SSID on some Access Points if you want some extra security. Strangers could see that there is something there, but they can't login because they don't know the SSID. However this will complicate making connections to that Access Point for yourself too.
Always change the default password of your Access Point!
Don't do sensitive things on a strange network if you don't have to. Wait a few hours until you're home if it can wait.
Change your roaming passwords regularly. For instance passwords used to access Hotspots may be intercepted and abused.
Pay particular attention to failed logins to Hotpsots. Someone may be faking a well known Hotspot with the intention to steal your credentials. If you're in doubt, change your password as soon as possible after a failed login.
If you're a Windows or smart phone user I highly recommend you to use Tunnel Bear as soon as you connect to a strange network. It is a very easy to setup and use free VPN service.
Don't install an unencrypted e-mail account on your mobile phone! Most ISPs provide just a basic e-mail service with very limited capabilities. Encryption of the connection is rarely ever possible. So as soon as you connect your mobile phone to an untrusted network your password has already been sent in the clear before you even are able open a VPN tunnel.
Use your common sense.