If you are in the least bit concerned with keeping snooping eyes off your e-mail you should make sure you are using SSL or “secure authentication” with your POP3 accounts if possible (and if not, bug your ISP to add support by calling them one the phone and writing them a letter-- yes snail-mail). In addition, you should always use HTTPS to authenticate for webmail.
Neither of these help you with concealing your e-mail from prying eyes as it flies down the wire, as it travels in plain-text for anyone to read who wants to (i.e. your ISP, your average hacking no-good-nick at a LAN, or rogue government agent – be it foreign or domestic, etc).
So… (especially for Gmail users) you can use Windows Privacy Tools (www.winpt.org), which is a frontend for Gnu Privacy Guard (a PGP alternative, since PGP is patented, and open-source). This is an easy to way to set up your keypair, and encrypt/decrypt clipboard or files. Even gives you a shell extension for windows to do on files/dirs, etc. I personally save my keyrings on a USB memory drive that I keep on my keychain.
Also for Gmail users is this neat little app which uses HTTPS and uses good security practices for hiding your password to let you have a Windows systray biff app: http://torrez.us/archives/2004/05/23/000272.html
It also lets you register Gmail as your default mail app if you would like to do such a thing.
If you are interested in e-mailing me in the future, my homepage (which is my blog) has my public key posted on it.
Oh yeah, also, use PuTTY for the SSH front-end so you can stop using telnet-- telnet also sends your passwords in the clear (anyone with a tiny packet sniffer driver or device can liberally take your passwords to your Unix machines, router, etc). http://www.chiark.greenend.org.uk/~sgtatham/putty/
In a moderate to heavily trafficed area with a wireless network? Depends.
On a college campus in the in-dorm networks? Automatically assume that your connection is being sniffed 24/7 by the local script kiddies.
At least, that’s my experience.
That said, despite the fact that I could see the reasons behind PGP encrypting your email, I have never personally done so, because I know no one I regularly email who’d have any idea how decrypt it. Same with PGP signing.
SSH is a no-brainer though, especially in that I can use it’s connection compression and automagic X-Forwarding to display programs running remotely on my *nix box on the WinXP workstation.
How about not using a free, web-based e-mail service for stuff you don’t want people to see?
As for sniffing, I work at one of the larger universities in the U.S., and if you asked the central IT people (the folks who maintain the network infrastructure), or the dorm IT group, they’d tell you that network sniffing is pretty low on their concern list. Whether it’s because it doesn’t happen or they’ve found ways to detect/prevent it, I don’t know. Active problems are the main concern (people downloading virii containing keyloggers or IRC/FTP bots, system exploits…).
On a wireless connection, okay maybe for the idiots who do not have encryption turned on their router - but I can’t see that as being common.
As for every other instance, most people who warn of this are doing so because of old warnings, old stylenetwork setups, back when switches were expensive. But now that almost everyone uses switches over dumb hubs, you simply do not have access to the traffic to sniff. The traffic is not being broadcast everywhere.
There’s a lot of idiots in the world, and wireless gear is cheap. I was messing around with my kids’ computer the other day, which is the only one in the house on a wireless connection. Since we live in a condo, I have the signal encrypted, limit connections, etc. to keep prying neighbor kids out. On a whim I scanned for other networks and found four, two of which still had the default name assigned, and none of which were encrypted. I resisted the urge to start hacking, but now I’ve started watching the area for people sitting in cars with laptops & no pants.
Web-based e-mail is still transmitted in the clear. Remeber, you are hitting “submit” and your browser dumps your secure connection after you login (if even that). The only web based e-mail I know of that is “free” and has full session HTTPS is Gmail, which has its own set of worries.
Also, even if you connection is secure, when the server on the other end sends your e-mail to the other person’s server it is no longer protected from view in any way.
WPA is still not implemented across the board for all wireless routers. WEP is extremely easy to break (RC4 56bit vs WPA’s AES). WPA is a new standard codified by the IEEE but vendors seem pretty slow to adopt it for 802.11b products when they still have a lot of excess stock sitting on shelves without it.
Their concern for sniffing is low because it doesn’t impact themselves. Once they have their passwords stolen they might change their tune from their new personal experience. Heh. They are only concerned with what directly affects their workload as an IT person.
It isnt’ an issue - because it isn’t an issue. On ground lines, there is no issue for the most part. Do you understand what it would take for someone in a dorm to sniff traffic from the payroll department?
As for gmail. While your session is encrypted, the packets that actually send the mail are not, so they would be subject to the same scare mongering the rest of your post applies to.
The thing I always like to say is, “you don’t send your mail at the post office without an envelope, or a secured envelope if it is sensitive information, do you?” I realize that people do send postcards, but for anything you don’t want people to read (financial, insurance, medical, etc information, receiving ID or credit cards in the mail, etc) then it seems ludicrous to suggest that everyone should transfer their stuff on a post-card in plain view of all handlers at the post office or anyone who peeks at your mail.
SSH also has SFTP and tunneling for applications that don’t directly support it. =)
I’m not talking about sniffing payroll department from the dorms. I’m talking about sniffing other student’s logins for their university shell accounts, their online banking, their e-mail accounts, their logins for university registration, anything at all that they transfer their user ID and password in the clear. If another student, staff member, or intruder came in and attached a sniffer it wouldn’t take very long for them to capture some useful information that could let them gain access to someone else’s private information or unlawful entry to the university systems.
Gmail has AES session encryption. You are correct that the packets that are sent from the e-mail server to another e-mail address are not encrypted. I addressed this in a separate post, sorry.
First, even with wireless, most newer wireless routers are switches, so you could not sniff the packets passing by unless you hacked the router.
If another student, staff member, or intruder came in and attached a sniffer
And if they just took the computer under their arm and ran… this is exactly what was being mentioned as an issue - the idea of someone key logging etc, this is not the same as general traffic being sniffed by a third party. What your original post I thought was about.
If you broke into someone’s dorm room. Installed a device between that person’s computer and the network, yes. Yes, you could sniff their packets, but that is getting ludicrous in what most commonly happens. A student cannot just say - hey I hate bobby, i am going to hack into his bitstream from my room over here and monitor his traffic, they would have to compromise a router or switch - which is whole different ball game.
I stand by what I said first off - packet sniffing is an old issue that is no longer relevant in networking.
This is just not true. The vast majority of academic segments are not switched due to budget, time, and manageability constraints. Many commercial LANs are in the same situation. Bridged yes, switched no.
This is just not true. The vast majority of academic segments are not switched due to budget, time, and manageability constraints. Many commercial LANs are in the same situation. Bridged yes, switched no.[/quote]
Gotta back stusser up on this one, I 've seen a lot of piss-poor antiquated corporate LANs still getting heavy use. A 10mb ethernet segment might not be good for the data center but it’s just peachy for a bunch of file clerks so why spend money to upgrade it?
I’m not talking about breaking into someone’s dorm room. Many universities have publically available computer centers, and it would be relatively easy to slip a Linux boot disk into one of them to turn it into a packet sniffing device. Alternatively, just placing a laptop with the sniffing software on to a publically usable ethernet port placed for laptop usage (which are often seen in university libraries).
I’ve seen this problem also in the university LAN arena. Many state universities, especially those in California, are strapped for cash. They don’t see the need to upgrade student infrastructure when they can’t afford to upgrade the university’s ISP connection. Many places are still even running half-duplex over 10mbit, and I’ve seen some that run over standard POTS cable or with proprietary antiquated wireless technology (pre-802.11a).
