Saturday, September 12, 2009

Well, I guess even Clark Howard doesn't know everything.

Howard, for those of you not familiar with him, is a financial guru and consumer advocate with shows on both radio and cable TV. Generally I find him both knowledgeable and skilled in sharing his expertise, but then again, all I know about money is that I want more of it. However, I've got to blow the whistle and throw the flag for something he did at the start of one of today's telecasts: he joined the chorus of those chanting the mantra that using an open Wi-Fi link is inherently dangerous from a privacy and security standpoint, repeating the old chestnut that one shouldn't do online banking or the like except at home.

And now a brief pause for the facts. While it's easy for someone "sniffing" network traffic between your laptop and an open router to intercept data that is sent in the clear, this is plainly and simply not the case if the website you are accessing is secured by a properly configured SSL installation. Just think about it for a moment. Imagine you're sitting with a laptop within range of an open router and you're using a sniffer to monitor a session between me and the SSL-encrypted website of my financial institution. What do you think you're going to see? That's right: all you will capture is the encrypted traffic between me and the remote site, and you won't be able to decrypt it because you didn't exchange keys with the site; I did. The encryption occurs between my computer and the site, neither between me and the router nor between the router and the site. The data is encrypted at my computer before it ever leaves for the router, just as data from the site is encrypted at the site before it ever gets to the router from the Internet. A properly implemented VPN is perfectly safe to use over open Wi-Fi for the same reason.

Just what part of this do the many so-called experts who spout this don't-bank-or-shop-over-open-wireless nonsense not understand? What do they think happens? Do they believe the router magically (i.e., without having exchanged keys with it) decrypts incoming data from the remote site, or that the client laptop, after establishing an encrypted session, then uplinks in the clear and that the router then magically re-encrypts the data before sending it on its first hop? Remember, SSL is intended to protect the data all the way from the remote site to the client. The router, just like all the other servers between the client and the remote site, neither knows nor cares that the data it passes is third-party encrypted; it merely needs to know where it came from and where it's going so it can do its job.

All of this is not to say, of course, that there aren't risks you need to watch out for when on an open Wi-Fi connection. Jumping online with file and printer sharing turned on (and as an aside, I can't think of any good reason to ever have them turned on with a laptop) is one. Exchanging sensitive information with a properly SSL-secured site, however, isn't.
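The argument above, as an added example in Go (not code from the original post): a laptop-side TLS client talks to a loopback "bank" that presents a throwaway self-signed certificate for the constructed name bank.example, while a wrapper around the laptop's socket records everything it sends, which is the sniffer's view of the link. The secret never shows up in that capture, and the same client refuses to finish the handshake when it does not trust the site's certificate, which is what "properly configured" has to mean on the client side as well. The names sniffConn, Session and bank.example are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// sniffConn (assumed name) records every byte the laptop writes to its socket: what a
// sniffer on the open Wi-Fi link would capture of the outbound traffic.
type sniffConn struct{ net.Conn; wire []byte }
func (s *sniffConn) Write(b []byte) (int, error) { s.wire = append(s.wire, b...); return s.Conn.Write(b) }
// Session sends secret over TLS to a loopback "bank" with a throwaway self-signed certificate
// for the constructed name bank.example; trustSite is whether the laptop trusts that issuer.
func Session(secret string, trustSite bool) (wire []byte, received string, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"bank.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	got := make(chan string, 1)
	go func() { // the bank: accept one connection and read until the laptop closes it
		raw, _ := ln.Accept()
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
		data, _ := io.ReadAll(srv) // plaintext as the bank sees it after TLS decrypts
		got <- string(data)
	}()
	raw, _ := net.Dial("tcp", ln.Addr().String())
	defer raw.Close()
	sniffed := &sniffConn{Conn: raw}
	cfg := &tls.Config{ServerName: "bank.example"}
	if trustSite {
		cfg.RootCAs = pool // left unset, the laptop checks system roots and rejects this cert
	}
	c := tls.Client(sniffed, cfg)
	if err = c.Handshake(); err != nil { // key exchange and certificate check happen here
		return sniffed.wire, "", err
	}
	c.Write([]byte(secret)) // encrypted on the laptop before it reaches the socket
	c.Close()               // close_notify lets the bank's ReadAll return
	return sniffed.wire, <-got, nil
}
```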

And for those inclined to disbelieve that, ask yourself this: Why do AT&T and T-Mobile leave their play-for-pay routers unsecured? If SSL weren't sufficient to protect the credit card numbers customers have to enter on their login pages, I think they'd sell even fewer sessions than they probably are selling these days.
