I spent five days in Austin last week at South by Southwest Interactive (SXSWi), the digital media and politics cousin to the music festival, which started the day I left town. I used Wi-Fi service in Seattle, Denver, and Austin airports along the way, as well as at my hotel and the SXSW venue, the Austin Convention Center.
What I didn’t do is expose my passwords, my browsing habits, my email, or my FTP transfers to anyone who might have been watching my traffic. I used a variety of encryption methods to make sure that nothing I did was easily snoopable, because all of the networks I used were public.
While I don’t stay up at night worrying about whether someone intercepts my non-secured Web page interactions, I am concerned that my passwords for those pages could be scooped up. Most transactions you carry out using dedicated software don’t include any default protection of your password, much less the data you’re sending. So when you send email, upload via FTP, use a Web site that has a non-secured login, or use Netopia’s Timbuktu Pro 7 or earlier, your password is just out there to be snatched.
Are people sniffing? You bet. Especially at a technology conference. They might be sniffing as a hobby, or they might be simply amoral or even actively malicious. You have to assume that out of several hundred people, one person is monitoring traffic using free and freely available software, and thus you’re at risk.
There are two main approaches to encryption that you could wind up using: transactions and sessions secured with Secure Shell (SSH) or Secure Sockets Layer (SSL) technology, and all-encompassing network encryption with a virtual private network (VPN) connection. (SSL is also known as TLS, or Transport Layer Security; the former was its name under patent, while the latter is its "freed" name.)
Like a Signet Ring for Email — More and more software comes with encryption built in, requiring a similar piece of software on the other end that also supports encryption. For email, I now secure both incoming and outgoing messages along with the passwords that allow me to send and receive email.
My email host is FastMail, which secures incoming POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) and outgoing authenticated SMTP (Simple Mail Transfer Protocol) using SSL, the same encryption that’s been protecting Web pages for nearly a decade. (Authenticated SMTP lets you send email from anywhere by logging in to an outgoing mail server just as you would to an incoming one, but the encryption it uses for passwords (and only for passwords!) is considered weaker than SSL.)
Virtually all Macintosh email applications support SSL for POP and SMTP and most for IMAP, including Apple Mail, Eudora, Entourage, and Mailsmith, to name the four most popular. Enabling SSL email involves little more than toggling a few checkboxes and sometimes using an alternate port number.
I pay FastMail $40 per year for three gigabytes of monthly email and file transfer and 2 GB of storage. Free FastMail users can use only SSL for IMAP, along with secure webmail. Paid users have access to SSL for POP, IMAP, and SMTP. (It can be difficult to find the setup and troubleshooting FAQ for SSL on FastMail, so I’ve provided the link below.)
Some other mail providers, such as even Google’s free Gmail service, include SSL, too, but usually in a more limited way. Gmail supports secured POP and SMTP, for instance. Oddly, very few ISPs offer secured email; in fact, please let me know if yours does!
Securing Other Services — If you’re like me, and I suspect you are, you may wind up using a half dozen different Internet-based services in an average day, and that’s no different on the road. You might use FTP to upload a file, Timbuktu Pro to control a machine remotely, and instant messaging to conduct some conversations. Each of these services can be secured directly with the right software.
Secure FTP uses SSH to encrypt a connection between an FTP client, like Interarchy or the beta version of Fetch 5, and a server that supports SFTP. If you’re connecting back to a Mac, go to System Preferences > Internet > Services and check Remote Login. This enables SSH, and, it turns out, SFTP. You don’t need FTP Access turned on for this to work because SSH triggers a special application under Mac OS X and similar Unix, Linux, and BSD variants.
Timbuktu Pro 8 added SSH support, as well, which is a great boon when you need its abilities on public networks (see "Timbuktu Pro 8.0 Finally Adds Encryption" in TidBITS-769). Timbuktu Pro would always be harder to crack because sniffers would need more specialized software to view transactions, like file transfers or mouse movements, but the password transfer by itself would enable an intercepted transaction to turn into remote control of a computer. To use SSH with a Mac OS X computer, Remote Login must be turned on and you must set up a Mac OS X user login within Timbuktu Pro 8.
Depending on the instant messaging service, everything you send from password to emoticons is passed in the clear. That’s why I recommend Skype. It’s free and has a robust Mac OS X client that supports text messaging and phone calls using voice over IP (VoIP) with up to five other people conferenced in with you. And it’s all encrypted. However, Skype won’t discuss its encryption, so we don’t know long-term whether it’s reliable. But for right now it’s certainly a good option.
Hiding All Your Traffic — Because I use so many Internet services, I went full bore and turned on a VPN server in my office. When I connect from my computer to the VPN server, every piece of data entering and leaving my machine is encrypted as it passes over the network. This means there’s no unencrypted data in transit that someone can sniff.
I discovered at SXSWi that Rendezvous traffic bypasses the VPN because it’s considered local traffic, and this is fine as Rendezvous services typically don’t expose any passwords. But if you’re iChatting over Rendezvous, your messages would be sent in the clear. Remember, though, that unless both you and the other party have a VPN enabled, your conversation would be in the clear on one side or the other.
VPN servers used to cost thousands of dollars, but the Buffalo Wireless Secure Remote Gateway has a simple VPN server for a few dozen users built in, and it costs between $140 and $200.
You can use the Buffalo gateway in Mac OS X 10.2 Jaguar or later because it relies PPTP (Point to Point Tunneling Protocol) for encapsulating and encrypting your network data. Launch the Internet Connect application to create a PPTP connection. The Buffalo gateway requires an IP address reachable from the rest of the world, whether static or a dynamic one mapped through dynamic DNS.
There are services that let you rent VPN access as well. HotSpotVPN.com, for instance, offers an $8.88 per month unlimited usage rate that’s compatible with Jaguar and later versions of Mac OS X.
Keeping It Real: Real Private — I hate to sound paranoid. I don’t think anyone wants my personal information. But I do know that plenty of people want as much private data as they can find for whatever purposes they choose to put it to. Windows viruses running on a Wi-Fi network you’re connected to, for instance, could constantly scan the Wi-Fi network for account names and passwords and send them back to a remote cracker for later use.
I like to keep my passwords close and any potential enemies – impersonal or not – far away. Using encryption sensibly keeps attackers at bay.