How paranoid do I need to be about allowing my phone to connect to open/unencrypted WiFi hotspots?
I don't really care if other people see my data (email being received or sent, stock quotes, whatever). I think all I really care about is whether they see my passwords (Gmail, Facebook, etc).
I understand I probably don't want to initiate a connection to a financial institution, and that I'm potentially subject to man-in-the-middle attacks even if my passwords aren't cleartext.
Please note that I am aware of this question and its answer, and it doesn't really answer my question because it's just about the data: "What Android sync'd data is encrypted?"
If this question has already been asked and answered, please point me to it. I searched with the built-in engine and Google and couldn't find it.
Answer
If you use the Android web browser to access any sites that you've logged into and that don't use an SSL-encrypted page while you're browsing them, then you should be very paranoid.
Have a read up about the Firesheep add-on to Firefox. It uses the fact that on an open, unencrypted WiFi connection anyone can listen to the network traffic of anyone else who is connected. It listens out for cookies that other people's laptops and phones send out while they're browsing, grabs those cookies and lets you use them to log into a vast list of websites as that person. It doesn't need to capture login names or passwords, so it doesn't matter if you're careful about not entering your password into anything over an open connection. All it needs is your cookie, and then it can log someone else into your Facebook, or Gmail, or Twitter, Amazon (they can even place One-Click orders on your behalf), etc. BoingBoing has slightly more on what this demonstrates about web security.
The scary thing is that Firesheep doesn't do anything magic. It just makes a process that anyone could do (listening to open WiFi traffic, and spotting the interesting bits) and makes it one-click easy.
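The answer above comes down to one property of the session cookie: if it is not marked `Secure`, the browser will send it on plain-HTTP requests too, where anyone on the same open hotspot can read it. The following is an added example (not from the answerer, and not Firesheep's code) showing the check a site owner or a curious user can run on a response's `Set-Cookie` and `Strict-Transport-Security` headers to see whether a session cookie is exposed in exactly this way. The function names (`parse_set_cookie`, `audit_cookies`), the session-name heuristics and the two sample responses are all constructed for this example.

```python
"""
Audit Set-Cookie headers for the attributes that decide whether a session
cookie survives an open, unencrypted WiFi hotspot.

- No `Secure`   : the cookie rides along on plain-HTTP requests, so a sniffer
                  on the same open network sees it (this is what Firesheep
                  harvested).
- No `HttpOnly` : page script can read the cookie, widening the exposure.
- No SameSite   : the cookie is attached to cross-site requests as well.
- No HSTS       : the browser may still fall back to plain HTTP for the host.

All header values below are constructed samples, not responses from any
real site.
"""

# Constructed heuristic: cookie names that usually carry a login session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes such as Secure / HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Constructed heuristic: does the cookie name suggest a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers, hsts_header=None):
    """Return a list of findings describing how a session cookie could leak
    on an open hotspot. An empty list means nothing obvious is exposed."""
    findings = []
    for header_value in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header_value)
        if not looks_like_session_cookie(name):
            continue  # preference cookies are not worth stealing
        if "secure" not in attrs:
            findings.append(
                f"{name}: missing Secure; sent over plain HTTP, sniffable on open WiFi")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly; readable by page script")
        samesite = str(attrs.get("samesite", "")).lower()
        if samesite not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax/Strict; sent on cross-site requests")
    if not hsts_header:
        findings.append(
            "no Strict-Transport-Security header; browser may still use plain HTTP")
    return findings


# Constructed sample responses: the weak one is what the answer warns about,
# the hardened one is what a site should send.
WEAK_RESPONSE = {
    "set_cookie": ["sessionid=abc123; Path=/", "theme=dark; Path=/"],
    "hsts": None,
}
HARDENED_RESPONSE = {
    "set_cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
                   "theme=dark; Path=/"],
    "hsts": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_cookies(resp["set_cookie"], resp["hsts"]) or ["ok"]:
            print("  ", finding)
```

Running the script prints four findings for the weak response and `ok` for the hardened one. The same check applies to a real site by pasting the headers from the browser's developer tools into the two lists; a session cookie that comes back without `Secure` is the case the answer describes, regardless of how carefully the password itself was entered.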