A Brief History of Everything Wireless

How Invisible Waves Have Changed the World

Earlier entries Show latest

Author's Blog

Chrome update will make a forced push towards safer networking

2018-05-08 [Petri]

In Chapter 11: Home Sweet Home I discuss the security issues stemming from the fact that Wi-Fi signals are free for anyone to receive, and thus any traffic that is floating around can be tapped into with relative ease, totally unnoticed by the originator of the traffic.

This is very much an issue with public Wi-Fi networks which commonly do not use any traffic encryption, and hence the air at the nearest Starbucks is ripe with data to be discreetly intercepted by anyone within range, either inside the café or outside at the parking lot.

By connecting to an unknown public network and accessing websites that use the unencrypted HTTP protocol not only makes you an easy target for wireless eavesdropping, but naturally all of your network traffic has to pass through the unknown system of the network provider, and therefore it can be intercepted and rearranged freely along the way. For any HTTP traffic, there is no easy way to detect this kind of traffic tampering.

A partial remedy against this for sensitive websites is the application of HTTP Secure (HTTPS) protocol, which will provide you a warning in case the access to your website is being intercepted through a so-called “man-in-the-middle”-attack. And in case of Wi-Fi eavesdropping, the use of HTTPS also encrypts the wireless data flying through the air: the hackers can still tap into it, but can't see what it is about.

The flipside of this is the fact that many common websites that are not requiring passwords or other sensitive information do not yet use HTTPS, as there was no pressing incentive to do so: when HTTP was developed, the networked world was a much more innocent place...

All this is about to change this June, when Google's Chrome browser starts flagging all non-HTTPS sites as "not secure". And unless something goes drastically wrong, it is clear that other browsers will soon follow the suit: Firefox already has a hidden setting available to turn this on.

It is unrealistic to expect that all websites will immediately jump to use HTTPS, and therefore this change is bound to create some confusion amongst non-technical users, as they suddenly start seeing security warnings on the familiar websites that they have been accessing daily.

Therefore, there may be a nasty side effect on this non-mandatory change: as there will be new and potentially numerous notifications that warn about these “not secure” sites, the end users may become oblivious to these warnings, and as a result, will also ignore some valid ones due to this "warning fatigue".

Don't let this happen to you: if you are using a public connection, remember that every time you have a warning that relates to security, stop and assess whether it is a valid one, and if you have any doubt, do not do what you were about to do until you are back in the relative safety of your home or workplace network.

The simple rule is that if the warning is shown on a website that requires logging in or any other sensitive information, do not continue.

On the other side of this equation, a change like this puts pressure on the website administrators:

Switching the web servers to HTTPS on a global scale requires a considerable amount of work. This used to be a manual, error-prone and tedious process, and as the required Secure Sockets Layer (SSL) certificate was seen more of a professional “eCommerce website” feature, the cost of a certificate used to be somewhat steep, but it has now fallen into roughly 10-dollar range per year. Hence, price is no reason to avoid going “full monty” on HTTPS anymore.

Even better, the non-profit organization LetsEncrypt.org offers free SSL certificates, all in the benefit of making the web more secure for all of us to use, and the installation process is now almost fully automatic via the Electronic Frontier Foundation's CertBot service.

Your only remaining “pain” is to automate the re-certification (the free certificates expire in 90 days), and to donate a tenner every once in a blue moon to LetsEncrypt.org to keep these good guys in business.

I ran this process on my web server last week, and as you can see from the padlock in the address field, it works. There was some manual cleanup left to be done after the automatic install, but nothing compared to my earlier experience of setting a HTTPS site up and running from scratch.

The biggest issue was the fact that by default the automatic installation process blindly duplicated the Django backend server setup to both HTTP and HTTPS versions, which caused the setup to fail. But the installation process flagged the problem and automatically reverted back to the working config.

Using HTTPS is only part of a story when it comes to safe wireless connectivity, and as mentioned, further discussion on this important issue can be found in Chapter 11: Home Sweet Home of my book.

Permalink: https://bhoew.com/blog/en/17

Show latest Earlier entries

Creating secure websites is easy via LetsEncrypt & CertBot

You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.

Earlier entries:

You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.

PRIVACY STATEMENT AND CONTACT INFORMATION: we don't collect anything about your visits to this website: we think that your online history belongs to you alone. However, our blog comment section is managed by Disqus. Please read their privacy statement via this link. To contact the author directly, please costruct an email address from his first name and the name of this website. All product names, logos and brands are property of their respective owners and are used on this website for identification purposes only. © 2018 Petri Launiainen.