gregh 2007-08-02 13:21 Computing Law_School networking security usf
Last summer, ZiefBrief reported that wireless was coming to the library. There was a note in that article: "(Our helpful Law IT staff ask us to remind you that, wireless being wireless, it will never be 100% secure. So please don't use it for your online banking and such!)"
I commented with some of my thoughts about why that was important. Our public networking uses a wildly insecure method for authenticating users and authorizing access. The first, most obvious problem is that no wireless encryption is used. All communications with the wireless network are in the clear, and anyone within range can watch your traffic. Second, there's no authentication of the wireless network; that is, there's no way for the user to know that the "USFWireless" SSID they connect to is, in fact, USFWireless. Finally, because there is no authentication of the wireless network and no wireless network authorization, authentication to the public network happens by means of a jail, which is opened by means of a form on an apparent transparent HTTP proxy.
Why is that a concern? Rather than redirect the request to an authentication host with an appropriate, properly signed TLS (née SSL) certificate, the request is simply hijacked. Users are lulled into accepting these poorly signed certificates as a regular part of getting online. It becomes second nature to ignore those warnings, and I'm sure many do. That opens up a prime opportunity for a man-in-the-middle attack. Even if you send all of your traffic across an encrypted channel, if you get to the point where you simply accept "bad" certificates, you no longer know who is watching your data.
This came to mind today as I was reading this article from the Washington Post. It describes new, automated tools for sniffing credentials from the "wire" and using them to connect to common online services. Similar attacks on USFConnect (the university intranet) aren't hard to imagine. It's never been particularly hard to pull this off; it's just that now folks are demonstrating automated tools to do the job.
And so, this is a gentle reminder to watch the certificates you're granted while you're surfing online. Be careful with the information you send around on insecure wireless networks, and that especially includes relatively public places like the law school. Perhaps one of these days, the IT folks will see fit to strengthen the protections; it's not hard, but the user support can be daunting. For the time being, wireless continues to be unsafe, even though its use can be a calculated risk.
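One way to see which kind of jail a network uses without clicking through a certificate warning is to send a plain-HTTP probe whose genuine answer is known in advance and classify what comes back, the same idea operating systems use for captive-portal detection. The sketch below is an added example, not part of the original post; the probe behaviour (an empty 204), the host names and the three sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the genuine probe endpoint answers with an empty 204.
EXPECTED_STATUS = 204

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw: bytes) -> str:
    """Describe how the network treated a plain-HTTP probe."""
    status, headers, body = parse_response(raw)
    if status == EXPECTED_STATUS and not body:
        return "open"  # the probe reached the real endpoint untouched
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.hostname:
            # Portal on its own host: its certificate can be checked by name.
            return "redirect-to-https-portal"
        return "redirect-to-cleartext-portal"
    # The proxy answered in place of the requested site.
    return "hijacked-in-place"

# Constructed sample responses (not captured from any real network).
OPEN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
REDIRECT_TLS = (b"HTTP/1.1 302 Found\r\n"
                b"Location: https://login.portal.example/auth\r\n"
                b"Content-Length: 0\r\n\r\n")
REDIRECT_CLEAR = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://192.0.2.1/login\r\n\r\n")
HIJACKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<form action=\"/login\"><input name=\"user\"></form>")

if __name__ == "__main__":
    for name, raw in [("open", OPEN), ("tls", REDIRECT_TLS),
                      ("clear", REDIRECT_CLEAR), ("hijack", HIJACKED)]:
        print(name, "->", classify(raw))
```

Only the "redirect-to-https-portal" result leaves the user with a certificate that can be validated against the portal's own host name; the other two portal outcomes give no way to tell the real portal from an impostor.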