
Security

N/A

Security

My home setup is with a wireless connection to my broadband router and I have configured it as recommended with security in mind i.e.

I use WPA encryption
I enable MAC address filtering
I disable SSID broadcast

I have just looked into BTOpenzone and was surprised to find that none of the above are used. http://www.btopenzone.com/why/wireless_standards.jsp

I suppose it has to be open to work but people should be aware of the risks.
There are hi-tech solutions using VPNs and the like http://www.netstumbler.org/showthread.php?t=12727

Am I right in thinking that if I log on to PlusNet to collect my email at a BT Openzone then my email username and password are broadcast in the clear for any hacker to read?

Mike
7 REPLIES
N/A

Security

Taken from the FAQ.

Quote
14. Is Wireless Broadband secure?
Wireless Broadband protects data transfer by using 128-bit public key encryption during log-in. Your account is password protected and all account traffic is protected by SSL encryption. However, we recommend that when banking online, you check for the padlock icon on your browser. Click on it, to prove that the website is genuine and secure.
N/A

Security

I think they are telling the truth but not the whole truth

Taken from BT Openzone blurb.

Quote
The following activities are undertaken using a 128-bit Secure Sockets Layer (SSL):

* when logging in to use BT Openzone
* purchasing a pricing plan
* changing your password
* checking your profile details

When you choose to launch a new browser window to surf the web, depending
on your chosen web site, your session may no longer use SSL.

WEP is not enabled for BT Openzone (i.e. no on-air wireless encryption is used).



So only a very limited set of situations are encrypted.

Mike
N/A

Re: Security

Quote
My home setup is with a wireless connection to my broadband router and I have configured it as recommended with security in mind i.e.

I use WPA encryption
I enable MAC address filtering
I disable SSID broadcast

I have just looked into BTOpenzone and was surprised to find that none of the above are used. http://www.btopenzone.com/why/wireless_standards.jsp

I suppose it has to be open to work but people should be aware of the risks.
There are hi-tech solutions using VPNs and the like http://www.netstumbler.org/showthread.php?t=12727

Am I right in thinking that if I log on to PlusNet to collect my email at a BT Openzone then my email username and password are broadcast in the clear for any hacker to read?

Mike


If they had WPA encryption enabled, you'd have to ring them up for the key every time you wanted to use the hotspot.

If they had MAC address filtering, you'd have to tell them your MAC address every time you wanted to use a hotspot.

If they disabled SSID broadcast, you wouldn't know you were in a hotspot.

However, SSL encryption is used for payment screens and so on.

Your email username and password would only be visible for unencrypted POP3 sessions. Your best bet is to access your PlusNet email using @mail.

James
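An added example, not part of the thread: one way a mail client can make sure POP3 credentials never cross an unencrypted hotspot is to refuse to send USER/PASS until TLS is in place, either implicitly on port 995 or via STLS on another port. The function names and the `CleartextRefused` exception are hypothetical, and the host and port are whatever your mail provider documents.

```python
import poplib
import ssl


class CleartextRefused(Exception):
    """Raised when the session cannot be encrypted before login."""


def stls_offered(capabilities):
    """True if a CAPA result (as returned by poplib's capa()) lists STLS."""
    return any(name.upper() == "STLS" for name in capabilities)


def open_encrypted_pop3(host, port=995, timeout=10):
    """Return a POP3 connection that is TLS-protected before any login.

    Port 995 uses implicit TLS; any other port must upgrade with STLS.
    Assumption: host and port come from your provider's settings.
    """
    context = ssl.create_default_context()  # verifies certificate and hostname
    if port == 995:
        return poplib.POP3_SSL(host, port, timeout=timeout, context=context)
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        if not stls_offered(conn.capa()):
            raise CleartextRefused(f"{host}:{port} does not offer STLS")
        conn.stls(context=context)
    except Exception:
        conn.close()  # drop the socket without ever sending credentials
        raise
    return conn


def fetch_message_count(host, user, password, port=995):
    """Log in only over the encrypted channel and return the message count."""
    conn = open_encrypted_pop3(host, port)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return count
    finally:
        conn.quit()
```

On an open network the certificate check in `ssl.create_default_context()` matters as much as the encryption, since it is what stops the client from handing the password to an impostor server.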
N/A

Security

As always it's a trade-off between security and usability, and wireless hotspots seem to have gone strongly for the usability approach.

I just think that statements in the Plusnet FAQ like the following

Quote
14. Is Wireless Broadband secure?
Wireless Broadband protects data transfer by using 128-bit public key encryption during log-in. Your account is password protected and all account traffic is protected by SSL encryption. However, we recommend that when banking online, you check for the padlock icon on your browser. Click on it, to prove that the website is genuine and secure.


give the impression, "Yes it is secure", when really it isn't. They should at least say "be aware that checking your emails at a BTOpenzone will cause your login details and all emails to be transmitted unencrypted". Which of course they could never say as people would go "WHAT!!!".

My email account contains many sensitive emails that all sorts of companies send me confirming details of my username and password after I sign up. Once these are compromised it doesn't matter that the site uses SSL as the hacker will have my legitimate log on details to use.

Quote
Your best bet is to access your PlusNet email using @mail.


I'm not familiar with @mail but a quick look at their site seemed to just say they let you encrypt individual emails. This wouldn't stop the POP3 logon details being sent in the clear. But perhaps you are suggesting I need to encrypt all my old emails as well.

Anyway, it's still great technology, and for people who don't really care about security they are happy with an easily used system; for people like me it means I get to play with even more technology like VPNs, so I'm happy as well.


Mike
N/A

Security

@mail is the base webmail software used by PlusNet for their webmail service.

http://webmail.plus.net/

This provides strong encrypted access to your e-mail. Supply your username and password, and you have access to a fully configured mail client anywhere.
N/A

Security

Quote
This provides strong encrypted access to your e-mail


Excellent. Just what I wanted and it was there all along.

Cheers

Mike
N/A

Security

Could this work:
1. synch with BT OpenZone hotspot
2. run sniffer
3. find gateway
4. become gateway
5. man in the middle
6. grab someone else's login details
7. start browsing using their account