On The Insider: Nicole Richie Home from the Hospital
BNET Business Network:
BNET
TechRepublic
ZDNet

August 6th, 2007

How to protect your online privacy

Posted by George Ou @ 11:40 pm

Categories: Browsers, Hardware, Infrastructure, Mobile/Wireless, Networking, Security, Servers, Technology policy

Tags: Google Inc., Online Privacy, TCP, SSL, George Ou

If you want to avoid being compromised when using typical Wi-Fi hotspots that have no security, you can use the following table as a reference of protocols you should and shouldn’t use.  The insecure protocols should be banned and never used again; the protocols on the right are the secure alternatives.  Anyone who doubts this is a problem should look at the DEFCON Wall of Sheep.

Note that in order to use these secure protocols properly, only Digital Certificates that are signed by publicly trusted Certificate Authorities like VeriSign, Entrust, GeoTrust, or GoDaddy should be used on the server side.  Here’s a tutorial on how to acquire, purchase, and install a Certificate on your Server for less than $20 a year.  The use of expired or self-signed Certificates is forbidden because it forces and conditions the user in to ignoring Certificate warnings which is extremely dangerous.  Clients don’t usually require Digital Certificates and they just need to be configured to point to the secure services.

Insecure protocols (BAN usage) Secure protocols
HTTP HTTPS with SSL
POP (TCP: 110) POP with SSL (TCP: 995)
IMAP (TCP: 143) IMAP with SSL (TCP: 993)
SMTP (TCP: 25) SMTP with SSL (TCP: 465)
FTP FTPS or SFTP ****
Telnet SSH ***
PPTP VPN PPTP over SSTP VPN
ICQ IM client configured for SSL
  Skype (Proprietary PKI)
  SSL-VPN, L2TP*, IPSEC**
  SSH VPN tunneling ***

* L2TP requires Server and Client side Digital Certificates.
** IPSEC can use Server and Client side Digital Certificates or pre-shared keys.
*** SSH is not SSL based but is very similar to SSL in principle.
**** FTPS is an SSL version of FTP, SFTP is SSH based version of FTP.

Unfortunately this is all probably too complex for the vast majority of users and the infrastructure needs to take a lot more responsibility by blocking the usage of insecure protocols.  Services like HTTP can automatically be redirected to HTTPS but very few online services will do this.  Google supports HTTPS mode if the user manually types in https://mail.google.com which almost no one does so that really doesn’t help the vast majority of users who don’t know any better.

Almost none of the so-called “Web 2.0″ providers care about your online privacy.  For example, the following services have zero support for HTTPS and they’re all vulnerable to side-jacking.

  • Google’s YouTube service
  • Google Video
  • Google Maps (you want people knowing where you live?)
  • Google’s Blogspot
  • Microsoft Hotmail
  • Yahoo mail
  • Facebook
  • MySpace

What is going on here?  I challenge these online services to start protecting people’s privacy and start using HTTPS for everything!  [Update 8/8/2007 - Robert Graham of ErrataSec noted that SalesForce.com defaults to SSL mode and even lets companies block non-SSL connections to their own data.  I would add that this is to be expected of any corporate Application Service Provider which charges a substantial monthly fee per user.  What I'd like to see is every online service regardless of whether it's a subscription service or Ad driven service should protect people's privacy.]

Note: Anyone who tells you SSL and encryption is too expensive is living in the 1990s.  Moore’s law has given us 2.4 GHz Quad Core processors from Intel for $280 and there are thousand-dollar encryption off-loaders that can encrypt multiple gigabytes of data per second!  I don’t want to hear Google saying they can’t afford a cheap gigabit encryption off-loader for their Gmail service.  I’m tired of hearing all the excuses.

As people’s lives become more and more centered around these online services and more and more people start using Wireless networking, this is a disaster waiting to happen.  My voice isn’t enough and you the reader need to demand better security from your online service providers.  I challenge the big three (Google, Microsoft, and Yahoo) to see who will be the first to provide secure HTTPS services by default.  If they want to have an insecure version, let them host that under something like insecure.gmail.com and make people go out of their way to be insecure.

The first ISP that becomes secure-by-default will get my praise.  I also want to see which major Hotspot provider or Municipal Wi-Fi service will implement the Secure Wireless LAN hotspot for anonymous users.  Will it be T-Mobile or AT&T?  I hope other bloggers, Journalists, and Editors to all do the same.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 39 Talkback(s)
RE: How to protect your online privacy
I always use Road Warrior VPN.com they provide a nice and fast connection with no blockage. It is also really easy to set up, just install the client and click connect, enter user name and password and you are connected to your secure connection. ... (Read the rest)
Posted by: drallcalm Posted on: 09/29/09 You are currently: a Guest | | Terms of Use
Google maps  GW Mahoney | 08/07/07
Google Maps?  drobinow | 08/08/07
You get what you pay for  jfp | 08/07/07
That's a lame excuse  georgeou | 08/07/07
Yahoo Small Business Email and Website Hosting  VTSkiBum | 08/07/07
They won't change until consumers start demanding it  georgeou | 08/07/07
I was having trouble understanging Gmail  nucrash | 08/07/07
it redirects to where u started  (``-_-´´) | 08/07/07
Kindof defeats the purpose of Cookie Dumping  nucrash | 08/07/07
I can find out where you live now  frgough | 08/07/07
And you made this discovery all by yourself?  nucrash | 08/07/07
Nice jab, but what about his POINT?  comp_indiana | 08/08/07
Thanks George. Always pertinent. (eom)  BillyG_n_SC | 08/07/07
INternet Anonymity / Security  CSmith66 | 08/07/07
Alternative Browser?  Moisés Ágreda | 08/07/07
That has nothing to do with this  georgeou | 08/07/07
George - Yes it does  xrayman | 08/09/07
Spams with PDF's.  Rick_R | 08/07/07
Some are text searchable  nucrash | 08/07/07
PDF spam is VERY dangerous and may contain malformed exploits  georgeou | 08/07/07
Avira AV and pdf  BorisKarloff | 08/10/07
Yahoo Mail is secure  Galactic_Nagus | 08/07/07
Secure beyond the login negotiation?  VTSkiBum | 08/07/07
Yahoo NOT secure past login - I was wrong  Galactic_Nagus | 08/07/07
None of these guys are secure by default  georgeou | 08/07/07
is ISP uses secure connection  hen770@... | 08/07/07
Everyone needs to encrypt  georgeou | 08/07/07
Has Google really said that  mhenriday | 08/07/07
They haven't said that in public  georgeou | 08/07/07
Gmail Schmemail  D. T. Schmitz | 08/07/07
What about 95% of the Gmail population that won't do that?  georgeou | 08/07/07
Redirecting option/default for Gmail  VTSkiBum | 08/09/07
Redirecting option/default for Gmail  VTSkiBum | 08/09/07
No reason why they shouldn't default to HTTPS  D. T. Schmitz | 08/09/07
what about Zdnet?  (``-_-´´) | 08/08/07
techrepublic no https logins ?  jedibanana@... | 08/12/07
Myway.com's web-based email service defaults to secure mode!  DFM III | 09/01/07
RE: How to protect your online privacy  Hassan11 | 03/11/08
RE: How to protect your online privacy  drallcalm | 09/29/09

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Click Here
advertisement

Recent Entries

Top Rated

    advertisement

    Archives

    ZDNet Blogs

    White Papers, Webcasts, and Downloads

    • Smart Tech Expert advice on innovations in healthcare and the green technologies that make it happen. Find out more
    • Smart Business Discussion and advice on management issues that revolve around making your world smarter and more useful. More Smart Advice
    • Smart People The best and worst moves in the management and strategy trenches. Learn More