The Lure of Wireless Encryption
Following our article entitled “Jekyll or Hyde? Better browse securely” in the last issue of the Bulletin, some people wondered why the CERN wireless network is not encrypted…
There are many arguments why it is not. The simplest is usability: the communication and management of the corresponding access keys would be challenging given the sheer number of wireless devices the CERN network hosts. Keys would quickly become public, e.g. at conferences, and might be shared, written on whiteboards, etc. Then there are all the devices which cannot be easily configured to use encryption protocols - a fact which would create plenty of calls to the CERN Service Desk… But our main argument is that wireless encryption is DECEPTIVE.
Wireless encryption is deceptive as it only protects the wireless network against unauthorised access (and the CERN network already has other means to protect against that). Wireless encryption, however, does not really help you. You might get a false sense of security because your traffic is encrypted between your device and the wireless hub, but further down the wire it is not. In reality, your traffic transits the Internet in clear text apart from the first few wireless metres - unless you take additional protective measures.
Therefore, don’t let yourself be lured by wireless encryption! If you are serious about privacy and encryption, ensure that your traffic is encrypted on the whole path from your local application to the remote service you are using. Check for the “S” (“secure”) in your communication protocol:
- “HTTPS” for secure web browsing, as displayed in your browser’s address bar;
- “IMAPS”/“POPS” for secure e-mail transfer; the default for accessing your CERN mailbox;
- “SSH” and “SCP” for secure remote access and data transfer, mainly on Linux PCs. “SSH” can even be used to encrypt other protocols, a technique called “tunnelling”;
- On Windows PCs, there is also “RDP”, the Remote Desktop Protocol, which is encrypted too.
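The argument above can be made concrete with a small simulation. The following Python script is an added example, not part of the original Bulletin article: it models a packet travelling from a laptop over one wireless hop and two wired hops, and reports on which hops an eavesdropper would read the message in clear. Wireless encryption is applied only on the first hop and removed by the access point; end-to-end encryption (the “S” protocols listed above) is applied by the application and stays in place until the remote server. The hop names, keys and the toy XOR cipher are constructed for illustration and are not a real cipher.

```python
import hashlib
from itertools import count

# Toy stream cipher for illustration only (keystream = SHA-256 of key || counter).
# It is NOT a real cipher; it only makes "encrypted" bytes visibly different
# from plaintext in the simulation below.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# Constructed path from a laptop to a remote web server (hypothetical hop names).
# Only the first hop is wireless; everything after the access point is wired.
HOPS = ["wireless (laptop -> access point)",
        "wire (access point -> site router)",
        "internet (site router -> remote server)"]

WPA_KEY = b"constructed-wlan-key"       # shared between laptop and access point only
TLS_KEY = b"constructed-session-key"    # shared between laptop and remote server

def send(plaintext: bytes, wireless_encrypted: bool, end_to_end: bool) -> dict:
    """Simulate the packet hop by hop and return what an eavesdropper on each
    hop would capture.

    Wireless encryption is applied on the first hop and stripped by the access
    point; end-to-end encryption is applied once by the application and is
    still in place on every later hop.
    """
    payload = xor_crypt(TLS_KEY, plaintext) if end_to_end else plaintext
    seen = {}
    for hop in HOPS:
        on_the_air = payload
        if hop.startswith("wireless") and wireless_encrypted:
            on_the_air = xor_crypt(WPA_KEY, payload)   # access point removes this again
        seen[hop] = on_the_air
    return seen

def hops_exposing(plaintext: bytes, wireless_encrypted: bool, end_to_end: bool) -> list:
    """Names of the hops on which the eavesdropper reads the message in clear."""
    seen = send(plaintext, wireless_encrypted, end_to_end)
    return [hop for hop, captured in seen.items() if captured == plaintext]

if __name__ == "__main__":
    msg = b"GET /private/report.pdf HTTP/1.1"   # constructed sample request
    for wlan, e2e in [(False, False), (True, False), (False, True), (True, True)]:
        exposed = hops_exposing(msg, wlan, e2e)
        print(f"wireless encryption={wlan!s:5} end-to-end={e2e!s:5} -> "
              f"readable on: {exposed or 'no hop'}")
```

Running the script shows that switching on wireless encryption alone only removes the first hop from the list of places where the request is readable, whereas end-to-end encryption removes all of them, which is exactly why the checklist above asks for the “S” in the application protocol rather than for an encrypted wireless network.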
Of course, there is more to encryption than this. In order to protect your privacy and undermine surveillance, take advantage of so-called “Anonymize” services like http://www.anonymizer.com or the Tor network. These hide your IP address and channel your traffic through a proxy network, making it very difficult to determine who is communicating with whom.
If you host sensitive or confidential data (see the new CERN Data Protection Policy), access protection and data encryption are a must! This is particularly true if you keep this kind of data on a USB stick or laptop, both of which can easily be lost or stolen while you're travelling... TrueCrypt is a good open-source on-the-fly encryption tool for data stored on Windows, Mac and Linux PCs.
For further information, please contact the Computer Security Team or check our website.