Today I was travelling in the Netherlands by train. One of the great things is that major stations have their own wi-fi access. When we stopped at a station, as usual I wanted to check my emails while waiting for the train to move on.
Once I established a connection with the access point and opened my web browser to log on I immediately noticed something suspicious. Instead of getting an HTTPS site I was being directed to an HTTP site.
In my mind there were two options. Either the log on procedure had changed, or I was dealing with a rogue access point. It turned out to be the first.
What’s the problem with that? Well, anything you send over an unencrypted wi-fi connection is sniffable. This is why the log on page in particular should use HTTPS.
You can bypass traffic sniffing by using an encrypted tunnel to the service of your choice. For instance, emailing via SSL/TLS or using a VPN connection to do all your work. However you can not set up such a tunnel without having actually logged on to have full internet access. The log on credentials are transmitted in plain text.
This issue is particularly critical because a number of ISPs offer (limited) free internet access via these station hotspots. This means that if you log on using one of these hotspots, your log on details will be available to anyone with a network sniffer who is in the neighbourhood.
These hotspots may be convenient, but they’re currently insecure. As long as there’s no HTTPS available for logging on, I won’t be using this service, and I would advise users in the Netherlands to follow my lead.