Unsecured connections: Checking the basics

The sheer number of connections we make every day using common programs and protocols multiplies the risk that basic security is overlooked.

For IT professionals, or even computer enthusiasts, passwords are nothing new. Neither is the fact that sending those passwords, or any other sensitive information, whether it's your bank account number, your important documents, or communications with the office, must be done over a secure connection. It's basic security, and something that anyone who takes an interest in how the Internet works soon discovers.

When you go to an important web site, you look for the https:// prefix in the URL. When you need to share folders with colleagues, you open a VPN first, to ensure no one can sniff your traffic on the network and get those important documents. You may even have gotten paranoid enough to manually check security certificates, after the recent scare about compromised certificate authorities.

But that only covers part of what each of us does online. We make many more connections, and oftentimes our computers make those connections for us, sending things to remote servers, quite often using proprietary protocols rather than HTTP. Are these connections safe? How can you know if some of them went over the network in clear text? Let's recap some of the basics about secure and unsecure connections.

Email

The first, and probably most common, case is email. There are many different protocols for sending email; some of them are secure, but some are not. First, if you use Gmail or another webmail site, it's quite easy to see. Even if a site doesn't display a form that's on an SSL connection, you could use a tool like Firebug on Firefox or the developer console on Chrome to check that the submit buttons indeed lead to a secure page.

But if you use a desktop mail client like Outlook, it's not that simple. A corporate email system, using a Microsoft Exchange server, will usually be encrypted, assuming it is configured correctly. In Exchange's POP3 settings, simply go to the Authentication tab, and select Secure Logon as the login method. Similarly, if you use Microsoft Hotmail's ability to deliver directly to Outlook or Live Mail, that connection is also encrypted.

However, if your mail comes from an Internet Service Provider over POP3 or IMAP, then it probably is not encrypted. By default, those protocols send both the emails and the account information, including your password, in plain text. It's possible to add encryption to make these protocols secure, but most ISPs do not.

File Transfer Protocol

There are many ways to transfer files, from using a shared folder to using a web-based service like Dropbox. But one of the oldest and simplest ways to transfer files is FTP. By default, FTP does not use encryption, although it too can be made secure if configured correctly, and if your client supports it. Assuming you run a Microsoft FTP server, simply configure the FTP SSL Settings from within the Connections pane in IIS Manager.

A typical case for FTP is transferring files to a web server. I've seen several cases of people using a web host, with a web-based panel, where they make certain that the web connection to that configuration panel is secure, but then they go right over to their FTP client to send files to their host, sending their user name and password in plain text for all to see.

Telnet

Telnet isn't used much anymore, but it can still bite somebody. Many hosts offer the ability to connect to their servers and give you access to a command line. Telnet, the program and protocol used to connect, is not encrypted. Instead, SSH should be used, and is usually supported by these hosts.

Note that Telnet isn't only used with hosts. If you're an IT professional and have to configure routers, chances are you may have to use Telnet, unless you manually configure SSH. On some routers this can be somewhat tricky, requiring you to create a certificate and assign it before it allows you to turn SSH on. So you may want to use a direct console connection to the device over a serial cable instead of sending all your data over the network.

Other programs

Chances are your computer has many more programs that are constantly connecting to remote servers, some of which transmit account information. Whether it's an Adobe AIR based Twitter client, the Gmail Notifier widget, the Dropbox client, or an IM client like Windows Live or AIM, the list is almost endless. So how can you know that each of them sends your data in an encrypted fashion?

Instead of going to each software manufacturer's site and reading through their FAQ to find out whether they produced secure software, you can quickly see a list of ongoing connections from your computer by using the netstat command. Type it in a command window, and the third column of the output lists the remote hosts with the ports used. Any time a remote host is using port 443, the HTTPS port, then it's secure.
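The netstat check can be scripted so that every remote port is compared against the protocols covered above. The following is an added example, not part of the original article: the sample output is constructed, the port tables are assumptions based on conventional port assignments, and a port number is only a hint about the protocol actually spoken on the connection.

```python
# Added example: audit remote ports in Windows `netstat -n` output.
# Port-to-service tables are assumptions based on conventional port numbers.
CLEARTEXT = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
ENCRYPTED = {22: "SSH", 443: "HTTPS", 465: "SMTPS", 990: "FTPS", 993: "IMAPS", 995: "POP3S"}

# Constructed sample output (documentation address ranges, not real hosts).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49713     198.51.100.7:110       ESTABLISHED
  TCP    192.168.1.20:49714     198.51.100.8:21        ESTABLISHED
  TCP    192.168.1.20:49720     203.0.113.25:993       ESTABLISHED
  TCP    192.168.1.20:49721     192.0.2.1:23           TIME_WAIT
  TCP    [fe80::1%12]:49730     [2001:db8::5]:143      ESTABLISHED
  TCP    192.168.1.20:49731     203.0.113.99:5222      ESTABLISHED
"""

def parse_netstat(text):
    """Yield (remote_host, remote_port) for each outbound TCP line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        # The third column is the foreign address; rpartition also handles
        # bracketed IPv6 addresses such as [2001:db8::5]:143.
        host, _, port = fields[2].rpartition(":")
        if port.isdigit():
            yield host, int(port)

def classify(port):
    """Return (service, verdict) for a remote port."""
    if port in CLEARTEXT:
        return CLEARTEXT[port], "cleartext by default"
    if port in ENCRYPTED:
        return ENCRYPTED[port], "encrypted by convention"
    return "?", "unknown, inspect with a packet sniffer"

def audit(text):
    """Return (host, port, service, verdict) for every remote endpoint."""
    return [(host, port, *classify(port)) for host, port in parse_netstat(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-16s %5d  %-7s %s" % row)
```

Ports the tables do not cover, such as 5222 in the sample, are the ones to follow up on with a packet capture.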

My preferred solution, however, is to use a packet sniffer. What better way to know whether you have confidential information leaking from your computer than to go and look for it? My preferred one is Microsoft Network Monitor, available for free from the Microsoft site, but many people like Wireshark.

You do need a bit of familiarity with parsing the results, but by looking at the streams that each program opens up with remote hosts, you can see very plainly the data that was transmitted. If you can see readable text, then that's a red flag. If all you see is gibberish, or the stream is identified by your packet capture software as a TLS or SSL connection, then you know it's secure.
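The same triage can be applied programmatically to the first bytes of a reassembled stream exported from a capture. This is an added example, not part of the original article; the payloads are constructed, and the function names and the 0.9 readability threshold are assumptions chosen for illustration.

```python
import string

# Added example: triage the first bytes of a captured TCP stream.
PRINTABLE = set(string.printable.encode())
CRED_COMMANDS = (b"USER ", b"PASS ")  # POP3 and FTP send these in the clear

def looks_like_tls(payload):
    """TLS record header: content type 20-23, major version 3, minor 0-4."""
    return (len(payload) >= 3 and 20 <= payload[0] <= 23
            and payload[1] == 3 and payload[2] <= 4)

def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(b in PRINTABLE for b in payload) / len(payload) if payload else 0.0

def credential_commands(payload):
    """Return the names (never the values) of login commands seen in clear text."""
    hits = []
    for line in payload.split(b"\r\n"):
        upper = line.upper()
        parts = upper.split()
        if upper.startswith(CRED_COMMANDS):
            hits.append(parts[0].decode())
        elif len(parts) >= 2 and parts[1] == b"LOGIN":  # IMAP: "<tag> LOGIN user pass"
            hits.append("LOGIN")
    return hits

def assess(payload):
    """Classify a stream the way a reader of the capture would."""
    if looks_like_tls(payload):
        return "tls"
    if credential_commands(payload):
        return "cleartext-credentials"   # the red flag the article describes
    if printable_ratio(payload) > 0.9:   # assumed threshold
        return "readable-text"
    return "opaque"

# Constructed sample payloads (no real accounts or hosts).
POP3 = b"USER alice\r\nPASS example-password\r\n"
IMAP = b"a1 LOGIN alice example-password\r\n"
HTTP = b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
OPAQUE = bytes(range(128, 160))

if __name__ == "__main__":
    for name, data in [("pop3", POP3), ("imap", IMAP), ("http", HTTP),
                       ("tls", TLS_HELLO), ("opaque", OPAQUE)]:
        print(name, assess(data))
```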

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...