PL1
Active Member
Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.
|
|
|
- Thread starter drum118
- Start date
Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.
LNahid2000
Senior Member
Having a Twitter account isn't the issue. It's the permissions you grant it to have access to your account.
rbt
Senior Member
I'm kinda amazed the Wifi company went through with installations despite low interest from the big phone companies.
Paying $25M+ for the pleasure of giving away Wifi without any return? Seems like a risky business model.
Wind service doesn't seem to be impacted by this Twitter thing.
Paying $25M+ for the pleasure of giving away Wifi without any return? Seems like a risky business model.
Wind service doesn't seem to be impacted by this Twitter thing.
TheTigerMaster
Superstar
Nope. I can nearly guarantee you that Twitter encrypts all passwords. Sending passwords over the internet without encryption is a huge nono, and there's no way a company as large as twitter would be caught with their pants down. If Twitter was sending passwords in cleartext this would be an enormous security problem.
A quick overview of how it works:
With encrypted WiFi everything transmitted is encrypted. Nobody will be able to snoop on your data, assuming proper encryption.
Individual websites/services can also encrypt their data. That means that even if you were working on an unencrypted WiFi connection, the person snooping on your WiFi wouldn't be able to see the content of the data being sent between you and the encrypted webs service. However, data sent between you and web services that are unencrypted can be snooped on.
Napoleon
Active Member
Or to put it even more simply. If the website starts with http:// and no lock symbol appears on the page, it's clear text. If the websites starts with https:// you'll often see a lock symbol either in the address bar or in a bottom corner of the browser, the website is secure.
Websites like your bank and gmail are always encrypted. The problem is that people often reuse passwords. In fact, it looks like the UrbanToronto logon is unencrypted...someone check me on this. So if you were to reuse a secure password in an insecure site, it can easily be recorded.
I had a friend who dealt with an annoying neighbour by gaining access to his wireless router. He then proceeded to flip upside down every image that was served by a webpage...pretty annoying.
LNahid2000
Senior Member
If you're concerned about privacy, I'd be more concerned with being connected to an open wifi network than some app permissions that probably don't mean anything.
smably
Senior Member
Having to use Twitter to sign in may be annoying, but I really doubt that any of your web browsing traffic goes through Twitter after you've signed in. If it's anything like other services that allow sign-in via Twitter, Facebook, or Google, your account is just used for authentication. I mean, sure, BAI could be feeding a list of all the URLs you visit back to Twitter, but they'd have to go to a fair amount of effort to collect all that data, correlate it with your sign-in account, and then send it to Twitter. Does the privacy policy say anything about this? Has anyone actually read the privacy policy?
The Star ran a story on this a few days ago that might clear up some concerns:
http://www.thestar.com/news/gta/tra...i-users-need-twitter-accounts-this-month.html
You can put me in the "it's really not a big deal" camp.
TheTigerMaster
Superstar
Web services are hacked with alarming frequency. Many of these services don't securly store their customer's passwords, so when the service is hacked the criminals can see the username/password combinations for all their users and try those to log into other services. This is why it's important to never reuse passwords.
When I tried to use it the other day, I recall that I didn't like the permissions thing. I've authorized many apps to log in through both Facebook and Twitter, but this one seemed more intrusive than most. I should have screen capped it. At any rate, it didn't work, just kept looping back to the Twitter log in.
Megaton327
Senior Member
Actually, on an open wi-fi network, it is not only possible but tremendously easy to strip SSL away from any info. A friend of mine, a software engineer, was actually on a CBC segment a few years ago demonstrating this--at a public library, they had the reporter use the open wi-fi, and login (with fake data) to very-well-encrypted online banking; 10 seconds later they had her login information in text form on their laptops.
It is a common misconception that, when on unsecured wi-fi, SSL still works. It absolutely does not. Anybody standing in that subway station can, with near-zero effort, get your twitter username and password--though twitter login or not, yes, anything you enter while connected to the network has always been subject to that risk as well, I solve that by simply checking traffic and streetcar positions on the wi-fi, which I can no longer do without exposing my twitter password at these new stations.
LNahid2000
Senior Member
So make a fake Twitter account with a password you don't use anywhere else. Not that hard. It's the price you have to pay for free wifi.
salsa
Senior Member
May I ask why does anyone care about using wifi in the subway stations? How much web browsing can you possibly pull off within the minute or two before the train arrives?
I had to wait 15 minutes for the streetcar at Union the other day
rbt
Senior Member
Indeed. The attacker needs to be on the wifi to capture packets right from the beginning (during the SSL connection setup), at which point it is basically a hijack attack and SSLStrip would take care of most of it. This, of course, works on wired networks too if the attacker can get access to your data (yay switches that become hubs when you enable promiscuous mode).
Using most types of VPN over the public WIFI (private key on both ends) ought to be safe.
Last edited: