News   GLOBAL  |  Apr 02, 2020
 9.6K     0 
News   GLOBAL  |  Apr 01, 2020
 41K     0 
News   GLOBAL  |  Apr 01, 2020
 5.4K     0 

I don't see what the big deal is. It takes 30 seconds to sign up for a Twitter account. I'd rather have that then have to pay for wifi with my fares.

Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.
 
Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.
This depends if Twitter is using SSL on their logon page or not. Also, this would apply to any website where you enter logon credentials.
 
I'm kinda amazed the Wifi company went through with installations despite low interest from the big phone companies.

Paying $25M+ for the pleasure of giving away Wifi without any return? Seems like a risky business model.

Wind service doesn't seem to be impacted by this Twitter thing.
 
Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.

Nope. I can nearly guarantee you that Twitter encrypts all passwords. Sending passwords over the internet without encryption is a huge nono, and there's no way a company as large as twitter would be caught with their pants down. If Twitter was sending passwords in cleartext this would be an enormous security problem.

A quick overview of how it works:

With encrypted WiFi everything transmitted is encrypted. Nobody will be able to snoop on your data, assuming proper encryption.

Individual websites/services can also encrypt their data. That means that even if you were working on an unencrypted WiFi connection, the person snooping on your WiFi wouldn't be able to see the content of the data being sent between you and the encrypted webs service. However, data sent between you and web services that are unencrypted can be snooped on.
 
Individual websites/services can also encrypt their data. That means that even if you were working on an unencrypted WiFi connection, the person snooping on your WiFi wouldn't be able to see the content of the data being sent between you and the encrypted webs service. However, data sent between you and web services that are unencrypted can be snooped on.
Or to put it even more simply. If the website starts with http:// and no lock symbol appears on the page, it's clear text. If the websites starts with https:// you'll often see a lock symbol either in the address bar or in a bottom corner of the browser, the website is secure.

Websites like your bank and gmail are always encrypted. The problem is that people often reuse passwords. In fact, it looks like the UrbanToronto logon is unencrypted...someone check me on this. So if you were to reuse a secure password in an insecure site, it can easily be recorded.

I had a friend who dealt with an annoying neighbour by gaining access to his wireless router. He then proceeded to flip upside down every image that was served by a webpage...pretty annoying.
 
Having a Twitter account isn't the issue. It's the permissions you grant it to have access to your account.
If you're concerned about privacy, I'd be more concerned with being connected to an open wifi network than some app permissions that probably don't mean anything.
 
Twitter has sponsored the TTC WiFi network. As a result it has been restricted to users with Twitter accounts only. You must login to your Twitter account to use the WiFi, which will then feed to Twitter all sites you visit and apps you use.
Having to use Twitter to sign in may be annoying, but I really doubt that any of your web browsing traffic goes through Twitter after you've signed in. If it's anything like other services that allow sign-in via Twitter, Facebook, or Google, your account is just used for authentication. I mean, sure, BAI could be feeding a list of all the URLs you visit back to Twitter, but they'd have to go to a fair amount of effort to collect all that data, correlate it with your sign-in account, and then send it to Twitter. Does the privacy policy say anything about this? Has anyone actually read the privacy policy?

The Star ran a story on this a few days ago that might clear up some concerns:
http://www.thestar.com/news/gta/tra...i-users-need-twitter-accounts-this-month.html

You can put me in the "it's really not a big deal" camp.
 
Or to put it even more simply. If the website starts with http:// and no lock symbol appears on the page, it's clear text. If the websites starts with https:// you'll often see a lock symbol either in the address bar or in a bottom corner of the browser, the website is secure.

Websites like your bank and gmail are always encrypted. The problem is that people often reuse passwords. In fact, it looks like the UrbanToronto logon is unencrypted...someone check me on this. So if you were to reuse a secure password in an insecure site, it can easily be recorded.

I had a friend who dealt with an annoying neighbour by gaining access to his wireless router. He then proceeded to flip upside down every image that was served by a webpage...pretty annoying.

Web services are hacked with alarming frequency. Many of these services don't securly store their customer's passwords, so when the service is hacked the criminals can see the username/password combinations for all their users and try those to log into other services. This is why it's important to never reuse passwords.
 
Having to use Twitter to sign in may be annoying, but I really doubt that any of your web browsing traffic goes through Twitter after you've signed in. If it's anything like other services that allow sign-in via Twitter, Facebook, or Google, your account is just used for authentication. I mean, sure, BAI could be feeding a list of all the URLs you visit back to Twitter, but they'd have to go to a fair amount of effort to collect all that data, correlate it with your sign-in account, and then send it to Twitter. Does the privacy policy say anything about this? Has anyone actually read the privacy policy?

The Star ran a story on this a few days ago that might clear up some concerns:
http://www.thestar.com/news/gta/tra...i-users-need-twitter-accounts-this-month.html

You can put me in the "it's really not a big deal" camp.
When I tried to use it the other day, I recall that I didn't like the permissions thing. I've authorized many apps to log in through both Facebook and Twitter, but this one seemed more intrusive than most. I should have screen capped it. At any rate, it didn't work, just kept looping back to the Twitter log in.
 
Well, the TTC wifi is unencrypted (I believe) so your Twitter password is available to anyone with the right set-up.

This depends if Twitter is using SSL on their logon page or not. Also, this would apply to any website where you enter logon credentials.

Nope. I can nearly guarantee you that Twitter encrypts all passwords. Sending passwords over the internet without encryption is a huge nono, and there's no way a company as large as twitter would be caught with their pants down. If Twitter was sending passwords in cleartext this would be an enormous security problem.

A quick overview of how it works:

With encrypted WiFi everything transmitted is encrypted. Nobody will be able to snoop on your data, assuming proper encryption.

Individual websites/services can also encrypt their data. That means that even if you were working on an unencrypted WiFi connection, the person snooping on your WiFi wouldn't be able to see the content of the data being sent between you and the encrypted webs service. However, data sent between you and web services that are unencrypted can be snooped on.

Actually, on an open wi-fi network, it is not only possible but tremendously easy to strip SSL away from any info. A friend of mine, a software engineer, was actually on a CBC segment a few years ago demonstrating this--at a public library, they had the reporter use the open wi-fi, and login (with fake data) to very-well-encrypted online banking; 10 seconds later they had her login information in text form on their laptops.

It is a common misconception that, when on unsecured wi-fi, SSL still works. It absolutely does not. Anybody standing in that subway station can, with near-zero effort, get your twitter username and password--though twitter login or not, yes, anything you enter while connected to the network has always been subject to that risk as well, I solve that by simply checking traffic and streetcar positions on the wi-fi, which I can no longer do without exposing my twitter password at these new stations.
 
Actually, on an open wi-fi network, it is not only possible but tremendously easy to strip SSL away from any info. A friend of mine, a software engineer, was actually on a CBC segment a few years ago demonstrating this--at a public library, they had the reporter use the open wi-fi, and login (with fake data) to very-well-encrypted online banking; 10 seconds later they had her login information in text form on their laptops.

It is a common misconception that, when on unsecured wi-fi, SSL still works. It absolutely does not. Anybody standing in that subway station can, with near-zero effort, get your twitter username and password--though twitter login or not, yes, anything you enter while connected to the network has always been subject to that risk as well, I solve that by simply checking traffic and streetcar positions on the wi-fi, which I can no longer do without exposing my twitter password at these new stations.
So make a fake Twitter account with a password you don't use anywhere else. Not that hard. It's the price you have to pay for free wifi.
 
May I ask why does anyone care about using wifi in the subway stations? How much web browsing can you possibly pull off within the minute or two before the train arrives?
 
Actually, on an open wi-fi network, it is not only possible but tremendously easy to strip SSL away from any info. A friend of mine, a software engineer, was actually on a CBC segment a few years ago demonstrating this--at a public library, they had the reporter use the open wi-fi, and login (with fake data) to very-well-encrypted online banking; 10 seconds later they had her login information in text form on their laptops.

Indeed. The attacker needs to be on the wifi to capture packets right from the beginning (during the SSL connection setup), at which point it is basically a hijack attack and SSLStrip would take care of most of it. This, of course, works on wired networks too if the attacker can get access to your data (yay switches that become hubs when you enable promiscuous mode).

Using most types of VPN over the public WIFI (private key on both ends) ought to be safe.
 
Last edited:

Back
Top