Sin 8: Failing to Protect Network Traffic

Overview of the Sin

Imagine you're at a conference with free WiFi connectivity. As you browse the Web or read your e-mail, all of the images you attempt to download get replaced with a picture of Barbra Streisand, or some other image you don't want to see. Meanwhile, attackers have captured your login information for e-mail and instant messenger. It's happened before (for example, it's a standard trick at conferences like Defcon), and there are tools that make attacks like this easy to launch.

One security professional used to give talks about e-mail security, and at the end of a talk, he would announce a lucky winner. This person would get a T-shirt with his or her e-mail login information on it. Someone else had used a sniffer, identified the username and password, and written the information onto a T-shirt with a felt-tip pen during the talk. It's pretty sad, really: people are usually excited that they've won something, without realizing they never entered any contest. Then, when they figure out what's happening, their excitement turns to major embarrassment! It's all fun and games at a conference, but the sad truth is that, in many environments, e-mail does not receive adequate protection on the wire, due to poorly designed protocols.

These kinds of attacks are possible because so many network protocols fail to protect network traffic adequately. Many important protocols, such as Simple Mail Transfer Protocol (SMTP) for mail relay, Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) for mail delivery, and HyperText Transfer Protocol (HTTP) for web browsing, provide no security at all or, at most, basic authentication mechanisms that are easily attacked. Sure, for the major protocols there are usually more secure alternatives, but people don't tend to use them, because the older, less secure protocols are ubiquitous. Plus, there are plenty of protocols out there that don't have more secure options!
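To show concretely why the authentication in these protocols is so easily attacked, here is an added Python audit (not from the book) that walks a constructed capture of client-side lines and reports which sessions sent a credential in the clear, decoding only enough to name the account so a defender knows which services to move to TLS and which accounts to rotate. The port-to-protocol mapping, the sample lines and the function name `audit_capture` are my assumptions.

```python
import base64
import re

# Constructed sample of client->server lines, one (destination port, line) per entry.
# This is not real traffic; the base64 values are hand-built for the example.
SAMPLE_LINES = [
    (110, "USER alice@example.test"),
    (110, "PASS hunter2"),
    (143, "a001 LOGIN bob@example.test s3cret"),
    (25,  "AUTH PLAIN AGJvYgBzM2NyZXQ="),                 # base64("\0bob\0s3cret")
    (80,  "Authorization: Basic Y2Fyb2w6cGFzc3dvcmQ="),   # base64("carol:password")
    (80,  "GET /index.html HTTP/1.1"),
    (995, "<encrypted>"),                                 # POP3 over TLS: opaque, as it should be
]


def audit_capture(lines):
    """Return [(protocol, username), ...] for every credential sent in cleartext.

    The secret itself is never returned or printed: the finding a defender needs is
    which plaintext protocol was used and which account must be rotated.
    """
    findings = []
    pop_user = None                      # POP3 sends USER and PASS on separate lines
    for port, line in lines:
        if port == 110:                  # POP3: USER <name> / PASS <secret>
            m = re.match(r"USER\s+(\S+)", line, re.I)
            if m:
                pop_user = m.group(1)
                continue
            if re.match(r"PASS\s+\S+", line, re.I):
                findings.append(("POP3", pop_user))
        elif port == 143:                # IMAP: <tag> LOGIN <name> <secret>
            m = re.match(r"\S+\s+LOGIN\s+(\S+)\s+\S+", line, re.I)
            if m:
                findings.append(("IMAP", m.group(1)))
        elif port == 25:                 # SMTP AUTH PLAIN: base64(authzid \0 authcid \0 secret)
            m = re.match(r"AUTH\s+PLAIN\s+(\S+)", line, re.I)
            if m:
                fields = base64.b64decode(m.group(1)).split(b"\0")
                findings.append(("SMTP", fields[1].decode()))
        elif port == 80:                 # HTTP Basic: base64(user:secret), encoding is not encryption
            m = re.match(r"Authorization:\s+Basic\s+(\S+)", line, re.I)
            if m:
                user = base64.b64decode(m.group(1)).split(b":", 1)[0]
                findings.append(("HTTP", user.decode()))
    return findings


if __name__ == "__main__":
    for proto, user in audit_capture(SAMPLE_LINES):
        print(f"{proto}: account {user!r} authenticated in cleartext; migrate to TLS and rotate")
```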



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
ISBN: 71626751
Year: 2003
Pages: 239
