WEP isn't better than nothing. It is nothing, at least from the perspective of the user of a public hotspot. WEP provides no protection against one machine on that WLAN from reaching another. Thus, it is exactly the same protection as nothing.

The article would have achieved more good if it pushed "always encrypt". This, though, gets into an entirely new topic. For example, email privacy is only partially improved by using secure SMTP and IMAP. That protects two points of possible attack, but every move between SMTP servers and every residence, however brief, on a mail queue somewhere, is another point of possible attack. Better to use end-to-end encryption (ie. PGP).

With respect to SMTP, most ISPs - especially those that are sufficiently savvy as to support encrypted SMTP - will have one or more additional points beyond the standard 25. This is specifically for those mobile clients that are "stuck" behind a firewall that (responsibly, alas!) blocks outbound port 25 access.

There are standard ports assigned to SMTP submission and secure SMTP, but there's often going to be at least one more nonstandard port in use by an ISP as backup (against an especially strict firewall).

The coffee shop staff will know nothing about this, but the user's ISP (or email service provider) should be able to provide the necessary information.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/385/33121#33121