We put a lot of emphasis on keeping ourselves secure from internet threats. But what if the threat is on our own network? How do we stay safe then?

How do I stop my brother from seeing my surfing habits in my wireless laptop? In our house he has the Desktop and the cable router. I've set the connection up with WPA-PSK and I have a Norton internet security 2007 and my windows firewall is on with the don't allow exceptions checked; is that enough?

I can't help you with your brother, but I want to address this question because it raises a number of issues around the assumptions that we make when using our computers at home: assumptions that can affect our security and our privacy.

If you have a tech-savvy snoopy brother like the person asking this question, you won't like the answer.

When we set up a home network we put a lot of emphasis on security, or more specifically keeping "us" safe from "them". By "them" we mean all the purveyors of spyware, viruses and what-have-you out on the internet, and by "us" we mean the machines at home, usually on our local network.

In fact, we often think of the line coming into our home as the boundary. On the internet side of our router or broadband modem is "them" - the internet - with "us" on the local network or LAN side.

The implicit assumption we're making is that every machine and user on our LAN is trustworthy. I'll guess that more than 80% of the time that's a valid assumption. It's certainly the explicit assumption I make on my home network.

What if that assumption is wrong? What if you can't trust everyone on your home network?

Then you have to treat your home network as if it were the internet. Then you have to set up things like firewalls on each machine you want to keep safe.

Then you need to start thinking about privacy in a whole different way.

And that last one isn't pretty.

I know the original question was about wireless sniffing, and I've discussed some of the issues there before. Using WPA is one good way to keep things fairly secure. But there's a much, much larger problem here than just wireless.

There was an interesting statement in the question: "In our house he has the Desktop and the cable router." The desktop's no biggie, but the router? That's huge. Whoever controls the router has immense power. Whoever has access to the router can typically monitor which sites you visit. Depending on the router, they may even be able to monitor the traffic itself - reading your email or viewing the web sites you view.

In the worst case whoever controls your router or connection to the internet could go so far as to insert a hub "upstream" and be able to monitor all internet traffic going to and from your entire home network.

Scared yet? It gets worse.

As we've heard with the recent router admin password vulnerability, it's possible to configure many routers to misdirect you. You may enter "google.com", but the router could send you somewhere else entirely. This depends on your router's capabilities, and the expertise of the person controlling the router. It's not common, but it is possible.

So what do you do?

It depends on your level of paranoia. If the person controlling your router isn't that savvy, you may be quite safe in simply making sure your WiFi is encrypted by using WPA or even WEP and leaving it at that.

If they are savvy, and you believe that they have reason to invest a lot of effort trying to spy on you, things get very difficult. Some things you may want to do include:

  • Only connect to web servers via https. This encrypts all the data between your machine and the server, and renders it inaccessible to anyone in between, including whoever's running your router. The bad news? First, not all websites - in fact very few - have https connections for anything except ecommerce. And second, even though he can't see the data, your router admin can still see which sites you're connecting to.

  • Consider using an anonymous service such as TOR. Not only does this encrypt the connection leaving your machine, as https does, but it also hides which web sites you're visiting. The downside is that it can be much slower, and I believe it'll be obvious that you're using it - meaning that it'll be obvious to whoever's monitoring your router that you're hiding something.

  • Use an encrypted connection to your email. Email is normally sent "in the clear" and thus could be read by anyone who has access to your router or internet traffic and knows how to do it. You can either encrypt the contents of your email - which still leaves the information about who you're emailing visible - or you can use an encrypted connection to your email provider. That could be as simple as using an https-based web interface, or if your email provider supports it, configuring an SSL connection in your mail program's account settings.

There's a common theme above and that's "encryption". You can't stop the person who has administrative access to your router from being able to see your data. You can encrypt that data so that it's of no use to them.

Now, I'll definitely admit that all that does sound like so much paranoia. Certainly sibling interaction could be one reason for paranoia, but there could be other reasons as well depending on personal situations.

However, I do want to be very clear that for most people there's really nothing to be concerned about. We're the only ones to play with our own routers, and we may not even have the skills to set up this advanced type of network sniffing and monitoring. As long as we've protected ourselves properly from "them" - the bad guys out on the internet - we're safe on our LAN.

But I do think that it's important to understand what assumptions that safety entails.

Article C2941 - February 22, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

6 Comments
ronny
February 22, 2007 3:39 PM

>In the worst cast whoever controls

In the worst case...

Leo A. Notenboom
February 22, 2007 3:46 PM

Thanks. Fixed. :-)

Scott
February 23, 2007 6:38 PM

What comes to my mind is....why would he care if his brother knows where he surfs? Hmmmmmm...Gee, what are you up to???

Tony
February 24, 2007 4:54 AM

Great article along with the related links!!!!!!

kwasi
February 26, 2007 2:20 AM

do want to say my boss read all our e-mails.

Bob
May 8, 2007 10:13 AM

Thanks for all the info. When I am connected thru my cable network and also have my wireless connection enabled, does the unknown person in the neighborhood who is leaking his connection (and I am picking up) have access to my internet usage since they are the ones with the router?
