
Article:
  Wireless Security on the Road Without a VPN
Subject:   A for effort, C for execution
Date:   2006-06-20 17:54:07
From:   chris_barker
All of this is good advice and, as the previous poster brought up, should be followed wherever you are, but I think the article as a whole kind of missed its intended point. Also it seems a little insincere for the author to ask us to trust O'Reilly and its authors' personal sites blindly.


If the target audience is readers who don't have access to or can't figure out how to set up VPNs, most of the advice presented here probably won't make much sense and some of it is actually wrong. Using the "secure" (encrypted) version of any protocol helps a little bit but honestly your messages are going to end up unencrypted somewhere so it's not a cure-all by any means.


Additionally due to the way DNS really works, the advice presented here is just hogwash. DNS is in no way a "standalone" thing, even the best servers almost always depend on as many as 40 other servers which are outside of the "good" server admin's control. If one of those gets compromised, you still get "bad" DNS.


Using IP addresses instead of URLs is also pretty much useless. If someone is monitoring your web access they can capture and check the IP address of a server just as easily as reading an interesting URL.


OK, having said that, if readers are interested in setting up "stronger" connectivity for email, ask the people who take care of your mail service if they support SSL (sometimes called TLS) for POP and SMTP (receiving and sending) and ask them for the details you will need to use SSL/TLS. Once that's done, if you are using Mail.app, go into the preferences and account settings to enter these changes for each of your accounts. If you check the checkboxes for SSL/TLS in your preferences, Mail.app will change the port numbers used to connect to your mail server(s). The numbers it uses are the standard ones, but make sure they match what your provider told you for the details of their servers. Some providers may try and tell you these things only work with MS Outlook, but I've found that Mail.app does SSL/TLS for POP & SMTP just fine. Don't forget that this connection is only "secure" between your computer and the mail server itself. Once your mail leaves the server it's sent in the clear.


In any case, the advice to look for https in a URL or to use SFTP, SSH, etc. is good. Just remember that it's still not any kind of guarantee of security.


If you are even mildly serious about security when traveling for business, make your techies set up an IPSEC VPN. Almost every firewall on the market includes this feature and your Mac has the client software built in. There are plenty of good books about setting up IPSEC VPNs out there for less than the cost of a business dinner. Unfortunately the first and second edition of the O'Reilly VPN books cost more than a pizza and were far less satisfying.
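A small audit helper for the mail settings Chris describes (an added example, not code from the original thread): it checks provider-supplied POP/SMTP details against the standard SSL/TLS ports that Mail.app switches to, flags plaintext configurations, and, when run with network access, lets Python's default SSL context verify the server's certificate chain and hostname. The function names and the standard-port table are assumptions of this example.

```python
"""Audit POP/SMTP account details before typing them into a mail client.
Hypothetical helper written for this thread; not part of the original post."""
import poplib
import smtplib
import ssl

# Standard ports a client switches to when the SSL/TLS box is ticked.
# "implicit" = TLS from the first byte; "starttls" = upgrade after connecting.
STANDARD_PORTS = {
    ("pop3", "implicit"): 995,
    ("pop3", "starttls"): 110,   # POP3 STLS rides on the plaintext port
    ("smtp", "implicit"): 465,
    ("smtp", "starttls"): 587,
}

def audit_settings(protocol, port, tls_mode):
    """Return a list of warnings for one provider-supplied account setting.
    tls_mode is one of "none", "implicit" or "starttls"."""
    warnings = []
    if tls_mode == "none":
        warnings.append(f"{protocol} on port {port}: credentials and mail travel in the clear")
        return warnings
    expected = STANDARD_PORTS.get((protocol, tls_mode))
    if expected is None:
        warnings.append(f"{protocol}: unknown TLS mode {tls_mode!r}")
    elif port != expected:
        warnings.append(f"{protocol}: provider says port {port}, standard {tls_mode} port is {expected}")
    return warnings

def verify_server_tls(host, port, protocol, tls_mode, timeout=10):
    """Connect and let the default SSL context verify chain and hostname.
    Returns the certificate's notAfter field; raises ssl.SSLError on failure.
    Needs network access, so the offline checks above do not call it."""
    ctx = ssl.create_default_context()   # CA chain + hostname verification on
    if protocol == "pop3":
        if tls_mode == "implicit":
            conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)       # upgrade the plaintext session
    else:
        if tls_mode == "implicit":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)   # upgrade the plaintext session
    cert = conn.sock.getpeercert()       # only reachable if verification passed
    conn.quit()
    return cert.get("notAfter")

if __name__ == "__main__":
    # Constructed sample: a provider that hands out a plaintext POP port.
    for w in audit_settings("pop3", 110, "none") + audit_settings("smtp", 25, "implicit"):
        print("WARNING:", w)
```

Run the audit against the numbers your provider gives you, then `verify_server_tls("mail.example.com", 995, "pop3", "implicit")` (a placeholder host) to confirm the certificate actually validates before trusting the connection.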


  • A for effort, C for execution
    2006-06-21 00:10:54  FJ de Kermadec | O'Reilly Blogger

    Chris,

    I am afraid I wasn't clear: in no way am I asking you to trust O'Reilly or its authors blindly. The examples I quote are simply URLs of "general purpose" sites that do not make logging into a system or passing along confidential information mandatory. You'll notice I rely on good old "*.example.com" a couple times in the article but, for the sake of diversity, thought I should also quote some real world examples.

    Encrypted protocols certainly do not encrypt the message on the destination server. That is not what they are intended to do. In that, I do not believe recommending that they be used to be "wrong". If one cannot expect one's email provider or host to take reasonably good care of one's accounts, then the problem goes beyond what most users would be able to solve by themselves.

    As far as DNS goes, I agree as well: the way it works makes it easy for one bad server to poison a great many downstream servers. Yet, if one is on a particularly weak link, it cannot hurt to bypass that one, which brings the odds of a "bad server" back to those one would encounter on a home or small business connection.

    I also agree about the IP. On a moderately busy WiFi network however, access logs can be pretty large. Conducting a reverse DNS lookup, no matter how easy, is an additional step to take for someone who will, anyway, normally have a great many addresses to look up. Also, note I am not recommending one use IP addresses to thwart shoulder surfers but simply as a way to avoid relying on the local DNS server.

    All in all, we seem to agree! Remember this article is intended for readers who do not have a "techie" at hand, which is a vast majority of users. And as far as firewalls including VPN servers, I am afraid this is not the case: most of them allow for VPN pass-through but they do not act as servers themselves.

    FJ