The Insecurity of Unencrypted Communications
by Eric Thomas Black
The original design of the common protocols in use on the Internet did not give a lot of concern to security. The primary emphasis on the research was how to transmit the information from one source to another. Little thought was given to keeping that information secure while it was being transmitted. The primary problem is that the primary protocols; Telnet, FTP, HTTP, and POP all transmit their information in clear text.

Clear text or plain text is what we call unencrypted information. The problem with clear text is that it is readable on the internet by anyone with a sniffer. Well, what's a sniffer? A sniffer is a program that puts an ethernet card into "promiscuous" mode thus allowing it to read all of the packets on a given subnet. Now, in order to take the best advantage of this, a person using a sniffer would want to place it on or near a switch so that it could get all of the traffic coming into or out of a network.

Imagine it this way, you are mailing post cards across the country. Now the post card is easily readable by anyone who picks up the post card. So there is a post worker down at your local post office who is reading all of the post cards that come through the Post Office. Now, knowing that anyone can read your post card you are not going to be putting critical information (such as your credit card number) on that post card. No, you are going to put it into an envelope so that the postal handlers or whomever is reading it cannot read it easily.

This is where encryption comes in. Using the previous metaphor, encryption is an envelope that can not be opened by anyone handling the mail (even if they wanted to). Each of the primary protocols now has an equivalent that is encrypted. For instance, replace Telnet with SSH, FTP with SCP or SFTP, HTTP with HTTPS, POP with Secure IMAP.

So what is encryption? Here is a definition:

The conversion of data into a secret code for transmission over a public network. The original text, or plaintext, is converted into a coded equivalent called ciphertext via an encryption algorithm. The ciphertext is decoded (decrypted) at the receiving end and turned back into plaintext.

The encryption algorithm uses a key, which is a binary number that is typically from 40 to 128 bits in length. The greater the number of bits in the key (cipher strength), the more possible key combinations and the longer it would take to break the code. The data is encrypted, or "locked," by combining the bits in the key mathematically with the data bits. At the receiving end, the key is used to "unlock" the code and restore the original data.

So to go back to our original metaphor the information is place in a special envelope that only the receiving party can open because they have the key. If you have ever noticed the key at the bottom of your web browser that is what it refers to. When the key is intact that means you are engaged in encrypted communication with a server, usually via SSL (Secure Socket Layer). That way a person with a network sniffer would not be able to eavesdrop on your conversation with the server. If they were able to eavesdrop it could mean that your username and password would become compromised, or that they would be able to record your credit card information.

While it is technically possible to break encryption via "brute force" techniques, it is a practical impossibility. In order to crack a single 128 bit message would take a single Pentium-based computer a greater amount of time than the age of the Earth. Now, while it is possible to use many computers in conjunction it still does not help significantly in the long run. In order to crack a simple sentence using the 56-bit DES encryption algorythm (an extremely weak form of encryption), it took a specially designed Super Computer plus the aid of 100,000 computers on the Internet 22 hours to break the key. This was for a single sentence. Now, most people aren't going to have the resources of a super computer let alone 100,000 Pcs just to crack your credit card information.

However, if you use unencrypted communication you expose your vital information to anyone with a PC and a simple sniffer program downloadable from hundreds of sites.

Below is a list of protocols that are vulnerable to network sniffing and a list of secure alternatives.


SSH for UNIX or Terminal Server for NT
FTP (File Transfer Protocol)
SCP (Secure Copy Protocol) or SFTP
HTTP (Hypertext Transfer Protocol)
HTTPS/SSL (Secure Socket Layer
Secure IMAP or Secure POP3 (to protect passwords when connecting to server)

S/MIME or PGP Encryption (to protect the contents of your email during transmission)