Screen-friendly
page
Printer-friendly
pageHow Far Should My Information Be Encrypted?
This page contains information about secure data encryption.
Whether or not you should use encryption to protect your network communication depends on its importance. Ordinary pages such as news, campus weather, and the like don't contain information that should be kept secret, so there's no need to encrypt them. On the other hand, any pages that use your identification, such as user names, passwords, credit cards, or banking information, should always be encrypted. Email and wireless network access are two special circumstances explained in more detail below.
In the tables that illustrate encryption levels below, colors are used in addition to text to make the desired levels easier to see at a glance.
- Orange indicates that you should make sure that you use encryption here.
- Blue indicates that encryption is optional and usually not necessary.
- Pink indicates that any connection of this type will automatically be encrypted.
- Green indicates that the encryption status depends on the software you use.
Ordinary information
Summary:
| Your computer | Network | Target computer |
| Optional | Optional | Optional |
Explanation:
When you're looking at ordinary web pages and online applications that don't need personal data, you usually don't need encrypted access. Some sites, like CITES NetFiles, use encryption with all communication for security's sake. Other cites, like Google and CNN, rarely use encryption because the information they provide is clearly public knowledge. Other sites use both: on Amazon and eBay, product pages are not encrypted because they're considered ordinary information, but login screens and personal records are encrypted because they're considered private information.
If a web page begins with https:// and your browser window displays a closed lock in the border, the site is using encryption all the way from your browser to their server.
If the web page begins with http:// and the browser displays an open lock, the page is not encrypted.
Private information
Summary:
| Your computer | Network | Target computer |
| Encrypt | Encrypt | Encrypt |
Explanation:
A general rule of thumb about how far to encrypt sensitive information is that if you're sending information that you wouldn't want to post on a flyer on the Quad, you should use end to end encryption. If all that's private is your password, and you wouldn't mind the rest going on the Quad, simply make sure that any location receiving your password is encrypted, and the rest can be optional. (You'll see this philosophy demonstrated in some Web-based email systems like Hotmail and Gmail, where the password page is encrypted but pages composing email or reading mail are not encrypted.)
Whether or not you're using constant end-to-end security depends on what software you've decided to use and how the server on the other end will communicate.
Most software that accesses a network can be used in either a secure, encrypted mode or an insecure, unencrypted mode. The most common examples include:
| Insecure / unencrypted | Secure / encrypted | |
Web
browsing |
HTTP | HTTPS (with SSL) |
In a web browser, a closed
lock in the border of your browser window and a URL beginning
with https:// indicates that you're using SSL to secure the
information all the way from your computer to their server. |
||
Email |
POP or IMAP | Secure POP / Secure IMAP |
| See the email discussion below for more information about email encryption. | ||
File
transfer |
FTP | Secure FTP (SFTP) |
| FTP is never secure; use SFTP as a replacement that provides full end to end encryption. | ||
Shell
access |
Telnet | Secure Shell (SSH) |
| Telnet is never secure; use SSH as a replacement that provides full end to end encryption. | ||
In the past, it was sometimes difficult to find servers using secure technology like Secure POP and SSH, and regular POP and telnet were more common. Now the situation is nearly the opposite, with secure methods more likely to be required and insecure methods more likely to be prohibited.
Summary:
| Your computer | Network | Email server | Network | Receiving mail server | |
| Password | Encrypt | Encrypt | Encrypt | N/A | N/A |
| Email contents | Encrypt | Encrypt | Encrypt | Optional | Optional |
Explanation:
All email systems treat your password differently than your email. Your password is only sent as far as your email server; email is sent to other servers for other recipients. Until relatively recently, neither your password nor your email could be encrypted during an exchange with a typical email system.
The introduction of SSL, Secure POP, and Secure IMAP made it possible for email servers to keep your password and your communications with your own server encrypted. However, none of those three technologies would secure your email after it leaves your server.
PGP makes it possible to encrypt the contents of your email even after it leaves the server; only the destined recipient of a PGP mail can open it. However, relatively few people use PGP, and both the sender and the recipient must use PGP in order for the privacy features to work as intended.
Therefore, when in doubt, don't send private information like passwords or credit card information through email. If you have no alternative to emailing sensitive information, make sure that both you and your recipient are using PGP and have exchanged public keys.
For more information, see the email security scenario and PGP's executive briefs explaining the principles of what PGP does for email security.
Wireless networking
Summary:
| Your computer | Wireless network | Connection to wires | Wired network | Target computer | |
| UIUCnet VPN | Automatically encrypted | Automatically encrypted | Automatically encrypted | Software dependent | Software dependent |
| UIUCnet QuickConnect | Software dependent | Software dependent | Software dependent | Software dependent | Software dependent |
| Standard wireless | Software dependent | Software dependent | Software dependent | Software dependent | Software dependent |
Explanation:
Wireless networking is inherently less secure than wired networking. With a wired network, information travels through a network cable, and intercepting or eavesdropping requires effort and equipment. With a wireless network, information travels through a broad, unrestricted area and can be intercepted from the air by anyone sharing the same access point.
Both of the most commonly available wireless security standards (called WEP and WPA) have serious flaws in them, to the point where it can take an attacker less than fifteen minutes to break in to a wireless connection.
To combat this problem, CITES offers two security solutions for UIUCnet Wireless users.
- UIUCnet QuickConnect
UIUCnet QuickConnect is a simple way to identify yourself as someone authorized to use the UIUCnet network. Unlike the VPN, you don't need to download and install any special software; as long as you have a web browser and a Network ID, you can connect to UIUCnet Wireless through QuickConnect.
However, QuickConnect doesn't provide any encryption of its own. Therefore, most insecure services (like telnet and FTP) are blocked by QuickConnect, while secure services (like SSH/SFTP) and common services that usually don't need encryption (like browsing web pages) are permitted.
As shown in the table above, there is no functional difference in the amount of networking security of QuickConnect and standard unsecured wireless. If you're allowed to perform a certain type of networking over QuickConnect, your software (web browser, email client, etc.) is the only point of security to rely upon. For more information, see QuickConnect and Security.
- VPN server
The campus VPN server is a more secure and more complex system. It provides encryption between your computer and the campus VPN server, allowing you to use any wireless network (not just UIUCnet Wireless) without allowing other users of the same access point to eavesdrop on your network communications.
In order to use the VPN system, you need to install a compatible VPN client on your computer. You use the VPN client to connect to the VPN server in order to create your encrypted, private connection between your computer and the server. However, the VPN's protection lasts between your computer and the server, and whether or not your data is encrypted beyond that point is again dependent on the software you used. For more information, see Overview of VPN Security.
For more information
For additional examples of how encryption is used in everyday network activities, see: