1

I currently use my neighbours' WLAN (with their permission). It uses WPA2 and the DSL router is a Fritz!Box 7170 (see English manual).

What information can a router admin user possibly see without using custom firmware?

Is it possible to see which websites I use? (I don't use Tor. Would this even help?)

Is it possible to see plain-text passwords?

Is it possible to see download volume?

schroeder
  • 129,372
  • 55
  • 299
  • 340
Martin Thoma
  • 3,952
  • 6
  • 33
  • 42

2 Answers2

4

Of your three questions, the answers would be:

  • Yes
  • Yes
  • Yes

So if these are a worry, you need to look at mitigation. What would help is to use https in every possible case - this at least hides passwords and content, but doesn't hide which websites you visit.

Tor can help hide the websites you visit, so if that is a concern to you then yes, run everything through tor. Or you could set up a server on the Internet that allows you to connect to it via SSL and redirect to whatever website you want. This way all your neighbour will see is encrypted traffic to one IP address.

Download volume is something you can't do anything about - other than use a different route to get your data. Perhaps get yourself a router and connection to the Internet.

(Alternatively, don't go to any websites you would be embarrased by if your neighbours found out...)

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
  • I would prefer using my own router, but sadly this is not possible. I'm a student and I neither have a telephone socket nor a tv-antenna jack. And using mobile internet is too expensive. – Martin Thoma Oct 02 '13 at 08:16
  • @RoryAlsops: Websites are not really a problem and download volume also isn't. I guess he might be astonished of the number of websites I visit (damn StumbleUpon) and hopefully the volume I download in total would be ok for him (Telekom has introduced a data limit ... but currently, we are not limited). The real problem I though of are some Websites that don't offer https and need login / apps of which I don't know if the connection is encrypted (Is there a way to find this out without using Wireshark?). The two other questions came to my mind when I wrote the question. – Martin Thoma Oct 02 '13 at 11:56
  • if you absolutely must access sites which don't offer https, your best bet is to route through an SSL tunnel -so Tor is one option here (that is possibly overkill) – Rory Alsop Oct 02 '13 at 12:03
  • Ok, but as I have the possibility to use a VPN, I guess this might be easier (Or does "SSL tunnel" include VPN?). Thank you for answering! – Martin Thoma Oct 02 '13 at 12:14
  • Yes - most VPNs are created through SSL tunnels – Rory Alsop Oct 02 '13 at 12:22
2

To add to what @Rory says, you might want to refine what you mean by "without modification". Technically, every single byte your computer sends and receives will go through the router, so whoever has full control on the router can potentially get a copy of it. Without any form of encryption, he will see everything, including names of Web sites and plaintext passwords (which are called "plaintext" for that precise reason).

Even if the site uses HTTPS, the router admin will be able to deduce the name of the site, from three sources:

  • All IP packets will be tagged with, as destination, the IP address of the server hosting that site.
  • In the initial steps of the SSL handshake, prior to the activation of the encryption, the server will send its certificate, which contains the site name (and the client may also advertise it as part of the SNI extension).
  • Before opening the connection, your computer will first need to obtain the IP address of the target server, and it will do so by sending a DNS request, which is unencrypted and contains the target site name.

However, a basic router will offer a user interface which does not, by default, allow such kind of inspection. So an unskilled neighbour may not know how to alter his router to install such spying (or, similarly, how to install and operate another computer, also linked to that router, and observing the traffic at the WiFi level -- something which may be easier to do, in fact, than catering with the router's configuration options). So it really depends on the extent of knowledge of your neighbour (including the knowledge of his snarky teenage nephew who "does computers", if applicable).

To protect your traffic, you must use an all-encompassing solution, namely a VPN of some sort. All your traffic (including DNS requests) has to go to some server somewhere, with encryption applied for this link. There are commercial VPN providers, who will offer this service... at a cost. If you have SSH access to some machine somewhere, you can also setup a SOCKS proxy which will handle all traffic from your Web browser (but not from, e.g., online game applications).

Community
  • 1
Tom Leek
  • 172,594
  • 29
  • 349
  • 481
  • I am aware of the fact that technically, he could do everything I mentioned above. When I say "without modification" I mean that he does use the router and does only install firmware form the manufacturer. So I trust him in the sense that I don't think he will spy me on purpose. But if there was a simple setting like "record my connection data", he could probably switch it on just because he is interested. So it is basically your "unskilled scenario". Thanks! – Martin Thoma Oct 02 '13 at 11:47