Watch out for these protocols!

We all consciously or unconsciously use some kind of protocols. If we wanted to abandon them altogether, we would have to give up not only the Internet but also the telephone. Protocols are communication standards that cover hardware specifications and the exchange of data between sender and receiver. As a rule, protocols are designed to serve users for many years and to survive updates of the programs that use them. When we upgrade a program from version 10 to version 11, we can expect the new version to use exactly the same protocol: the program gains new functionality after the upgrade, but the protocol it uses very often stays the same. What is rarely said is that, like software, protocols also age and need to be replaced from time to time. Such a need is actually quite rare. However, if everything indicates that you are using an old protocol that is now considered unsafe, or one that has since gained a much better replacement, you should very seriously consider an upgrade. In today’s episode, we will list five protocols that, for various reasons, are worth watching out for and are still quite popular.

As a rule, protocols are updated along with either the software or the operating system. Once the software is updated, we simply select in the program’s settings which protocols we want to use: from the list of available protocols, we choose the one that is more secure or more efficient. So if any of you are using one of the protocols I am about to list, I encourage you to review the alternatives. There is nothing to install here beyond the software itself, and it is a good idea to review the protocols available in our programs once a year.

FTP

The first protocol to always look out for is FTP, or File Transfer Protocol, an extremely popular protocol for transferring files. The origins of FTP date back to the early 1970s, when the name “Internet” was just being forged in the academic community and there wasn’t much talk of hackers. In those days, little thought was given to securing data as it travelled between computers. And so a standard was created that sends all usernames and their passwords in plain text during authentication. They are not encrypted, so anyone able to intercept our communication over this protocol can very easily read these credentials and, if they want to, anything we download or send. FTP was a great protocol for its time, but today it does not meet basic security standards. Let’s imagine a scenario like this. Suppose I have my own website on some server. I upload the site’s graphics and code there via FTP. Someone eavesdrops on my communication and quickly learns my username and password. I guess the easiest thing for such a hacker to do would be to log into my site and start hosting content that damages the company’s image. But that would probably be too easy. After all, I’ll find out pretty quickly that something is wrong and I’ll act quickly. I’ll learn to put more weight on security and start preparing for such situations. What if the hacker is smarter? Instead of doing something that immediately attracts attention, he will decide to put something on the server that goes unnoticed for a long time. Maybe it will be a cryptocurrency miner? Maybe he’ll attach the server to a botnet, or send spam? Or, even worse, he will start checking whether my e-mail has the same password as my FTP account. And if I don’t use a different password everywhere, how many services have I given him access to in this way? I could multiply such scenarios many times over.
FTP is one of the least secure protocols today, and yet I very often catch myself using it routinely. If I don’t know exactly the communication path between my laptop and the target server, I don’t use this protocol, because it is simply unsafe. There are good replacements for FTP and they are readily available. One is called SFTP and the other is called FTPS. Both are in effect FTP, but with an additional encryption tunnel provided by other, newer technologies. These protocols provide security and confidence that the server you are connecting to is actually the one it claims to be. Ordinary FTP simply relied on trust: we had to trust that the target server was actually who it claimed to be. In general, I don’t rule out FTP completely. For transferring public data, or inside a private network, it can still be useful. I only want to make you aware of the security aspect of the Internet, which is an untrusted network. If our communication goes over the Internet, we must always assume that someone may be watching, and FTP will not protect us from that.
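The two points above, that plain FTP exposes the password and the files, and that FTPS adds an encrypted tunnel plus server verification, can be checked in code. The following is an added example (not from this episode): it audits a list of configured upload targets for plain `ftp://` URLs, and builds an explicit-FTPS client with Python’s standard `ftplib.FTP_TLS` that verifies the server certificate and, importantly, also encrypts the data channel with `PROT P`. The host names are placeholders, and nothing here connects to a network; `upload_over_ftps` is only shown for the sequence of steps.

```python
"""Added example: refuse plain FTP, and build an FTPS client that encrypts both the
control channel (where USER/PASS travel) and the data channel (where files travel).
Host names below are placeholders; audit_transfer_urls and make_ftps_client work offline."""
import ssl
from ftplib import FTP_TLS
from urllib.parse import urlsplit

# Whether each transfer scheme protects credentials and payload in transit.
SCHEME_ENCRYPTED = {"ftp": False, "ftps": True, "sftp": True}


def audit_transfer_urls(urls):
    """Return (url, verdict) pairs; verdict is "ok", "plaintext" or "unknown".

    Useful for sweeping deployment scripts or backup configs once a year,
    as the episode suggests, for targets that still use plain FTP.
    """
    findings = []
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in SCHEME_ENCRYPTED:
            findings.append((url, "unknown"))
        elif SCHEME_ENCRYPTED[scheme]:
            findings.append((url, "ok"))
        else:
            findings.append((url, "plaintext"))
    return findings


def make_ftps_client(timeout=30):
    """Build an explicit-FTPS client that insists on a valid server certificate.

    ssl.create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True, so a server presenting a certificate for a different
    name is rejected. That is the "is the server who it claims to be" guarantee
    that ordinary FTP never had.
    """
    ctx = ssl.create_default_context()
    return FTP_TLS(context=ctx, timeout=timeout)


def upload_over_ftps(host, user, password, local_path, remote_name):
    """Upload one file so that neither the password nor the file is readable on the wire."""
    client = make_ftps_client()
    client.connect(host, 21)
    client.auth()            # AUTH TLS: encrypt the control connection BEFORE sending USER/PASS
    client.login(user, password)
    client.prot_p()          # PROT P: encrypt the data connection too; without this step the
                             # login is protected but the file bytes still travel in the clear
    with open(local_path, "rb") as fh:
        client.storbinary(f"STOR {remote_name}", fh)
    client.quit()


if __name__ == "__main__":
    # Constructed sample: targets as they might appear in a deployment script.
    sample = [
        "ftp://deploy@ftp.example.invalid/site",     # placeholder host, plain FTP
        "sftp://deploy@files.example.invalid/site",
        "ftps://deploy@files.example.invalid/site",
    ]
    for url, verdict in audit_transfer_urls(sample):
        print(f"{verdict:9s} {url}")
```

The `prot_p()` call is the step most often forgotten: explicit FTPS clients that only run `auth()` protect the login but send directory listings and file contents unencrypted.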

POP3

The second protocol that is no longer worth using is POP3, or Post Office Protocol version 3. This is by now quite a vintage protocol for retrieving e-mail from a server with mail clients such as Thunderbird. Its capabilities are rather limited. For example, it only lets you download an e-mail message in its entirety. With this protocol it is not possible to download just the header of a message, or to skip the images and download only the text. How many times have we received a notification about a message that clearly does not interest us? For example, we received an offer for a discount on some product because we carelessly signed up for a mailing list. Seeing the header of such a message, we immediately know that it will land in the trash in a moment. Unfortunately, with POP3 we can only download the whole message to our devices and then delete it. This creates an additional risk. If the message is infected, we will download all of it, malicious code included. If we delete the message right away, probably nothing will happen, but why create another dangerous situation and generate unnecessary network traffic?

Nowadays, most of us have several e-mail accounts. Even someone who tries to minimize the number of mailboxes usually has at least two, one private and one for work. If we use POP3 to synchronize our messages with our computer, they all end up in one directory. This loses the natural division of e-mail into personal and work matters. In addition, the default setting of e-mail clients is almost always to download the message from the server and delete it there. The result is that a received e-mail is effectively moved rather than copied: once it lands on one of our devices, it cannot reach another, because it has already been deleted from the server. The outcome is chaos in our messages. We have some on our smartphone, others on our laptop and still others on our tablet. Nowhere do we have all of them. Usually the mail client can be configured to leave e-mail on the server, but you have to remember this every time you configure a new client, such as on a new laptop or smartphone. A good replacement for POP3 is the IMAP protocol. It solves all the problems mentioned above. It can download whole messages or only parts of them. So we can see just the subject and sender of a message and order its deletion on the server, without ever downloading it locally. IMAP lets us synchronize multiple directories and multiple mailboxes while preserving the directory structure. So if you have several mailboxes with different directories, IMAP will keep the entire structure after synchronization. IMAP synchronizes e-mail by default, that is, it brings the older state in line with the newer one. If a change has occurred on the server, such as a new e-mail, the state on our device is updated. If, on the other hand, the change occurred on our device, the state on the server is updated. So to delete something from the server, all we need to do is delete it locally.
IMAP is undoubtedly a better protocol than POP3, and for this reason it is worth taking an interest in it.
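To make the header-only point concrete, here is an added example (not from this episode) that simulates, in Python, the difference between pulling every message whole, as the episode describes POP3 doing, and asking the server for headers only with IMAP’s `BODY.PEEK[HEADER]`, deciding from those headers, and deleting on the server without downloading the body. The mailbox contents, including a large fake attachment, are constructed for the demonstration; no mail server is contacted, and `server_header_only` stands in for what a real IMAP server would return.

```python
"""Added example: header-only triage as IMAP allows it, versus whole-message download.
The mailbox below is constructed; server_header_only simulates the IMAP server's
answer to BODY.PEEK[HEADER] (PEEK also leaves the message unmarked as read)."""
from email import policy
from email.parser import BytesHeaderParser

# Constructed server-side mailbox: UID -> raw message bytes.
MAILBOX = {
    1: (b"From: boss@example.invalid\r\n"
        b"Subject: Q3 budget\r\n"
        b"Message-ID: <a1@example.invalid>\r\n"
        b"\r\n"
        b"Please review the figures before Friday.\r\n"),
    2: (b"From: deals@shop.example.invalid\r\n"
        b"Subject: 50% off today only!\r\n"
        b"List-Unsubscribe: <mailto:unsub@shop.example.invalid>\r\n"
        b"Content-Type: multipart/mixed; boundary=b\r\n"
        b"\r\n"
        b"--b\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Disposition: attachment; filename=\"invoice.exe\"\r\n"
        b"\r\n"
        + b"MZ" + b"\x00" * 4000 +     # constructed fake binary attachment
        b"\r\n--b--\r\n"),
}


def server_header_only(raw):
    """Simulated IMAP BODY.PEEK[HEADER]: only the bytes up to the first blank line leave the server."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    return head + sep


def unwanted(headers):
    """Decision rule on headers alone: bulk mail carrying List-Unsubscribe is not worth fetching."""
    return headers.get("List-Unsubscribe") is not None


def triage_mailbox(mailbox):
    """Fetch headers only, decide, and return (uids_to_delete, bytes_fetched, bytes_on_server)."""
    parser = BytesHeaderParser(policy=policy.default)   # parses headers, never the body
    to_delete, fetched, total = [], 0, 0
    for uid, raw in sorted(mailbox.items()):
        total += len(raw)
        head = server_header_only(raw)
        fetched += len(head)
        if unwanted(parser.parsebytes(head)):
            to_delete.append(uid)
    return to_delete, fetched, total


def imap_delete_commands(uids):
    """Commands an IMAP client sends to delete on the server; the body is never transferred."""
    cmds = [f"UID STORE {uid} +FLAGS (\\Deleted)" for uid in uids]
    if uids:
        cmds.append("EXPUNGE")
    return cmds


def pop3_download_size(mailbox):
    """POP3 RETR, as the episode describes it, brings down each message whole, attachment included."""
    return sum(len(raw) for raw in mailbox.values())


if __name__ == "__main__":
    uids, fetched, total = triage_mailbox(MAILBOX)
    print(f"IMAP: fetched {fetched} header bytes of {total} on the server, deleting {uids}")
    print("POP3 would have downloaded", pop3_download_size(MAILBOX), "bytes")
    for cmd in imap_delete_commands(uids):
        print("C:", cmd)
```

The mailbox in the example is deliberately tiny, but the ratio is what matters: the client reads a few hundred header bytes, never receives the attachment, and still removes the message from the server.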

Wired Equivalent Privacy

The third protocol should actually be disabled everywhere right away. This is WEP, or Wired Equivalent Privacy. Recall that wireless devices connect to the network via radio waves. Since these are radio waves, eavesdropping on all communication would only require an antenna for the right frequency, standing close enough with it and starting to receive. WEP was introduced in 1997 to secure these communications. Since you can’t hide the transmitter and receiver, you have to encrypt the messages you send and receive. This way, even though we know which device is sending and which is receiving, we will not know the content of the communication. The purpose of WEP was precisely to provide such encryption. Unfortunately, as the computing power of computers has grown, breaking WEP has become quite easy. Today, after collecting enough data with such an antenna, cracking the password can take less than 60 seconds. Although WEP has been considered outdated since 2004, you can still come across devices that use it. I encourage you to review your WiFi router’s settings right away, replace the WEP standard with the newer WPA2 and set a strong password of at least 16 characters. If your router only supports WEP or WPA and does not support at least WPA2, I would seriously consider replacing it with a newer device. I encourage you to review your devices and, of course, change the default password to a longer and more difficult one.

HTTP

The fourth protocol to watch out for is HTTP. This is the protocol we use to view websites, and also the one our smartphone apps usually use to connect to their servers. I will say at the outset that it is impossible to stop using HTTP altogether. In the era of web applications, HTTP is a total mainstay. I just want to make you aware of the difference between HTTP and HTTPS. HTTPS is basically HTTP with an additional encryption tunnel that guarantees security and allows you to verify that the server you are connecting to is actually what it claims to be. When we connect to a website over HTTP, every device in the communication path between us and the server is able to “see” what we are doing. HTTPS, by providing encryption, not only hides all of this but also allows the other side to be verified. It can be risky to enter passwords over HTTP or to download files that matter to us. On the other hand, if we are looking up our dentist’s website just to find a phone number to make an appointment, one might consider the additional security not that important. Of course, I leave the question of how much privacy matters to each listener to judge by their own standards. In any case, using HTTP without an additional layer of security may be acceptable, depending on the specific case. Unfortunately, to this day I still see unsecured websites with contact forms where you have to enter your personal information and phone number. I advise against trusting such sites. Providing HTTPS is very cheap today, so its absence is, in my opinion, a sign of negligence. Recognizing whether you are using HTTPS is very simple: just look for a padlock or certificate symbol in the URL bar at the top of the browser window. When we click on it, we should be able to see the security certificate.
Passwords, logins, personal information, financial information or actually anything that should remain classified should be sent over HTTPS and not over unsecured HTTP.
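The contact-form problem described above can be checked automatically when reviewing a site. Below is an added example (not from this episode): a small Python auditor built on the standard `html.parser` that finds every form on a page, resolves where it submits to, and flags forms that would send password or personal-data fields over plain HTTP. The page HTML is constructed, and the field-name keyword list is an assumption you would tune for your own sites.

```python
"""Added example: flag HTML forms that would submit personal data over unencrypted HTTP.
The sample page below is constructed; SENSITIVE_NAMES is an assumed keyword list."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as personal or secret data (assumption, tune per site).
SENSITIVE_NAMES = ("phone", "tel", "email", "name", "address", "password", "card")


class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved submission URL and its sensitive fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme, so an http:// page
            # makes even action="/send" an unencrypted submission.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "sensitive": []}
        elif tag in ("input", "textarea") and self._current is not None:
            name = (attrs.get("name") or "").lower()
            typ = (attrs.get("type") or "text").lower()
            if typ == "password" or any(key in name for key in SENSITIVE_NAMES):
                self._current["sensitive"].append(name or typ)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return (action_url, sensitive_fields) for every form posting personal data over http."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    findings = []
    for form in auditor.forms:
        if urlsplit(form["action"]).scheme == "http" and form["sensitive"]:
            findings.append((form["action"], form["sensitive"]))
    return findings


# Constructed sample page: a contact form, a legacy form posting elsewhere, a search box.
SAMPLE_PAGE = """
<form action="/send" method="post">
  <input name="fullname"><input name="phone"><textarea name="message"></textarea>
</form>
<form action="http://legacy.example.invalid/contact" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for page in ("https://example.invalid/contact", "http://example.invalid/contact"):
        print(page)
        for action, fields in audit_forms(page, SAMPLE_PAGE):
            print("  UNENCRYPTED:", action, fields)
```

Run against the same HTML, the HTTPS page yields one finding (the form that posts to an absolute `http://` URL), while the HTTP page yields two, because the relative `/send` action now inherits the unencrypted scheme; the search form is never flagged since it carries no personal data.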

SMB

The last protocol to watch out for is SMB version 1. Some of you are probably wondering what SMB even is and what it is used for. Well, SMB, or Server Message Block, is a protocol used in Windows systems to share files and printers over a network. It is the most popular protocol for such purposes. It has since been succeeded by versions 2 and 3 and newer. From a security point of view, however, we should be most interested in SMB version 1, or SMBv1 for short. The history of this protocol dates back to the early 1980s. SMBv1 was declared outdated in 2013 and is not installed by default on newer operating systems. However, there are still many old devices, such as network printers or file servers, that use this protocol. Most people reason that if something works, there is no need to replace it. And so we very often maintain a very old infrastructure, while laptops and smartphones are replaced much more readily. And to make these devices work with an old printer or file server, we sometimes knowingly run an outdated protocol ourselves. In May 2017, an entire group of SMBv1 vulnerabilities, called EternalBlue, was published. Using these vulnerabilities, a hacker is able to run virtually any code on a server running this protocol or to block its communications. Also in 2017, there was a massive attack on Windows computers that used this protocol. These machines were infected with malware called WannaCry or WannaCrypt, which encrypted the entire contents of their drives and demanded a ransom to decrypt them. It is estimated that some 300,000 computers in nearly 100 countries were infected in this way. In fairness, it should be acknowledged that Microsoft has released patches for SMBv1, but it is estimated that about a million old devices that have not been updated may still be vulnerable. I encourage you to check whether one of your older devices happens to be using SMB version 1.
It is possible that the device will serve for years without any problems. However, it is enough to give a friend your Wi-Fi password, or to unknowingly bring home some malicious code on your laptop, and you may fall victim to an attack. It’s not worth the risk, especially if you store important files on a server with this protocol.
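Before switching SMBv1 off on a Windows file server, it helps to know which devices are still speaking it, so that the old printer or NAS does not simply stop working. Windows can audit this: `Set-SmbServerConfiguration -AuditSmb1Access $true` makes the server write an event (ID 3000, "SMB1 access", with the client address) to the Microsoft-Windows-SMBServer/Audit log for every SMBv1 connection. The following is an added example (not from this episode) that summarises such records in Python. The export format is an assumption: it expects one event per line as tab-separated time, event ID and message, and the sample lines are constructed to approximate that event text.

```python
"""Added example: tally SMBv1 clients from an exported SMBServer/Audit log.
Assumed export format (not a Microsoft format): one event per line, tab-separated
"time<TAB>event_id<TAB>message". SAMPLE_EXPORT is constructed."""
import re

SMB1_ACCESS_EVENT = 3000   # Microsoft-Windows-SMBServer/Audit event "SMB1 access"
ADDR_RE = re.compile(r"Client Address:\s*([0-9A-Fa-f:.]+)")

# Constructed sample export: two SMBv1 clients plus an unrelated event to be skipped.
SAMPLE_EXPORT = """\
2024-05-02T08:14:22\t3000\tSMB1 access. Client Address: 192.168.1.23
2024-05-02T08:14:25\t1001\tThe server received a request that could not be processed
2024-05-02T09:02:10\t3000\tSMB1 access. Client Address: 192.168.1.40
2024-05-02T11:47:51\t3000\tSMB1 access. Client Address: 192.168.1.23
"""


def smb1_clients(export_text):
    """Return {client_address: {"count": n, "first": iso_time, "last": iso_time}}.

    Only event 3000 records count; lines with other IDs, blank lines and
    malformed records are ignored rather than aborting the sweep.
    """
    seen = {}
    for line in export_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        time, event_id, message = parts
        if int(event_id) != SMB1_ACCESS_EVENT:
            continue
        match = ADDR_RE.search(message)
        if not match:
            continue
        entry = seen.setdefault(match.group(1), {"count": 0, "first": time, "last": time})
        entry["count"] += 1
        # ISO-8601 timestamps compare correctly as strings, so ordering of the export
        # does not matter.
        entry["first"] = min(entry["first"], time)
        entry["last"] = max(entry["last"], time)
    return seen


def report(clients):
    """Human-readable inventory, busiest client first: what to migrate or retire before disabling SMBv1."""
    rows = sorted(clients.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{addr:15s} {e['count']:4d} SMBv1 connections  {e['first']} .. {e['last']}"
            for addr, e in rows]


if __name__ == "__main__":
    for row in report(smb1_clients(SAMPLE_EXPORT)):
        print(row)
```

An empty inventory after a few weeks of auditing is the signal that SMBv1 can be turned off without breaking anything; any address that does appear is a device to update or replace, exactly the old printers and file servers the episode describes.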

Conclusion

Like software, protocols also age and are phased out. The ones mentioned here do not exhaust the list of vulnerable or obsolete protocols still in use. However, the five protocols listed may be in use, unknowingly, either at home or in the office. They are basically part of our daily lives, while the others, which I have chosen to omit, belong mainly to the world of network administrators. But whether we use a small home network or go to the office, we should be careful about the protocols listed. Some of them may simply cost us working time, while others may expose us to big losses. And how we use our computers and secure our network is up to us.