Packet sniffing and my passwords

Further reading seems to suggest that the data flowing to and from my computer can be 'sniffed' by anyone if it's not encoded through SSL or similar? Is this true?

Yes, this is true. Both wireless (WiFi) and wired (Ethernet) networks can be sniffed easily, although it may be a little more complicated on switched Ethernet.

Even if you are connected to Internet directly over wired DSL or dial-up, for example, there is still a possibility for someone to tap the line, although this is a lot less probable than outsiders monitoring a public WiFi network. (On the other hand, some ISPs have been caught inspecting traffic too carefully.)

My network has WEP encryption I think it is called.

Aside from being hilariously insecure, WEP only protects traffic between your computer and the wireless AP – and even then only from passive monitoring, not from people connected to the same network. Most of it applies to WPA too.

WPA2 is a bit more secure, but like WEP it only secures one segment (you ↔ AP).

In comparison, TLS (aka SSL) offers end-to-end encryption: the data is secure at any point between you and the server. It also ensures that you are connecting to the real server, to prevent man-in-the-middle attacks.

Besides TLS, there are other methods of securing traffic: SSH is similar in function but is used mostly for shell access.

You can use an encrypted VPN or proxy server to encrypt everything you do, including MSN and generic web browsing. However:

  • TLS/SSL and SSH do end-to-end encryption but only protect specific services on specific hosts (for example, HTTP at example.com; IMAP at imap.gmail.com),
  • whereas connecting through a VPN or using WEP/WPA will secure all traffic but only between you and the VPN server or the WPA2-enabled access point.

Can people

  • People connected to the same WiFi hotspot? Coworkers? Your school's IT guy? Yes, see above.
  • People using the same ISP? For most ISPs, no; customers only receive their own traffic.
  • People in the same city/country/planet? No. IP routing doesn't allow this. (IP routing can be subverted – there is a history of countries allowing a website block to propagate over BGP – but be assured that this gets noticed really fast.)

read my hotmail and gmail emails?

Yes, unless you access Gmail over SSL (https://mail.google.com/).

And see my msn conversations,

Yes. The MSNP protocol is plain-text.

what sites I am visting

Yes.

and when I am online?

Depends on your definition of "online" (connected to Internet? connected to MSN Messenger?), but for most of them the answer is "yes".


Also, terminology: to encode something is to convert it into a different representation (such as Base64); whoever knows the algorithm can easily decode it. To encrypt something is to scramble it in a cryptographically secure way, so that only the key holder(s) can decrypt it, even though the algorithm is (should be) widely known. TLS/SSL does encryption. WEP does "encryption" (see note on security).


Anything that's not encrypted via SSL/TLS can be read. If there's no lock symbol in the browser, it's like a postcard being passed between letter carriers.

Your wireless encryption has little to do with this issue. That only means the connection from your computer to your access point is encrypted. Switch to WPA2 if you can, though.