I just received this e-mail from Francois Doremieux, Senior Program Manager, Product Group: Customer Experience, in response to my "WiFi is Insecure" post from last week. I thought it worth sharing.
It was a pleasure meeting you in Redmond last month.
I just read your "WiFi is not secure" article and I wanted to add a brief comment.
As we discussed in Redmond, the notion of security and quality at the network layer is only one way to look at it. I agree that it’s possible to snoop and intercept the packets over WiFi. Therefore, one cannot trust the network layer alone for security (as we had discussed in Redmond that it is not possible to trust the network layer alone for management of quality). That is why the approach we have taken with Microsoft UC is to provide security at the application layer, with strong authentication, non-repudiation, signaling and media encryption (in the same way we did it for quality with the adaptive media stack).
Transport is a very important element of the stack, but it can’t solve all issues (and its solutions tend to not have the flexibility software brings to the application layer). Applications such as OCS can overcome the transport flaws and provide software-based security and quality, in conjunction with or even as a substitute for the network depending on the specific circumstances.
Thank you, Francois, for the e-mail, as your letter helps clarify this entry. The problem I referred to is with Web 2.0 applications, especially those where the Session ID and cookies are hijacked and cloned. As you mention, applications such as OCS and others with strong encryption can (thankfully) overcome transport flaws.
The point is that when you are in an area where you are using WiFi, your packets can be hijacked and used to recreate your account. This is especially the case with Web 2.0 applications, a term that loosely refers to hosted software as well.
Use of products like Citrix, Remote Desktop and OCS should significantly minimize, if not eliminate, the risk of identity hijacking.