  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    Stay safe when using public Wi-Fi hotspots

    LANGALIST PLUS

    By Fred Langa

    For many Windows Secrets readers, the holidays mean travel. Here are tips for protecting your data when connected to shared networks in hotels, restaurants, airports, and other public places. Plus: The free Detekt tool is an anti-spyware scanner for people in extreme circumstances.


    The full text of this column is posted at windowssecrets.com/langalist-plus/stay-safe-when-using-public-wi-fi-hotspots/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    Star Lounger
    Join Date
    Apr 2011
    Posts
    55
    Thanks
    0
    Thanked 4 Times in 4 Posts
    I have been using VPN for years because I travel a lot. I settled on PIA (Private Internet Access). It has servers in many countries and good Windows software. One subscription applies to multiple devices.

    The problem I have is with my iPhone and iPad. Apple's iOS doesn't seem to like VPN, at least not PIA. There is no equivalent software for iOS to maintain the VPN connection, as there is for Windows and Android.

    I have to manually start the VPN connection each time with iOS. Then it will rarely hold more than 5-10 minutes before disconnecting. Before you even notice that disconnect, your email client may have refreshed, sending your now unencrypted password and downloading unencrypted messages.

    I have not found a solution to this problem.

  3. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    10546
    Posts
    23
    Thanks
    0
    Thanked 3 Times in 2 Posts
    Recently, traveling in Ankara, Turkey, I found that the hotel's system was clearly messing with my HTTP traffic. I suspect it was an incompetent attempt to inject or modify ads. The obvious symptom was that they broke any site that needed cookies.

    I've now gone to my homemade VPN-like approach and feel much safer.

    (I run a SOCKS server on my home Linux machine and establish an ssh tunnel for SOCKS, then configure Firefox and Thunderbird, the only online apps I use, to use SOCKS for everything including DNS. Yes, it's geeky, but it's free and all under my control. I could set up true VPN but that's more (manual reading) work than I'm ready for.)

  4. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Alexandria, VA
    Posts
    3
    Thanks
    1
    Thanked 2 Times in 1 Post
    I'd say that Rick is not only not paranoid, he's probably not paranoid enough! One thing to keep in mind: even if you are on the wired network or the wireless is running WPA2, other users on the same network can see your data unless you are specifically encrypting using a VPN or SSL/TLS as you recommend. The network encryption only secures you from non-hotel (or other shared network, e.g. Starbucks) users. It is shared encryption with all users. Also on the wired network, depending on the infrastructure (in general a switch vs. a hub) being used, your data may be visible to other users on the same network as well; think rooms on the same floor or near your room. You should always assume that the network is insecure and that other users have access to your data in transit, so if you are not encrypting it yourself and relying on the network to implement the security, you are taking risks.

  5. #5
    New Lounger
    Join Date
    Dec 2012
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have tried Ultra Surf 14.04 http://en.wikipedia.org/wiki/Ultrasurf
    It is completely free and appears to work. Have you any information or thoughts on this VPN option?

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    SF Bay Area, California, USA
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    "Hotspot Shield – Free version with ads; $2.50 per year for ad-free Hot Shield Elite"

    That should be $2.50 PER MONTH.

  7. #7
    New Lounger
    Join Date
    Dec 2009
    Location
    West Linn, Oregon, USA
    Posts
    7
    Thanks
    0
    Thanked 3 Times in 3 Posts
    There is a no-cost solution for protected Internet access, but it requires a bit of technical savvy.

    Buy an Internet router whose firmware you can flash with TomatoUSB. The Tomato build has an OpenVPN server that I set to force the client to use the router VPN endpoint for all Internet access by the client, not just to the network protected by the router.

    Typical configuration for a VPN connection to your router provides end-to-end encryption only to your router: client (encrypted) <-> Wifi hotspot (encrypted) <-> Internet (encrypted) <-> your router (encrypted) <-> local network (unencrypted). All other connections are unencrypted: client (unencrypted) <-> Wifi hot spot (unencrypted) <-> Internet (unencrypted).

    The option to use the router as a proxy for all Internet access functions like any commercial VPN provider, regardless of the destination: client (encrypted) <-> Wifi hotspot (encrypted) <-> Internet (encrypted) <-> your router (encrypted) <-> Internet (unencrypted).

    For years I used the DD-WRT firmware, but I don't recall the option to use the router as a proxy. The TomatoUSB is way superior and more stable compared to DD-WRT, but is written for a much smaller number of routers.

    The only downside to using your router as a proxy is that your Internet speed is limited to the upload speed of your home Internet service.

  8. #8
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    968
    Thanks
    19
    Thanked 4 Times in 4 Posts
    Here's another security concern when using external networks that few people are aware of.

    If you use Outlook desktop and the standard SMTP port 110 to connect to your email provider, then your username and password are being transferred clear text! Oops.

    Your email provider needs to offer an encrypted connection (like TLS) and a port like 587 (this is what mine uses) to encrypt what you send to them, before they then send the email msg through the net to its destination.

    I think this would be something that Fred or someone on WS should write about.

  9. #9
    New Lounger
    Join Date
    Dec 2014
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hi, I have never been able to find the answer to the following question re public Wi-Fi security: Even when using HTTPS, isn't the first "handshake" with the server to get the encryption key subject to interception? How can that cookie or data, which then permits the HTTPS connection, first be established over Wi-Fi securely?

    Thanks.
    Chuck

  10. #10
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,483
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by ShelleyP View Post
    I have tried Ultra Surf 14.04 http://en.wikipedia.org/wiki/Ultrasurf
    It is completely free and appears to work. Have you any information or thoughts on this VPN option?
    Before using this service, readers should read carefully and all the way through the Wikipedia article.

    This service is old. It uses closed-source code. It censors (filters) content. Logs are kept and have been shared with the Chinese and US governments, as I read the section of the article discussing these things. Its servers are overloaded and there are no plans for long-term funding of the project.

    The service is basically a direct competitor with TOR, and serves the same functions. While TOR is an anonymizing service, it is by itself not a true VPN service.

    There are numerous other criticisms of Ultrasurf in the Wikipedia article.

    I would not trust this service with my privacy.
    -- Bob Primak --

  11. #11
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,199
    Thanks
    48
    Thanked 987 Times in 917 Posts
    Quote Originally Posted by Chuck95402 View Post
    isn't the first "handshake" with the server to get the encryption key subject to interception?
    Only if the server is using old protocols that don't authenticate the server / client. Any recent web site should not have this issue.
    To see if you have a valid connection to a web site, view the certificate and check the hierarchy. For example, the Windows Secrets certificate is validated by GeoTrust, which my computer already trusts because their certificate is installed as part of Windows. See attached screenshot.

    cheers, Paul

    Capture.PNG

  12. #12
    New Lounger
    Join Date
    Dec 2009
    Location
    Buckinghamshire, UK
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Chuck95402 View Post
    isn't the first "handshake" with the server to get the encryption key subject to interception? How can that cookie or data, which then permits the HTTPS connection, first be established over wi-fi securely?
    SSL/TLS uses something called 'public key cryptography' which enables public exchange of data that can be used to generate a secure private key (this may sound impossible, but trust me, the maths works). If you're interested search for "Diffie-Hellman key exchange" (warning: second year undergraduate number theory may be required). When I taught classes in this stuff, I used to demonstrate by getting two people to call out numbers to each other and show how they can be used to generate a secret, shared key that no-one else can calculate from the public information.
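The number-calling demonstration described in the post above, together with the authentication point made in post #11, as an added example that is not part of the original thread. The prime, generator and function names are illustrative assumptions, and the parameters are toy-sized; real TLS uses standardized large groups or elliptic curves and signs the handshake with the server's certificate key.

```python
import secrets

# Toy public parameters (assumption for illustration, not secure):
# P is the Mersenne prime 2**127 - 1, G a small base.
P = 2**127 - 1
G = 3

def new_private():
    """Secret exponent in [2, P-2]; it never leaves the machine that made it."""
    return secrets.randbelow(P - 3) + 2

def public_value(private):
    """The number a party 'calls out' over the open network."""
    return pow(G, private, P)

def shared_key(their_public, my_private):
    """Both sides reach G**(a*b) mod P without ever sending a or b."""
    return pow(their_public, my_private, P)

def handshake(a, b, tamper=None):
    """Run one exchange between private values a and b.

    `tamper`, if given, replaces both public values in transit, modelling a
    network that rewrites traffic. Returns what was visible and what each
    side derived.
    """
    A, B = public_value(a), public_value(b)
    seen_by_bob = A if tamper is None else tamper
    seen_by_alice = B if tamper is None else tamper
    return {
        "on_the_wire": (P, G, A, B),
        "alice_key": shared_key(seen_by_alice, a),
        "bob_key": shared_key(seen_by_bob, b),
    }

if __name__ == "__main__":
    a, b = new_private(), new_private()
    clean = handshake(a, b)
    print("keys match:", clean["alice_key"] == clean["bob_key"])
    # Without authentication neither side can tell the value was replaced;
    # the keys simply stop matching the real peer's. Certificate validation
    # is what lets the client detect this.
    altered = handshake(a, b, tamper=public_value(new_private()))
    print("keys match after substitution:",
          altered["alice_key"] == altered["bob_key"])
```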
