Cloak your connection to foil Firesheep snoopers

    #472803


    TOP STORY

    Cloak your connection to foil Firesheep snoopers

    By Woody Leonhard

    In his Oct. 28 In the Wild column, Robert Vamosi showed how easy it is to snoop a Wi-Fi connection using a clever Firefox add-in called Firesheep.

    If you’re serious about protecting your surfing from prying eyes while on an unencrypted public Wi-Fi connection, the onus is on you to lock down your connections. Using virtual private networking (VPN) is one of the best ways I know to do that.


    The full text of this column is posted at WindowsSecrets.com/2010/11/04/01.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1253434

      Just curious if a WiFi public hotspot secured with WPA2, where everyone knows the WPA2 password, is still more secure than an unencrypted WiFi hotspot? I assume knowing the WPA2 password allows you to unencrypt the data but wondered if it was still inherently more secure regardless or if it’s a wash.

      • #1253646

        Just curious if a WiFi public hotspot secured with WPA2, where everyone knows the WPA2 password, is still more secure than an unencrypted WiFi hotspot? I assume knowing the WPA2 password allows you to unencrypt the data but wondered if it was still inherently more secure regardless or if it’s a wash.


        @Bob

        Yep, it’s inherently more secure because each connection is encrypted separately. But I’m NOT sure if anyone’s been able to figure out how to sidejack over a WPA2 connection with a publicly-known key. I can’t find anyone who’s actually done it, but…

      • #1254276

        Just curious if a WiFi public hotspot secured with WPA2, where everyone knows the WPA2 password, is still more secure than an unencrypted WiFi hotspot? I assume knowing the WPA2 password allows you to unencrypt the data but wondered if it was still inherently more secure regardless or if it’s a wash.


        @Bob

        I just got through to my router guru and, yes, it is possible to sniff packets if you know the WPA2 password. (I always assumed the encryption was secure between each PC and the access point, but it isn’t.) I haven’t heard of anybody using Firesheep over a WPA2 encrypted connection, but it sounds as if it could be possible.

        All the more reason to use VPN, eh?

    • #1253500

      I don’t know much about the technical details of VPN so it is difficult for me to evaluate various VPN providers. I use a service called WiTopia which costs $69.99 per year and has servers in several locations throughout the world. This service was not mentioned in this article and is considerably cheaper than the ones mentioned. Does anyone know anything about this service and its strengths/weaknesses compared to other providers? I am going to be traveling soon and really want to have secure communications.

    • #1253565

      Is something going on today? The link for the newsletter fails with “The page isn’t redirecting properly”. When I try to log in to the site to read it directly, the site does not accept my e-mail & subscriber code. However, I can get in and see my preferences and expiration date.

    • #1253632

      Guys,

      I’m a VPN user not a VPN expert…hence my lame question.

      If I’m getting the article right:

      When I install OPENVPN or any of the VPN services Woody mentions in the article and I have it running, the path that my connection will follow from my house to… let’s say Amazon.com would be:

      From my house to Amazon.
      Encrypted data leaves from my PC … to my ISP (using my ISP’s DNS? or OPENVPN’s DNS?) … to OpenVPN Gateway/server (where the encryption will be removed) then the unencrypted data will go … TO Amazon.com

      From Amazon to my House
      Amazon processes my request and sends unencrypted data … back to OpenVPN Gateway/server where the data from Amazon will be associated with my original transmission and encrypted … sent back to my ISP who will send it … to my PC???

      Again I’m not an expert so please excuse my questions if they sound stupid. So I guess I have two questions, one about the path that the connection will follow, and the second about which DNS server my computer uses (does it use my ISP’s DNS server or OpenVPN’s DNS server?).

      Thanks
      RB

      • #1253651

        Guys,

        From my house to Amazon….

        Again I’m not an expert so please excuse my questions if they sound stupid. So I guess I have two questions, one about the path that the connection will follow, and the second about which DNS server my computer uses (does it use my ISP’s DNS server or OpenVPN’s DNS server?).

        Thanks
        RB

        Not a stupid question at all! Amazon encrypts its pages – everything you do is over an https connection – so you don’t have to worry about getting sidejacked. But to answer your question in general, yes, those are the stages the communication goes through. It’s in the clear between the VPN’s server and the web site, then back to the VPN server.

        The DNS server is the VPN’s DNS server. Your VPN connection doesn’t interact with your ISP at all.

    • #1253634

      Hi Woody,

      A good, matter-of-fact article on protecting your “public wi-fi” connection. Just wanted to let you know about a potentially lower cost hosted VPN option for the Road Warriors out there.

      I found WiTopia has an excellent service, “PersonalVPN” that uses both SSL/PPTP with a customized OpenVPN to tunnel through to their servers and on to the internet. The SSL/PPTP option runs $70/yr and they have servers available around the world, with plenty spread around the US where I do most of my traveling. The PPTP option also allows my iPhone to connect securely with the built-in VPN which is important for checking my IMAP email servers.

      Speed-wise in my testing, there was little speed reduction using the WiTopia VPN through their servers. Though I’ve just started using them in the last few months, they’ve been around for at least 5 years or so. The link to their site is http://www.witopia.net.

      With WiTopia for secure connections (even on the hotel’s hard-wired connections) and a fully encrypted hard drive using TrueCrypt, I feel a little more secure traveling.

      • #1253652

        Speed-wise in my testing, there was little speed reduction using the WiTopia VPN through their servers. Though I’ve just started using them in the last few months, they’ve been around for at least 5 years or so. The link to their site is http://www.witopia.net.

        With WiTopia for secure connections (even on the hotel’s hard-wired connections) and a fully encrypted hard drive using TrueCrypt, I feel a little more secure traveling.


        @Charles
        @Virgil

        Sounds like a winner to me. There are many VPN services out there these days. The tough part is that all of the free ones I’ve found are really slow…

      • #1254133

        Hi Woody,

        A good, matter-of-fact article on protecting your “public wi-fi” connection. Just wanted to let you know about a potentially lower cost hosted VPN option for the Road Warriors out there.

        I found WiTopia has an excellent service, “PersonalVPN” that uses both SSL/PPTP with a customized OpenVPN to tunnel through to their servers and on to the internet. The SSL/PPTP option runs $70/yr and they have servers available around the world, with plenty spread around the US where I do most of my traveling. The PPTP option also allows my iPhone to connect securely with the built-in VPN which is important for checking my IMAP email servers.

        Speed-wise in my testing, there was little speed reduction using the WiTopia VPN through their servers. Though I’ve just started using them in the last few months, they’ve been around for at least 5 years or so. The link to their site is http://www.witopia.net.

        With WiTopia for secure connections (even on the hotel’s hard-wired connections) and a fully encrypted hard drive using TrueCrypt, I feel a little more secure traveling.

        • #1254134

          Thanks for the comments about VPN but especially about WiTopia. I had come across WiTopia earlier — never saw reference to it before — but haven’t signed up for it yet. Is it really just a one-time payment of $70? I want to use it at a vacation cottage — not near big city — that offers an Internet connection, but I think it’s picking up the signal from a neighbor. Would be nice to have a little more security than that.

    • #1253657

      It’s been one of “those” days. I’m tired right now so if this is an idiot question please bear with me.

      I like Firefox add-ons but I’ve never heard of the Force TL addon nor can I find it on the web.

      Any idea where it is and how I get it?

      Thanks.

      • #1254163

        It’s been one of “those” days. I’m tired right now so if this is an idiot question please bear with me.

        I like Firefox add-ons but I’ve never heard of the Force TL addon nor can I find it on the web.

        Any idea where it is and how I get it?

        Thanks.

        http://forcetls.sidstamm.com/

    • #1253668

      Woody,

      Thanks for this article as it is very timely for me. I have been looking around for VPN software to put on my recently purchased netbook. In searching thru the various applications offered, I have concerns about the security of the provider and whether they are potential providers of my personal information to 3rd parties. Not all have easy to decipher privacy policies.

      Since I am just starting out with this and have limited knowledge of setting up VPN, a free easy to use was also a major consideration. I did look at OpenVPN and ItsHidden, but I didn’t quite understand how the client needed to be set up. I also didn’t like the fact that a user had to sign in.

      I finally installed SecurityKISS (it is based on OpenVPN), which offers both free and paid services and was simple to install. It also does not require any sign in. While the free version is limited to 300MB per day, it is more than provided by most free VPN providers.

      Do any of you knowledgeable readers have any advice for me regarding VPN software and providers?

      Thanks to all for the info above

      To oddjob,

      In Firefox go to Tools/Add-ons/ Get Add-ons and type in “Force-TLS”

    • #1253708

      It was not the Force-TL add-on. Search of add-ons failed to find it in Mozilla. Real name was Force TLS. See chrome://forcetls/content/upgrade.html.

      • #1253756

        It was not the Force-TL add-on. Search of add-ons failed to find it in Mozilla. Real name was Force TLS. See chrome://forcetls/content/upgrade.html.


        @Paul

        You’re absolutely right, and my apologies! There should’ve been a link…

    • #1253745

      I also use Witopia and find it to be very reliable, fast and multiple access points all round the world (including alternate ports for many if required):

      AMERICAS
      UNITED STATES: Atlanta; Chicago; Dallas; Los Angeles; New York City Metro; San Francisco; Seattle; Washington, DC Metro
      ARGENTINA: Buenos Aires
      BRAZIL: Sao Paulo
      CANADA: Toronto; Vancouver
      MEXICO: Mexico City
      PANAMA: Panama City

      ASIA and AUSTRALIA
      AUSTRALIA: Sydney
      CHINA: Hong Kong
      INDIA: New Delhi
      JAPAN: Tokyo (coming soon)
      MALAYSIA: Kuala Lumpur
      SINGAPORE: Singapore
      SOUTH KOREA: Seoul (coming soon)

      EUROPE/MIDDLE EAST/AFRICA
      BELGIUM: Brussels
      CZECH REPUBLIC: Prague
      EGYPT: Cairo
      FINLAND: Helsinki
      FRANCE: Paris
      GERMANY: Frankfurt
      IRELAND: Dublin
      ITALY: Milan
      LATVIA: Riga
      NETHERLANDS: Amsterdam
      POLAND: Warsaw
      PORTUGAL: Lisbon
      RUSSIA: Moscow
      SPAIN: Madrid
      UNITED KINGDOM: London; Manchester

      Ian

    • #1253908

      You can find it on the Firefox Force-TLS add-on download page.

    • #1253917

      Thanks all. Force-TLS located and installed.

    • #1254182

      I have been using Witopia for several years in a country where many VPNs are blocked and it works very well. I have needed their support service a couple of times and found them to be very efficient and helpful. A great VPN service, I can’t recommend it too highly.

    • #1254421

      @Bob

      Ends up it’s a tough question. Even Sophos got it wrong.

      Take a look at the comments on today’s Sophos post about Firesheep. Ends up that the password is combined with the SSID to produce a key that encrypts the session. Anyone who’s sufficiently talented, and knows both the password and the SSID, can sniff packets.

      The poor guy at Sophos made so many mistakes in that post it’s embarrassing – and he’s getting raked over the coals for it. As far as I can tell, all of the objections being raised in the comments are correct.
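
The key derivation discussed in the posts above, as an added example that is not part of the original thread: the WPA2-Personal derivation from IEEE 802.11i, showing that each client does get its own session key while the only secret input is the shared passphrase. The SSID, passphrase, MAC addresses and nonces are constructed values, and `constructed_handshake` and `session_key` are hypothetical helper names.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Per-session key (48 bytes for CCMP). Only the PMK is secret; the MACs
    and nonces travel unencrypted in the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def constructed_handshake(name: str) -> dict:
    """Constructed public handshake values for a hypothetical client."""
    digest = hashlib.sha256(name.encode()).digest()
    return {
        "ap_mac": bytes.fromhex("020000000001"),
        "sta_mac": b"\x02" + digest[:5],
        "anonce": hashlib.sha256(b"anonce:" + name.encode()).digest(),
        "snonce": hashlib.sha256(b"snonce:" + name.encode()).digest(),
    }

def session_key(passphrase: str, ssid: str, handshake: dict) -> bytes:
    """Session key as computed by any party holding the passphrase and the handshake values."""
    return derive_ptk(derive_pmk(passphrase, ssid), **handshake)

if __name__ == "__main__":
    ssid, passphrase = "CafeGuest", "coffee-on-the-wall"  # constructed values
    alice, bob = constructed_handshake("alice"), constructed_handshake("bob")
    k_alice = session_key(passphrase, ssid, alice)
    print("separate session key per client:", k_alice != session_key(passphrase, ssid, bob))
    # Same inputs, same key: nothing here is private to Alice's machine.
    print("recomputable from passphrase + handshake values:",
          session_key(passphrase, ssid, alice) == k_alice)
    print("not recomputable without the passphrase:",
          session_key("wrong-guess", ssid, alice) != k_alice)
```

A VPN or HTTPS session negotiates keys that are not derived from the hotspot passphrase, which is why the thread's VPN recommendation still applies on a shared-password WPA2 network.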
