• Stay safe when using public Wi-Fi hotspots


    #497570

    LANGALIST PLUS

    Stay safe when using public Wi-Fi hotspots

    By Fred Langa

    For many Windows Secrets readers, the holidays mean travel. Here are tips for protecting your data when connected to shared networks in hotels, restaurants, airports, and other public places. Plus: The free Detekt tool is an anti-spyware scanner for people in extreme circumstances.

    The full text of this column is posted at windowssecrets.com/langalist-plus/stay-safe-when-using-public-wi-fi-hotspots/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1478559

      I have been using VPN for years because I travel a lot. I settled on PIA (Private Internet Access). It has servers in many countries and good Windows software. One subscription applies to multiple devices.

      The problem I have is with my iPhone and iPad. Apple’s iOS doesn’t seem to like VPN, at least not PIA. There is no equivalent software for iOS to maintain the VPN connection, as there is for Windows and Android.

      I have to manually start the VPN connection each time with iOS. Then it will rarely hold more than 5-10 minutes before disconnecting. Before you even notice that disconnect, your email client may have refreshed, sending your now unencrypted password and downloading unencrypted messages.

      I have not found a solution to this problem.

    • #1478562

      Recently, traveling in Ankara, Turkey, I found that the hotel’s system was clearly messing with my HTTP traffic. I suspect it was an incompetent attempt to inject or modify ads. The obvious symptom was that they broke any site that needed cookies.

      I’ve now gone to my homemade VPN-like approach and feel much safer.

      (I run a SOCKS server on my home Linux machine and establish an SSH tunnel for SOCKS, then configure Firefox and Thunderbird, the only online apps I use, to use SOCKS for everything including DNS. Yes, it’s geeky, but it’s free and all under my control. I could set up a true VPN but that’s more (manual reading) work than I’m ready for.)

    • #1478570

      I’d say that Rick is not only not paranoid, he’s probably not paranoid enough! One thing to keep in mind: even if you are on the wired network or the wireless is running WPA2, other users on the same network can see your data unless you are specifically encrypting using a VPN or SSL/TLS as you recommend. The network encryption only secures you from non-hotel (or other shared network, e.g. Starbucks) users. It is shared encryption with all users. Also on the wired network, depending on the infrastructure (in general a switch vs. a hub) being used, your data may be visible to other users on the same network as well; think rooms on the same floor or near your room. You should always assume that the network is insecure and that other users have access to your data in transit, so if you are not encrypting it yourself and relying on the network to implement the security, you are taking risks.

      • #1478590

        I have tried Ultra Surf 14.04 http://en.wikipedia.org/wiki/Ultrasurf
        It is completely free and appears to work. Have you any information or thoughts on this VPN option?

        • #1478940

          I have tried Ultra Surf 14.04 http://en.wikipedia.org/wiki/Ultrasurf
          It is completely free and appears to work. Have you any information or thoughts on this VPN option?

          Before using this service, readers should read carefully and all the way through the Wikipedia article.

          This service is old. It uses closed-source code. It censors (filters) content. Logs are kept and have been shared with the Chinese and US governments, as I read the section of the article discussing these things. Its servers are overloaded and there are no plans for long-term funding of the project.

          The service is basically a direct competitor with TOR, and serves the same functions. While TOR is an anonymizing service, it is by itself not a true VPN service.

          There are numerous other criticisms of Ultrasurf in the Wikipedia article.

          I would not trust this service with my privacy.

          -- rc primak

    • #1478726

      “Hotspot Shield – Free version with ads; $2.50 per year for ad-free Hot Shield Elite”

      That should be $2.50 PER MONTH.

    • #1478733

      There is a no-cost solution for protected Internet access, but it requires a bit of technical savvy.

      Buy an Internet router whose firmware you can flash with TomatoUSB. The Tomato build has an OpenVPN server that I set to force the client to use the router VPN endpoint for all Internet access by the client, not just to the network protected by the router.

      Typical configuration for a VPN connection to your router provides end-to-end encryption only to your router: client (encrypted) Wifi hotspot (encrypted) Internet (encrypted) your router (encrypted) local network (unencrypted). All other connections are unencrypted: client (unencrypted) Wifi hot spot (unencrypted) Internet (unencrypted).

      The option to use the router as a proxy for all Internet access functions like any commercial VPN provider, regardless of the destination: client (encrypted) Wifi hotspot (encrypted) Internet (encrypted) your router (encrypted) Internet (unencrypted).

      For years I used the DD-WRT firmware, but I don’t recall the option to use the router as a proxy. The TomatoUSB is way superior and more stable compared to DD-WRT, but is written for a much smaller number of routers.

      The only downside to using your router as a proxy is that your Internet speed is limited to the upload speed of your home Internet service.

    • #1478844

      Here’s another security concern when using external networks that few people are aware of.

      If you use Outlook desktop and the standard SMTP port 110 to connect to your email provider, then your username and password are being transferred clear text! Oops.

      Your email provider needs to offer an encrypted connection (like TLS) and a port like 587 (this is what mine uses) to encrypt what you send to them, before they then send the email msg through the net to its destination.

      I think this would be something that Fred or someone on WS should write about.

    • #1478930

      Hi, I have never been able to find the answer to the following question re public Wi-Fi security: even when using HTTPS, isn’t the first “handshake” with the server to get the encryption key subject to interception? How can that cookie or data, which then permits the HTTPS connection, first be established over Wi-Fi securely?

      Thanks.
      Chuck

      • #1478992

        isn’t the first “handshake” with the server to get the encryption key subject to interception?

        Only if the server is using old protocols that don’t authenticate the server / client. Any recent web site should not have this issue.
        To see if you have a valid connection to a web site, view the certificate and check the hierarchy. For example, the Windows Secrets certificate is validated by GeoTrust, which my computer already trusts because their certificate is installed as part of Windows. See attached screenshot.

        cheers, Paul

        38631-Capture

      • #1480713

        isn’t the first “handshake” with the server to get the encryption key subject to interception? How can that cookie or data, which then permits the HTTPS connection, first be established over wi-fi securely?

        SSL/TLS uses something called ‘public key cryptography’ which enables public exchange of data that can be used to generate a secure private key (this may sound impossible, but trust me, the maths works). If you’re interested search for “Diffie-Hellman key exchange” (warning: second year undergraduate number theory may be required). When I taught classes in this stuff, I used to demonstrate by getting two people to call out numbers to each other and show how they can be used to generate a secret, shared key that no-one else can calculate from the public information.
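
The "two people calling out numbers" demonstration from the reply above, as an added example that is not part of any post in this thread. The toy values (p = 23, g = 5, secrets 6 and 15) and the 127-bit prime are chosen for illustration only; all function names are made up for this sketch.

```python
import secrets

def dh_public(p, g, private):
    """The number a party calls out in public: g^private mod p."""
    return pow(g, private, p)

def dh_shared(p, their_public, private):
    """The key each side derives from the other's public number."""
    return pow(their_public, private, p)

def brute_force_private(p, g, public):
    """A listener's only generic option: try exponents until one fits."""
    value = 1
    for x in range(p - 1):
        if value == public:
            return x
        value = (value * g) % p
    return None

def classroom_exchange(p=23, g=5, a=6, b=15):
    """Toy numbers (constructed) small enough to call out across a room."""
    A, B = dh_public(p, g, a), dh_public(p, g, b)
    return A, B, dh_shared(p, B, a), dh_shared(p, A, b)

def larger_exchange(p=2**127 - 1, g=3):
    """Same steps with random secrets and a 127-bit prime (still a demo size)."""
    a = secrets.randbelow(p - 3) + 2
    b = secrets.randbelow(p - 3) + 2
    A, B = dh_public(p, g, a), dh_public(p, g, b)
    return dh_shared(p, B, a), dh_shared(p, A, b)

if __name__ == "__main__":
    A, B, key_alice, key_bob = classroom_exchange()
    print("called out in public:", A, B)
    print("keys derived privately:", key_alice, key_bob)
    # With p = 23 a listener recovers Alice's secret by trial, so real
    # deployments use primes of 2048 bits or more (or elliptic curves).
    print("secret recovered from toy numbers:", brute_force_private(23, 5, A))
    k1, k2 = larger_exchange()
    print("larger prime, keys match:", k1 == k2)
```

The exchange by itself does not prove who called out the numbers; that is the job of the certificate check described in the earlier reply.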
