How to stay safe at public WiFi spots


21 Responses to “How to stay safe at public WiFi spots”

  1. David Llopis says:

    While we’re on the topic:
    Never, ever, ever log in to your bank account from a public *computer*, since it’s more likely compromised than not.

  2. Thalia says:

    Side note: California Bar Association recently provided an opinion that said that using open WiFi for client confidential information is a breach of your legal duty to your clients. I expect medical and other professionals to follow. SSL, VPN, or avoid open access points.

  3. Anonymous says:

    so how do i secure my wifi ipad in an airport?

    • David Llopis says:

      A lot of sites support HTTPS: just add an “s” and see what happens. Facebook & Google support it, for example.
      Otherwise, you’ll need to set yourself up with a VPN somehow, which the article gets into. All Apple products support L2TP, PPTP, and IPSec VPNs.

      • flosofl says:

        Unfortunately my iDevices don’t support OpenVPN, which is what I used when traveling prior to my acquisition of said iDevices. I still have my OpenVPN server running for when I’m abroad with my MBPro (which is rarer and rarer), but I now use DD-WRT as a PPTP VPN server (and SPI firewall) for the phone and tablet. I turned off the radios on the WRT54GL and use my Airport Extreme in Ethernet bridge mode (basically it’s an AP/gigabit switch now) to keep that 5GHz 802.11n goodness.

        I will say as far as SSL goes if an attacker has compromised an end point network (more likely in a cafe or hotel than a bank), MiM SSL can be, well… I won’t say trivial, but not too difficult either. VPNs aren’t as vulnerable. PPTP is not as secure as the others, but I’m willing to accept the risk for the type of network activity I do on the iThings.

  4. ihaterogers says:

    After reading the above article by Glen, I wanted to secure the email connection between Outlook on my computer and Rogers’ email servers. I researched the port numbers needed from http://www.rogershelp.com and eventually found my way to this url:

    http://help.yahoo.com/l/ca/rogers/mail/classic/pop/pop-14.html

    [From the link above]

    [begin quote]

    Use these settings to access Rogers Yahoo! Mail using your favorite email reader.

    Note: If you can’t add new POP or new SMTP servers in your mail reader program, you need to change your current mail settings to access your Rogers Yahoo! Mail account. Write down your current settings first—you may need to revert to them later if you want to use the same program to send and receive messages from your other email addresses.

    Incoming mail server settings
    • POP server: pop.broadband.rogers.com
    • Use SSL
    • Port: 995

    Outgoing mail server (SMTP) settings
    • SMTP server: smtp.broadband.rogers.com
    • Use SSL
    • Port: 465
    • Use authentication

    Account Name/Login Name:

    Your Rogers Yahoo! Mail ID (your email address without the “@rogers.com”, for example, “jo.bloggs”)
    Email Address: Your Rogers Yahoo! Mail address (for example, jo.bloggs@rogers.com)

    Password: Your Rogers Yahoo! Mail password

    [end quote]

    I expect this link to be taken down in short order now that I have pointed out to Rogers Tech Support that indeed it should be possible to configure a client side email reader to access the email servers using SSL, according to their own support documentation. Most of Rogers’ competitors allow this and in today’s age of internet privacy concerns, encrypted data exchange between websites and email servers is a must!

    Rogers, however, doesn’t see it this way. As confirmed by the 2nd level tech support and a management representative, Rogers has deliberately chosen not to allow (i.e., they are actively blocking such connections) secure email connections to their servers (hosted by Yahoo – more on this in a moment). For some reason that Rogers will not elaborate on, Rogers feels that an internal policy decision that has created and perpetuates a glaring security weakness is not worth revisiting. One has to ask why?

    I set up a free Yahoo email account and pointed Outlook to the Yahoo email server with full SSL enabled. I was able to send and receive email from this account, so Yahoo does have the ability to use SSL email connections. I called Bell and was told that they too allow SSL connections to their email servers.

    I think it is abhorrent behavior from a major internet provider to deliberately prevent customers from taking basic steps to secure their personal email from prying eyes. I was informed that if enough customers request that this policy be changed, Rogers will revisit their flawed decision. I’m not going to hold my breath. Rogers is a lumbering leviathan and it will probably take legal action to force them to alter their course…

  5. r0b0 says:

    In theory, ssl (and https) should protect you from spoofing. But for the paranoid, there’s always a but to every theory. For instance, read this – http://patrol.psyced.org/

  6. tylerkaraszewski says:

    One other advantage to a VPN or similar (SSH tunneling) setup that you may not think of, but I’ve found useful:

    If you’re traveling abroad, but forward your network traffic back through the US (or wherever your home country is), it avoids a whole lot of annoying messages from places like your bank, or even Facebook, that lock you out of your account as a security measure, simply because you’re accessing it from another country. Also, many sites do localization based not on your browser’s language settings, but your IP address (which is annoying), so you can, for instance, take a computer with an English OS and English web browser to Greece, and all of a sudden half the internet (even parts that are normally in English) are now appearing for you in Greek. This is also avoided by tunneling all your traffic back through your home country.

    • sergeirichard says:

      A quick aside…

      Also, many sites do localization based not on your browser’s language settings, but your IP address (which is annoying), so you can, for instance, take a computer with an English OS and English web browser to Greece, and all of a sudden half the internet (even parts that are normally in English) are now appearing for you in Greek.

      This notoriously happens with Google searches, which will always use Google’s local servers. If security isn’t your concern, you can get around this – in Firefox at least – with a search plugin to always use Google.com.

  7. milkman says:

    Tyler, good addition! I agree completely as an IT Engineering guy. You could even go as far as setting up a Linux box at home for free[ish] and use Cygwin (or similar) to appear at home.

  8. David Llopis says:

    Todd, either you’re an über hacker or a blowhard—either way the risk I’m exposing myself to by logging into my bank from the cafe down the street is small enough that I’m comfortable ignoring it.

  9. GeekMan says:

    I’ve got a hot security tip for you. If you’re away from a home/office, don’t log into your bank account over public Wi-Fi.

  10. limepies says:

    my number one question about network security is about 3g networks. is it secure enough to do banking or what from a smartphone? how tight is 3g, is it like a ‘personal’ network or more along the lines of a completely open wireless network where anyone can access your information?

  11. Anonymous says:

    My bank uses SSL/TLS, so I have no qualms about logging in to it with my laptop/phone on any network.

    • Todd Knarr says:

      Anon: remember that when you’re on someone else’s network, they control things like DNS. Which means when you type in “http://account.mybank.com/” you go to the server they decide you should go to, not the server your bank’s set up. If they do it right using a valid SSL certificate, you’ll never see any warning that you aren’t talking to the machine you think you’re talking to. I take advantage of this on my network to send domains like doubleclick.net into a “404 Not Found” black hole (and no, setting your own DNS servers won’t bypass this), if I can do it a bad guy can too.

      • tylerkaraszewski says:

        That is not how HTTPS works. You cannot field a valid SSL cert for “https://www.bankofamerica.com/” unless you are Bank of America (if you can, it’s through far more sophisticated attacks than DNS hijacking). You will see a warning about a domain name mis-match if the certificate in use is actually for toddknarr.com and is being used on a spoofed “bankofamerica.com”.

        Sure, you can spoof “http://www.bankofamerica.com”, but when you make it “HTTPS” it will throw warnings at you.

        • Todd Knarr says:

          Actually I can spoof “www.bankofamerica.com”. There’s two ways to go about it, one of which was used to gain signing-capable certificates in the name of Microsoft itself (yes, all the OU, CN and other information matched Microsoft) from Verisign.

          The other’s a bit more complex, but it can be made easier by a login page that asks users to install the WiFi operator’s certificate into the browser to ensure a secure login process.

          • tylerkaraszewski says:

            Sure, go ahead and do it then.

            Set up your spoof site, and then tell me which DNS servers you want me to use. I’ll set my laptop to use those DNS servers, and then type “https://www.bankofamerica.com” into the address bar of my browser. If I end up at a page that says “Tyler Karaszewski you owe me $100!” *without* my browser giving me a warning about an invalid security certificate, I’ll paypal $100 to the account of your choice.

            I will not pay you if it only works for “http” and not “https”. I will not pay you if I see a warning about your certificate.

            The “hack” you’re referring to (the one that’s *not* “a bit more complex”) requires you to convince VeriSign or another Certificate Authority that you’re actually Microsoft (or in the case of this challenge, Bank of America). Because someone was once able to do this for Microsoft 10 years ago hardly means you’re going to be able to replicate it now.

            The “more complex” hack requires using a more confusing and alarming dialog (installing a new certificate by hand) than the dialog it’s trying to avoid (the ‘invalid certificate’ warning).

  12. Anonymous says:

    Or sign up for zipline, and not give it a second thought..

    http://www.atenlabs.com/zipline

  13. David Llopis says:

    (Anon here)
    “The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.”
    http://en.wikipedia.org/wiki/HTTP_Secure#Main_idea

  14. David Llopis says:

    More specifically, if the network tries a DNS bait-and-switch, then the certificates won’t match up, and my browser will balk at the malicious server.
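
The name check argued over in comments 11 and 14, as an added example that is not part of the original thread and is not any browser's real code: a simplified RFC 6125-style match between the hostname the user typed and the dNSName entries of the presented certificate. Chain validation is reduced to a boolean here, the function names are illustrative, and the scenarios are constructed from the hypothetical domains used in the thread.

```python
# Added illustration: a simplified RFC 6125-style name check, not a browser's code.
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """True if one dNSName entry from a certificate covers the hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if _is_ip(hostname):
        return False  # IP literals are never matched against DNS names
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # refuse over-broad wildcards such as "*.com"
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def certificate_covers(san_dns_names, typed_hostname):
    """The name the user typed must match an entry in the presented certificate."""
    return any(dns_name_matches(p, typed_hostname) for p in san_dns_names)


def connection_accepted(san_dns_names, chain_trusted, typed_hostname):
    """No warning only if the chain is trusted AND the name matches."""
    return bool(chain_trusted) and certificate_covers(san_dns_names, typed_hostname)


# Constructed scenarios: (certificate names, chain trusted?, hostname typed).
SCENARIOS = {
    "real site": (["www.bankofamerica.com"], True, "www.bankofamerica.com"),
    "DNS redirect, operator's own valid cert": (["toddknarr.com"], True, "www.bankofamerica.com"),
    "DNS redirect, self-signed cert in bank's name": (["www.bankofamerica.com"], False, "www.bankofamerica.com"),
}

if __name__ == "__main__":
    for label, (names, trusted, host) in SCENARIOS.items():
        print(f"{label}: {'accepted' if connection_accepted(names, trusted, host) else 'warning'}")
```

A DNS answer changes which server is reached, not the hostname being checked, so only the first scenario is accepted without a warning.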
