Ask HN: How do you secure yourself on public WiFi?

86 points by whyleyc ↗ HN
Following on from the FireSheep post (http://news.ycombinator.com/item?id=1827928) how do HNers secure their InterWebs usage whilst on Public WiFi ?

It seems like VPN is a good way to go - I'm particularly interested to hear whether anyone can recommend any good VPN providers ?

The following were mentioned in the FireSheep post:

  WiTopia (http://www.witopia.net)
  OpenVPN (http://openvpn.net/)
Does anyone have any experience with them or others ?

75 comments

[ 2.9 ms ] story [ 160 ms ] thread
Ideally I'd rather not have to configure my own VPN server, but if I have to then so be it.
What I do:

I have a reachable personnal computer with an ssh server. Then on my local machine I do:

    ssh -D 9050 username@host
Then in your web browser you should simply use localhost:9050 as SOCKS proxy. Now you're safe about the WiFi sniffers.

I made a short post about this:

http://goo.gl/zTQM

Also, if you use firefox, there is a handy addon called "multiproxy switch" which makes handling lots of different proxies much easier.
Thank you. I didn't knew this one. It will be very useful.
I have a very cheap, small, Linux VPS for ssh tunneling via SOCKS proxy. It's a couple bucks a month, and it can also host my blog/app prototype/whatever when I get around to putting it up.
I loaded Tomato on my Linksys router, then enabled SSH. I proxy through that when on public wifi. This is the best method for me because my Linksys router is always on and uses very little power.

It's also setup so I can use remote desktop through the proxy to my desktop at home. I wrote up some instructions on how I did it here:

http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys...

(comment deleted)
Easy, I open up a terminal and type:

    start_vpn
It's a script which fires up an openvpn connection to a vps I have.

Getting openvpn working took about a day of hacking around on my vps and my mac. (just read the openvpn tutorial and follow the steps.) I still haven't gotten openvpn working on Windows but it's not something I've never needed.

(comment deleted)
I just use Viscosity which is a menubar app that lets you easily connect to an OpenVPN connection (you punch in the address, authentication type, etc and it lets you just click the server name from your menubar to connect).

I don't host my own server though, I use http://witopia.net I think I pay like $50-60/yr. But they give you a bunch of servers to connect to worldwide: http://cl.ly/2zEY

For the past 4 or 5 years I've been using SSH tunneling. I set up a location in OS X network preferences using the exact technique described in this comment http://news.ycombinator.com/item?id=1828631. I usually tunnel through my router at home which runs DD-WRT. I use SSH Tunnel manager to manage the tunnel http://projects.tynsoe.org/en/stm/.

Once it's set up, all you need to do is switch your network location to the tunnel location before you leave the house, then when you want to get online, press the button for the appropriate tunnel in SSH Tunnel Manager.

Thanks - I'd missed that comment you mentioned. Any thoughts on the pros and cons of using this vs a dedicated VPN ?
This is much easier to set up and works well. The router or server you are tunneling to needs no extra configuration beyond having ssh set up. On a VPS it will already be running and with router firmware like DD-WRT or Tomato it's just a checkbox in the settings.

VPN makes more sense if you need to access things on another network, like shared drives, and can be difficult to configure.

I've been working completely mobile and using tunneling for years. It works well. Set sshd on the router/server to use port 443 and you won't have issues with port restrictions.

I've got a similar setup using SSH Tunnel Manager to tunnel to a co-located Linux machine running squid proxy. All my applications used the proxy connection via the tunnel (browsers, IM clients, etc.).

Took some initial configuration time to get things setup but now its just one click in the SSH Tunnel Manager widget to get things going anytime I'm working remote.

VPN may be easier but an SSH tunnel gets it done.

You don't need to run squid to use an SSH tunnel as a proxy. If you set up a dynamic tunnel (not sure how to do this in SSH Tunnel Manager but it's fairly straightforward in putty) you point your clients at the local side and use it as a SOCKS proxy.
I used a FreeBSD box to setup Racoon and friends and wound up with a pretty decent setup that used certificates for logging in and was compatible with the built in OS X VPN support (L2TP + IPSec). The resulting solution is painless enough to deal with that I use it whenever I'm on wifi, even at home.

You pay the price with a pretty complicated setup (assuming you're not already an IPSec guru, which I certainly am not), though.

My long answer is here: http://www.h-i-r.net/2008/08/defcon-paranoia.html

The short answer: I back up my data. I encrypt all sensitive data on my laptop and don't access it in uncontrolled environments. I tunnel everything (usually with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3) Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin for example) isn't going through the tunnel, it can't even connect out.

It's worth mentioning that I usually operate this way all the time, whether I'm in a risky environment like DefCon or HOPE conferences, or my favorite small coffee shop. Tools like ProxySwitcher, small shell scripts, network locations and stuff that others have mentioned can be used by moderately-savvy folks to make the tunnel setup as painless as possible.

Is there any way to do this at the network device level (on Linux) so that individual applications don't have to be configured to use the proxy? That's the main source of my reluctance to do this.
In Linux, most applications respect the http_proxy environment variable. It's the closest thing Linux has to a system-wide proxy setting as found in the more mainstream platforms.
This is actually how I use Chromium with a proxy right now, but it requires that I launch it from the command line and manually specify the http_proxy (and https_proxy) variables (/usr/bin/env http_proxy="http://127.0.0.1:8080 https_proxy="https://127.0.0.1:8080 /usr/bin/chromium). I suppose I could set up some kind of script to launch Chromium (and all other applications) that would check if I'm on my home network and launch all apps with that variable if not, but that seems like a really ugly hack.
Executed properly, it might be an awesome hack!
In case this gives you an idea: in my linux laptop I just have two different users in the laptop, one that is configured to use a local tor proxy and another "non protected". Depending of if I'm out in the open or at home I use one of another. When I need some data from my protected user when in "unprotected mode" I sftp:// myself, but usually I do it the other way (unprotected data from protected mode). Much simpler, I think...
chromium --proxy-server=socks5://127.0.0.1:8080 is what I use, but chromium can also use your desktop environment's settings. On my laptop it allows me to make different proxy settings an define 'locations' that are easy to switch between.
That seems like a lot of work. Not that I'm opposed to doing it if necessary, but an automated solution (even if it were graphical) would be wonderful. In fact, it would be great if Wicd could somehow handle all this.
There doesn't appear to be a network-manager SSH VPN plugin, which is a shame. I would love to be able to easily create a VPN with any of my servers...
I bought a cheap VPS at linode.com, installed and configured pptpd and set up a PPTP connection to the VPS on my mac (using standard Network Preferences panel). When I need a secure connection I just connect over PPTP to the VPS. This enables pretty secure connection from the place with wireless access to the VPS for all tcp protocols (http, smtp, etc).
As a side note: Facebook has SSL access, but Facebook Chat doesn't work with it.

I use HTTPS Everywhere, and for any sites that don't use SSL (cough SLASHDOT cough) I just use non-standard passwords and take the risk, and be aware that what I say over unencrypted IM might be intercepted (though it's unlikely).

I own iPod Touch and I often check my email at university (through both Safari and Mail.app). Is there any good solution for iOS devices?
iOS supports L2TP VPN tunelling, so if you can get to a box that will provide this for you everything will be fine. Setting the server end up on Linux and OS X is pretty easy, the bit that trips up most people when they first try this is making sure that the access point or router that is upstream from your VPN endpoint knows to pass the IPsec packets straight through.
Are there any standard, bird's-eye-view references on IT security?
For those who don't want to setup their own vpn, you can try hotspotshield. It's free but they display a ad frame as you browse.

I setup vpn on my dd-wrt router.

I'm sure this is not the perfect answer since hotspotshield redirect somehow google search pages and force ads on every page. But you can get the ads away with a simple rule in .hosts file. Privoxy can add another layer of ad protection.
I guess my question would be: What additional threat do you thing public wifi poses, as opposed to any other internet access? IMHO, you have to assume that any unencrypted traffic over the internet could be sniffed, etc.

The only additional threats I can see would be threats against your PC directly, rather than your traffic.

Am I wrong?

As I understand it unsecured public WiFi is significantly more threatening when compared to standard hard-wired Ethernet as all your traffic is visible to any other user connected to the same network with a packet sniffer.

It's much, much harder (but not impossible) to do this on a hard-wired connection - there's a useful discussion as to why here: http://news.ycombinator.com/item?id=1828201

Your personal machine isn't going to be connected through "modern enterprise-grade switches like you would find in a data center," so ARP spoofing is a totally legitimate attack.
Much of that discussion is crap. They're wasting effort bikeshedding about local network sniffing. You have to assume that anything of value sent over the internet might be sniffed or at least could be sniffed by a well placed attacker. The last hop connection between your PC and the AP is hardly the only point at which your data is vulnerable. To assume otherwise is foolhardy.

That's why I said that the only additional risks I can see of an public Wifi is local attacks directly against your machine such as someone port scanning your laptop to look for vulnerable service or open fileshares, etc.

It's much more unlikely that there is a sniffer between your ISP's routers and the target servers for interesting traffic than an attacker listening to your AP traffic. Your ISPs have a vested, primary business interest in keeping their network and peer traffic secure. The coffee shop could care less if people hack each other's Twitter over their AP.

Think about it, say you want to grab somebody's credentials for a popular website. Do you a) hack into their ISP or b) follow them to a coffeeshop and open up Firesheep. What's the easiest angle you are going to take? Local network sniffing isn't the trivial example of sniffing, it's the most vulnerable and probably most exploited target. (Just ask Google.)

It's much easier for an attacker with few resources to go fishing for passwords, etc. over an open WiFi connection than it is for that person to somehow gain physical access to an ISP and install a packet sniffer.

So, the number of people who could conceivably be eavesdropping goes from a few (unscrupulous IT workers and law enforcement) to very many (everyone who can figure out a WiFi packet sniffer).

Small number of eavesdroppers, but also more sophisticated and dangerous ones. :-)
You're over-simplifying a bit. Public WiFi is a bit more risky, though, because the barrier to entry for sniffing last-mile infrastructure is so low that anyone can do it.

At my home and office you have to contend with WPA2-Enterprise (it's easy to set up at home, so I did). You'd need to get hard-wired access to my home, and pull some ARP trickery to sniff my last-mile infrastructure. We have 802.1x on the Ethernet ports at the office, so no dice there.

You're right, to a point. And the effective response is to make sure you're always protected as well as you can, instead of going into a "shields up!" situation only when your perceived risk is higher.

Yes. For an active attack, see airpwn - http://www.evilscheme.org/defcon/ If you think that's rather benign, consider the ssl cert checking flaw (http://hackaday.com/2009/07/29/black-hat-2009-breaking-ssl-w...). Put the two together, with a bit of paranoia, and the result is I never surf unsecured wifi without some sort of protection.
I guess I don't so much disagree with the idea of being careful on an unsecure public wifi, as I am concerned that so many people seem to think they only have to concerned about the unsecured wifi, not all the other hops on their connection. You know what I mean?
I don't think people here are suggesting that this is the only vector of attack against your system, rather that given the proliferation of unsecured WiFi networks it's just one of the more common.

When someone brings out the "ARP poisoning" add-on for Firefox maybe it will fuel debate on other types of attack :)

Usually I just avoid using public wifi. Tethering is practical enough these days. Worse case I have a few VPN endpoints to fall back on but if I'm going to be using HTTPS sites I don't even bother connecting.
I also tether a lot. Usually, the speed is better and more reliable than the over-crowded crap provided by businesses. The added layer of protection is just icing on the cake most of the time.
I have a marcopolo setting on my mac that, if none of my usual networks are found, fires up an ssh tunnel to a vps I have just for that, and turns on my socks proxy.

This takes me remembering to do it out of the equation

I ssh to one of my servers with -D to make a tunnel available via SOCKS5. I could have ssh make a tun device instead, but I'm normally only using git, ssh, tsock'd irssi, or a web browser through SOCKS.
Conceptually, why do all options involve a server? If I somehow can securely "tunnel" to my server, I first have to tunnel through the WiFi hotspot, right? Am I not free to browse, safely, after securing this first step? (Sorry for the vagueness... This is as far as I understand these concepts.)
The original problem is that sending HTTP requests and such directly on the WiFi hotspot connection sends it as plaintext. Thus it readable by anybody. With an SSH tunnel, all that plaintext is actually encrypted before it sent out over the WiFi hotspot, which protects it from eavesdroppers over that segment of the connection.
Thank you for the explanation!
I don't do anything unencrypted (no sites that don't support ssl, no ftp or telnet, etc). If I absolutely have to do something potentially insecure, I set up an ssh tunnel through my vps slice...I tend to avoid this if possible, because its both a pain-in-the-ass and very slow.
Other than ssh tunneling, I tried http://vyprvpn.com when it was offered together with giganews, and it was pretty fast, if a bit costly.
I'm using http://vyprvpn.com as it comes free with my Giganews account.
Same here. Works fine when I'm on the road. I suppose I could setup my own vpn through my server, but since this already meets my needs, why bother?
SSH, with SOCKS tunneling (and the FoxyProxy extension with Firefox, although I normally use Google Chrome). Works on Windows/Mac OS X/Linux. Note that this doesn't necessarily fix DNS sniffing and whatnot.

If I was paranoid, I'd bother to set up a VPN and use that.

If I'm extremely paranoid, I use Tor (which may have some security concerns).

(comment deleted)
Set

  network.proxy.socks_remote_dns to true
in about:config for Firefox to do DNS requests over SOCKS.
I use an L2TP/IPSEC VPN on a Linode VPS. It works great with OS X and iOS devices - I've not tried anything else. There's a simple toggle switch on iOS in Settings to activate the VPN, or a one-click menu item in OSX.

It's pretty easy to set up, if you're comfortable with Linux. I'm using it on Ubuntu 9.10, and I followed the guide here:

http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/