Ask HN: How do you secure yourself on public WiFi?
Following on from the FireSheep post (http://news.ycombinator.com/item?id=1827928) how do HNers secure their InterWebs usage whilst on Public WiFi ?
It seems like VPN is a good way to go - I'm particularly interested to hear whether anyone can recommend any good VPN providers ?
The following were mentioned in the FireSheep post:
WiTopia (http://www.witopia.net)
OpenVPN (http://openvpn.net/)
Does anyone have any experience with them or others ?
75 comments
[ 2.9 ms ] story [ 160 ms ] threadI have a reachable personnal computer with an ssh server. Then on my local machine I do:
Then in your web browser you should simply use localhost:9050 as SOCKS proxy. Now you're safe about the WiFi sniffers.I made a short post about this:
http://goo.gl/zTQM
I downloaded "ProxySwitcher" for Chrome for easy switching between the proxy and direct connection:
https://chrome.google.com/extensions/detail/caehdcpeofiiigpd...
It's also setup so I can use remote desktop through the proxy to my desktop at home. I wrote up some instructions on how I did it here:
http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys...
Getting openvpn working took about a day of hacking around on my vps and my mac. (just read the openvpn tutorial and follow the steps.) I still haven't gotten openvpn working on Windows but it's not something I've never needed.
I don't host my own server though, I use http://witopia.net I think I pay like $50-60/yr. But they give you a bunch of servers to connect to worldwide: http://cl.ly/2zEY
Once it's set up, all you need to do is switch your network location to the tunnel location before you leave the house, then when you want to get online, press the button for the appropriate tunnel in SSH Tunnel Manager.
VPN makes more sense if you need to access things on another network, like shared drives, and can be difficult to configure.
I've been working completely mobile and using tunneling for years. It works well. Set sshd on the router/server to use port 443 and you won't have issues with port restrictions.
Took some initial configuration time to get things setup but now its just one click in the SSH Tunnel Manager widget to get things going anytime I'm working remote.
VPN may be easier but an SSH tunnel gets it done.
You pay the price with a pretty complicated setup (assuming you're not already an IPSec guru, which I certainly am not), though.
The short answer: I back up my data. I encrypt all sensitive data on my laptop and don't access it in uncontrolled environments. I tunnel everything (usually with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3) Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin for example) isn't going through the tunnel, it can't even connect out.
It's worth mentioning that I usually operate this way all the time, whether I'm in a risky environment like DefCon or HOPE conferences, or my favorite small coffee shop. Tools like ProxySwitcher, small shell scripts, network locations and stuff that others have mentioned can be used by moderately-savvy folks to make the tunnel setup as painless as possible.
http://tsocks.sourceforge.net/faq.php
I use HTTPS Everywhere, and for any sites that don't use SSL (cough SLASHDOT cough) I just use non-standard passwords and take the risk, and be aware that what I say over unencrypted IM might be intercepted (though it's unlikely).
I setup vpn on my dd-wrt router.
The only additional threats I can see would be threats against your PC directly, rather than your traffic.
Am I wrong?
It's much, much harder (but not impossible) to do this on a hard-wired connection - there's a useful discussion as to why here: http://news.ycombinator.com/item?id=1828201
That's why I said that the only additional risks I can see of an public Wifi is local attacks directly against your machine such as someone port scanning your laptop to look for vulnerable service or open fileshares, etc.
Think about it, say you want to grab somebody's credentials for a popular website. Do you a) hack into their ISP or b) follow them to a coffeeshop and open up Firesheep. What's the easiest angle you are going to take? Local network sniffing isn't the trivial example of sniffing, it's the most vulnerable and probably most exploited target. (Just ask Google.)
So, the number of people who could conceivably be eavesdropping goes from a few (unscrupulous IT workers and law enforcement) to very many (everyone who can figure out a WiFi packet sniffer).
At my home and office you have to contend with WPA2-Enterprise (it's easy to set up at home, so I did). You'd need to get hard-wired access to my home, and pull some ARP trickery to sniff my last-mile infrastructure. We have 802.1x on the Ethernet ports at the office, so no dice there.
You're right, to a point. And the effective response is to make sure you're always protected as well as you can, instead of going into a "shields up!" situation only when your perceived risk is higher.
When someone brings out the "ARP poisoning" add-on for Firefox maybe it will fuel debate on other types of attack :)
This takes me remembering to do it out of the equation
If I was paranoid, I'd bother to set up a VPN and use that.
If I'm extremely paranoid, I use Tor (which may have some security concerns).
It's pretty easy to set up, if you're comfortable with Linux. I'm using it on Ubuntu 9.10, and I followed the guide here:
http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/