Ask HN: How do you secure yourself on public WiFi? - whyleyc

Following on from the FireSheep post (http://news.ycombinator.com/item?id=1827928), how do HNers secure their InterWebs usage whilst on Public WiFi?

It seems like VPN is a good way to go - I'm particularly interested to hear whether anyone can recommend any good VPN providers?

The following were mentioned in the FireSheep post:

    WiTopia (http://www.witopia.net)
    OpenVPN (http://openvpn.net/)

Does anyone have any experience with them or others?
======
ax0n
My long answer is here: <http://www.h-i-r.net/2008/08/defcon-paranoia.html>

The short answer: I back up my data. I encrypt all sensitive data on my laptop
and don't access it in uncontrolled environments. I tunnel everything (usually
with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop
that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3)
Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin
for example) isn't going through the tunnel, it can't even connect out.

It's worth mentioning that I usually operate this way all the time, whether
I'm in a risky environment like DefCon or HOPE conferences, or my favorite
small coffee shop. Tools like ProxySwitcher, small shell scripts, network
locations and stuff that others have mentioned can be used by moderately-savvy
folks to make the tunnel setup as painless as possible.
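
As an added example (not ax0n's own script), here is a ruleset in the shape he describes: it permits the SSH tunnel to one server and loopback traffic, and drops everything else in or out, so a program that bypasses the SOCKS proxy cannot connect out at all. The server address, port and the use of iptables are assumptions; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not ax0n's own script. Emits an iptables ruleset in the
# shape described above: 1) permit the SSH tunnel to one server,
# 2) permit loopback, 3) drop everything else in or out.
# The host and port arguments are placeholders; the server is given as an
# IP because DNS to the local resolver is blocked too (resolve names through
# the SOCKS proxy instead). Apply after the WiFi DHCP lease is obtained,
# since DHCP is blocked as well; ip6tables needs the same treatment.
# Review, then apply:  sh tunnel_only.sh 198.51.100.10 22 | sudo sh

tunnel_only_rules() {
    host="$1"          # IP of the SSH server the dynamic proxy goes to
    port="${2:-22}"    # its SSH port
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 2) anything on localhost: the ssh -D SOCKS listener lives here
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 1) the tunnel itself, plus replies belonging to it
iptables -A OUTPUT -p tcp -d $host --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s $host --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# 3) everything else falls to the DROP policies; log it first so a program
# that is not going through the tunnel (Pidgin, say) shows up in the logs
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "tunnel-only leak out: "
iptables -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "tunnel-only leak in: "
EOF
}

# Print the rules when run directly with a server IP (and optional port).
if [ "$#" -gt 0 ]; then
    tunnel_only_rules "$@"
fi
```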

~~~
w1ntermute
Is there any way to do this at the network device level (on Linux) so that
individual applications don't have to be configured to use the proxy? That's
the main source of my reluctance to do this.

~~~
ax0n
In Linux, most applications respect the http_proxy environment variable. It's
the closest thing Linux has to a system-wide proxy setting as found in the
more mainstream platforms.

~~~
w1ntermute
This is actually how I use Chromium with a proxy right now, but it requires
that I launch it from the command line and manually specify the http_proxy
(and https_proxy) variables (/usr/bin/env http_proxy="http://127.0.0.1:8080"
https_proxy="https://127.0.0.1:8080" /usr/bin/chromium). I suppose I could
set up some kind of script to launch Chromium (and all other applications)
that would check if I'm on my home network and launch all apps with that
variable if not, but that seems like a really ugly hack.

~~~
dan_netwalker
In case this gives you an idea: on my Linux laptop I just have two different
users, one that is configured to use a local Tor proxy and another
"non protected". Depending on whether I'm out in the open or at home I use
one or the other. When I need some data from my protected user while in
"unprotected mode" I sftp:// myself, but usually I do it the other way
(unprotected data from protected mode). Much simpler, I think...

------
yogsototh
What I do:

I have a reachable personal computer with an ssh server. Then on my local
machine I do:

    ssh -D 9050 username@host

Then in your web browser you should simply use localhost:9050 as SOCKS proxy.
Now you're safe from the WiFi sniffers.

I made a short post about this:

<http://goo.gl/zTQM>

~~~
jbeluch
Also, if you use firefox, there is a handy addon called "multiproxy switch"
which makes handling lots of different proxies much easier.

~~~
yogsototh
Thank you. I didn't know this one. It will be very useful.

------
carbon8
For the past 4 or 5 years I've been using SSH tunneling. I set up a location
in OS X network preferences using the exact technique described in this
comment <http://news.ycombinator.com/item?id=1828631>. I usually tunnel
through my router at home which runs DD-WRT. I use SSH Tunnel Manager to
manage the tunnel <http://projects.tynsoe.org/en/stm/>.

Once it's set up, all you need to do is switch your network location to the
tunnel location before you leave the house, then when you want to get online,
press the button for the appropriate tunnel in SSH Tunnel Manager.

~~~
JoeBracken
I've got a similar setup using SSH Tunnel Manager to tunnel to a co-located
Linux machine running squid proxy. All my applications used the proxy
connection via the tunnel (browsers, IM clients, etc.).

Took some initial configuration time to get things set up but now it's just one
click in the SSH Tunnel Manager widget to get things going anytime I'm working
remote.

VPN may be easier but an SSH tunnel gets it done.

~~~
iuguy
You don't need to run squid to use an SSH tunnel as a proxy. If you set up a
dynamic tunnel (not sure how to do this in SSH Tunnel Manager but it's fairly
straightforward in putty) you point your clients at the local side and use it
as a SOCKS proxy.

------
theBobMcCormick
I guess my question would be: What additional threat do you think public wifi
poses, as opposed to any other internet access? IMHO, you have to assume that
any unencrypted traffic over the internet could be sniffed, etc.

The only additional threats I can see would be threats against your PC
directly, rather than your traffic.

Am I wrong?

~~~
whyleyc
As I understand it unsecured public WiFi is significantly more threatening
when compared to standard hard-wired Ethernet as all your traffic is visible
to any other user connected to the same network with a packet sniffer.

It's much, much harder (but not impossible) to do this on a hard-wired
connection - there's a useful discussion as to why here:
<http://news.ycombinator.com/item?id=1828201>

~~~
theBobMcCormick
Much of that discussion is crap. They're wasting effort bikeshedding about
local network sniffing. You have to assume that anything of value sent over
the internet might be sniffed or at least could be sniffed by a well placed
attacker. The last hop connection between your PC and the AP is hardly the
only point at which your data is vulnerable. To assume otherwise is foolhardy.

That's why I said that the only additional risks I can see of a public Wifi
are local attacks directly against your machine such as someone port scanning
your laptop to look for vulnerable services or open fileshares, etc.

~~~
pak
It's much more unlikely that there is a sniffer between your ISP's routers and
the target servers for interesting traffic than an attacker listening to your
AP traffic. Your ISPs have a vested, primary business interest in keeping
their network and peer traffic secure. The coffee shop could care less if
people hack each other's Twitter over their AP.

Think about it, say you want to grab somebody's credentials for a popular
website. Do you a) hack into their ISP or b) follow them to a coffee shop and
open up Firesheep? What's the easiest angle you are going to take? Local
network sniffing isn't the trivial example of sniffing, it's the most
vulnerable and probably most exploited target. (Just ask Google.)

------
ronnier
I loaded Tomato on my Linksys router, then enabled SSH. I proxy through that
when on public wifi. This is the best method for me because my Linksys router
is always on and uses very little power.

It's also set up so I can use remote desktop through the proxy to my desktop at
home. I wrote up some instructions on how I did it here:

<http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys_router>

------
scraplab
I use an L2TP/IPSEC VPN on a Linode VPS. It works great with OS X and iOS
devices - I've not tried anything else. There's a simple toggle switch on iOS
in Settings to activate the VPN, or a one-click menu item in OSX.

It's pretty easy to set up, if you're comfortable with Linux. I'm using it on
Ubuntu 9.10, and I followed the guide here:

<http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/>

------
runjake
SSH, with SOCKS tunneling (and the FoxyProxy extension with Firefox, although
I normally use Google Chrome). Works on Windows/Mac OS X/Linux. Note that this
doesn't necessarily fix DNS sniffing and whatnot.

If I was paranoid, I'd bother to set up a VPN and use that.

If I'm extremely paranoid, I use Tor (which may have some security concerns).

~~~
fragmede
Set

    network.proxy.socks_remote_dns

to true in about:config for Firefox to do DNS requests over SOCKS.

~~~
runjake
Thank you!!!

------
retroafroman
I have a very cheap, small, Linux VPS for ssh tunneling via SOCKS proxy. It's
a couple bucks a month, and it can also host my blog/app prototype/whatever
when I get around to putting it up.

------
jsz0
Usually I just avoid using public wifi. Tethering is practical enough these
days. Worst case I have a few VPN endpoints to fall back on, but if I'm going
to be using HTTPS sites I don't even bother connecting.

~~~
ax0n
I also tether a lot. Usually, the speed is better and more reliable than the
over-crowded crap provided by businesses. The added layer of protection is
just icing on the cake most of the time.

------
epochwolf
Easy, I open up a terminal and type:

    start_vpn

It's a script which fires up an openvpn connection to a vps I have.

Getting openvpn working took about a day of hacking around on my vps and my
mac. (Just read the openvpn tutorial and follow the steps.) I still haven't
gotten openvpn working on Windows but it's not something I've ever needed.

~~~
mikeyur
I just use Viscosity which is a menubar app that lets you easily connect to an
OpenVPN connection (you punch in the address, authentication type, etc and it
lets you just click the server name from your menubar to connect).

I don't host my own server though, I use <http://witopia.net>. I think I pay
like $50-60/yr. But they give you a bunch of servers to connect to worldwide:
<http://cl.ly/2zEY>

~~~
fragmede
There's also Tunnelblick as a free and open source alternative to Viscosity -
<http://code.google.com/p/tunnelblick/>

------
mitchellhislop
I have a marcopolo setting on my mac that, if none of my usual networks are
found, fires up an ssh tunnel to a vps I have just for that, and turns on my
socks proxy.

This takes remembering to do it out of the equation.

------
grotos
I own an iPod Touch and I often check my email at university (through both Safari
and Mail.app). Is there any good solution for iOS devices?

~~~
evgen
iOS supports L2TP VPN tunnelling, so if you can get to a box that will provide
this for you everything will be fine. Setting the server end up on Linux and
OS X is pretty easy; the bit that trips up most people when they first try
this is making sure that the access point or router that is upstream from your
VPN endpoint knows to pass the IPsec packets straight through.

------
zaa
I bought a cheap VPS at linode.com, installed and configured pptpd and set up
a PPTP connection to the VPS on my mac (using the standard Network Preferences
panel). When I need a secure connection I just connect over PPTP to the VPS.
This enables a pretty secure connection from the place with wireless access to
the VPS for all tcp protocols (http, smtp, etc).

------
ez77
Are there any standard, _bird's-eye-view_ references on IT security?

------
gaoshan
I give an example of my quick and dirty solution here:
<http://news.ycombinator.com/item?id=1828631>

For more robust solutions I set up my own openvpn instance on a home server
which I can use from any coffee shop, and I have a Witopia account (which
I use when abroad as they have servers all over the world, which speeds things
up a bunch). I make the greatest use of Witopia from within China as they have
servers in Hong Kong.

------
tomfakes
Here's a different approach to this problem - Take your home network with you!

I recently signed up for Clearwire's CLEAR service. They have a MiFi component
that does "4G" with fallback to 3G if necessary. This gives me up to about
3MBs, with portability (up to 3 hours on battery). There is no data limit for
"4G", and you get 5GB per month on the 3G fallback network.

Anywhere I travel inside the US, I'm using my home network, and isolated from
public networks.

------
iuguy
For quick and dirty connections out, I use PuTTY to set up a dynamic local SSH
tunnel to a host of mine on the Internet. Then I use the tunnel as a SOCKS
proxy. It's fairly straightforward to set up.

For remote access and Internet access over wifi for non-SOCKSable stuff I use
Strongswan. I have a small scale darknet set up with it (just me and a few
friends) so it's already there for me, but I wouldn't recommend it unless you
know your stuff.

------
chip
For those who don't want to set up their own vpn, you can try hotspotshield.
It's free but they display an ad frame as you browse.

I set up vpn on my dd-wrt router.

~~~
karatchov
I'm sure this is not the perfect answer since hotspotshield somehow redirects
google search pages and forces ads on every page. But you can get the ads away
with a simple rule in the hosts file. Privoxy can add another layer of ad
protection.

------
poink
I used a FreeBSD box to set up Racoon and friends and wound up with a pretty
decent setup that used certificates for logging in and was compatible with the
built-in OS X VPN support (L2TP + IPSec). The resulting solution is painless
enough to deal with that I use it whenever I'm on wifi, even at home.

You pay the price with a pretty complicated setup (assuming you're not already
an IPSec guru, which I certainly am not), though.

------
PStamatiou
I use a simple OpenVPN or L2TP/IPSec provider + client app on OS X. Minimal
setup and I can switch it on/off easily. I reviewed the one I use earlier this
year, though it is now outdated because at the time they didn't offer
OpenVPN and that was my biggest beef with it:
<http://paulstamatiou.com/how-toreview-surf-securely-with-vyprvpn>

------
symesc
I use Witopia from Canada.

In addition to helping secure my connection to the Internet at all times, it
enables access to online services that are otherwise unavailable.

These services include BBC iPlayer out of the UK, and Hulu and other streaming
services from the US, like sporting events.

I have found Witopia to be extremely reliable and fast.

I recommend their service.

------
ez77
Conceptually, why do all options involve a server? If I somehow can securely
"tunnel" to my server, I first have to tunnel through the WiFi hotspot, right?
Am I not free to browse, safely, after securing this first step? (Sorry for
the vagueness... This is as far as I understand these concepts.)

~~~
staktrace
The original problem is that sending HTTP requests and such directly on the
WiFi hotspot connection sends them as plaintext. Thus they are readable by anybody.
With an SSH tunnel, all that plaintext is actually encrypted before it is sent
out over the WiFi hotspot, which protects it from eavesdroppers over that
segment of the connection.

~~~
ez77
Thank you for the explanation!

------
EvanK
I don't do anything unencrypted (no sites that don't support ssl, no ftp or
telnet, etc). If I absolutely have to do something potentially insecure, I set
up an ssh tunnel through my vps slice... I tend to avoid this if possible,
because it's both a pain-in-the-ass and very slow.

------
whyleyc
Ideally I'd rather not have to configure my own VPN server, but if I have to
then so be it.

------
m0shen
I run a <http://www.pfsense.com/> firewall w/ VPN server and proxy enabled at
home. My portable system is set up to deny everything that doesn't hit the
proxy.

Very similar to ax0n's setup.

------
jmreid
I've been trying out sshuttle <http://github.com/apenwarr/sshuttle>.
It only tunnels TCP traffic, so you still have DNS and UDP traffic on the
local network.

------
mukyu
I ssh to one of my servers with -D to make a tunnel available via SOCKS5. I
could have ssh make a tun device instead, but I'm normally only using git,
ssh, tsock'd irssi, or a web browser through SOCKS.

------
petdog
Other than ssh tunneling, I tried <http://vyprvpn.com> when it was offered
together with giganews, and it was pretty fast, if a bit costly.

~~~
Hates_
I'm using <http://vyprvpn.com> as it comes free with my Giganews account.

~~~
tallanvor
Same here. Works fine when I'm on the road. I suppose I could set up my own vpn
through my server, but since this already meets my needs, why bother?

------
lacerus
I use and recommend ipredator.se, the piratebay VPN, for 5 EUR per month.

------
sundar22in
Running a proxy from home which uses HTTPS might help.

------
shin_lao
VPN to our OpenBSD box.

------
lhnn
As a side note: Facebook has SSL access, but Facebook Chat doesn't work with
it.

I use HTTPS Everywhere, and for any sites that don't use SSL (cough SLASHDOT
cough) I just use non-standard passwords and take the risk, and am aware that
what I say over unencrypted IM might be intercepted (though it's unlikely).

