Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: How do you secure yourself on public WiFi?
86 points by whyleyc on Oct 25, 2010 | hide | past | web | favorite | 71 comments
Following on from the FireSheep post (http://news.ycombinator.com/item?id=1827928) how do HNers secure their InterWebs usage whilst on Public WiFi ?

It seems like VPN is a good way to go - I'm particularly interested to hear whether anyone can recommend any good VPN providers ?

The following were mentioned in the FireSheep post:

  WiTopia (http://www.witopia.net)
  OpenVPN (http://openvpn.net/)
Does anyone have any experience with them or others ?



My long answer is here: http://www.h-i-r.net/2008/08/defcon-paranoia.html

The short answer: I back up my data. I encrypt all sensitive data on my laptop and don't access it in uncontrolled environments. I tunnel everything (usually with OpenSSH Dynamic Proxy) and then I run a firewall ruleset on my laptop that: 1) Permits tunneling to my server, 2) Permits anything on localhost, 3) Blocks all other incoming or outgoing traffic. Meaning if some program (Pidgin for example) isn't going through the tunnel, it can't even connect out.

It's worth mentioning that I usually operate this way all the time, whether I'm in a risky environment like DefCon or HOPE conferences, or my favorite small coffee shop. Tools like ProxySwitcher, small shell scripts, network locations and stuff that others have mentioned can be used by moderately-savvy folks to make the tunnel setup as painless as possible.


Is there any way to do this at the network device level (on Linux) so that individual applications don't have to be configured to use the proxy? That's the main source of my reluctance to do this.


You probably want to use tsocks. It LD_PRELOADs the socket related functions and does the necessary work.

http://tsocks.sourceforge.net/faq.php


In Linux, most applications respect the http_proxy environment variable. It's the closest thing Linux has to a system-wide proxy setting as found in the more mainstream platforms.


This is actually how I use Chromium with a proxy right now, but it requires that I launch it from the command line and manually specify the http_proxy (and https_proxy) variables (/usr/bin/env http_proxy="http://127.0.0.1:8080 https_proxy="https://127.0.0.1:8080 /usr/bin/chromium). I suppose I could set up some kind of script to launch Chromium (and all other applications) that would check if I'm on my home network and launch all apps with that variable if not, but that seems like a really ugly hack.


In case this gives you an idea: in my linux laptop I just have two different users in the laptop, one that is configured to use a local tor proxy and another "non protected". Depending of if I'm out in the open or at home I use one of another. When I need some data from my protected user when in "unprotected mode" I sftp:// myself, but usually I do it the other way (unprotected data from protected mode). Much simpler, I think...


chromium --proxy-server=socks5://127.0.0.1:8080 is what I use, but chromium can also use your desktop environment's settings. On my laptop it allows me to make different proxy settings an define 'locations' that are easy to switch between.


Executed properly, it might be an awesome hack!



That seems like a lot of work. Not that I'm opposed to doing it if necessary, but an automated solution (even if it were graphical) would be wonderful. In fact, it would be great if Wicd could somehow handle all this.


There doesn't appear to be a network-manager SSH VPN plugin, which is a shame. I would love to be able to easily create a VPN with any of my servers...


What I do:

I have a reachable personnal computer with an ssh server. Then on my local machine I do:

    ssh -D 9050 username@host
Then in your web browser you should simply use localhost:9050 as SOCKS proxy. Now you're safe about the WiFi sniffers.

I made a short post about this:

http://goo.gl/zTQM


Great - Just tested, and it seems to work well (fooling FireSheep).

I downloaded "ProxySwitcher" for Chrome for easy switching between the proxy and direct connection:

https://chrome.google.com/extensions/detail/caehdcpeofiiigpd...


Also, if you use firefox, there is a handy addon called "multiproxy switch" which makes handling lots of different proxies much easier.


Thank you. I didn't knew this one. It will be very useful.


For the past 4 or 5 years I've been using SSH tunneling. I set up a location in OS X network preferences using the exact technique described in this comment http://news.ycombinator.com/item?id=1828631. I usually tunnel through my router at home which runs DD-WRT. I use SSH Tunnel manager to manage the tunnel http://projects.tynsoe.org/en/stm/.

Once it's set up, all you need to do is switch your network location to the tunnel location before you leave the house, then when you want to get online, press the button for the appropriate tunnel in SSH Tunnel Manager.


I've got a similar setup using SSH Tunnel Manager to tunnel to a co-located Linux machine running squid proxy. All my applications used the proxy connection via the tunnel (browsers, IM clients, etc.).

Took some initial configuration time to get things setup but now its just one click in the SSH Tunnel Manager widget to get things going anytime I'm working remote.

VPN may be easier but an SSH tunnel gets it done.


You don't need to run squid to use an SSH tunnel as a proxy. If you set up a dynamic tunnel (not sure how to do this in SSH Tunnel Manager but it's fairly straightforward in putty) you point your clients at the local side and use it as a SOCKS proxy.


Thanks - I'd missed that comment you mentioned. Any thoughts on the pros and cons of using this vs a dedicated VPN ?


This is much easier to set up and works well. The router or server you are tunneling to needs no extra configuration beyond having ssh set up. On a VPS it will already be running and with router firmware like DD-WRT or Tomato it's just a checkbox in the settings.

VPN makes more sense if you need to access things on another network, like shared drives, and can be difficult to configure.

I've been working completely mobile and using tunneling for years. It works well. Set sshd on the router/server to use port 443 and you won't have issues with port restrictions.


I guess my question would be: What additional threat do you thing public wifi poses, as opposed to any other internet access? IMHO, you have to assume that any unencrypted traffic over the internet could be sniffed, etc.

The only additional threats I can see would be threats against your PC directly, rather than your traffic.

Am I wrong?


As I understand it unsecured public WiFi is significantly more threatening when compared to standard hard-wired Ethernet as all your traffic is visible to any other user connected to the same network with a packet sniffer.

It's much, much harder (but not impossible) to do this on a hard-wired connection - there's a useful discussion as to why here: http://news.ycombinator.com/item?id=1828201


Your personal machine isn't going to be connected through "modern enterprise-grade switches like you would find in a data center," so ARP spoofing is a totally legitimate attack.


Much of that discussion is crap. They're wasting effort bikeshedding about local network sniffing. You have to assume that anything of value sent over the internet might be sniffed or at least could be sniffed by a well placed attacker. The last hop connection between your PC and the AP is hardly the only point at which your data is vulnerable. To assume otherwise is foolhardy.

That's why I said that the only additional risks I can see of an public Wifi is local attacks directly against your machine such as someone port scanning your laptop to look for vulnerable service or open fileshares, etc.


It's much more unlikely that there is a sniffer between your ISP's routers and the target servers for interesting traffic than an attacker listening to your AP traffic. Your ISPs have a vested, primary business interest in keeping their network and peer traffic secure. The coffee shop could care less if people hack each other's Twitter over their AP.

Think about it, say you want to grab somebody's credentials for a popular website. Do you a) hack into their ISP or b) follow them to a coffeeshop and open up Firesheep. What's the easiest angle you are going to take? Local network sniffing isn't the trivial example of sniffing, it's the most vulnerable and probably most exploited target. (Just ask Google.)


You're over-simplifying a bit. Public WiFi is a bit more risky, though, because the barrier to entry for sniffing last-mile infrastructure is so low that anyone can do it.

At my home and office you have to contend with WPA2-Enterprise (it's easy to set up at home, so I did). You'd need to get hard-wired access to my home, and pull some ARP trickery to sniff my last-mile infrastructure. We have 802.1x on the Ethernet ports at the office, so no dice there.

You're right, to a point. And the effective response is to make sure you're always protected as well as you can, instead of going into a "shields up!" situation only when your perceived risk is higher.


It's much easier for an attacker with few resources to go fishing for passwords, etc. over an open WiFi connection than it is for that person to somehow gain physical access to an ISP and install a packet sniffer.

So, the number of people who could conceivably be eavesdropping goes from a few (unscrupulous IT workers and law enforcement) to very many (everyone who can figure out a WiFi packet sniffer).


Small number of eavesdroppers, but also more sophisticated and dangerous ones. :-)


Yes. For an active attack, see airpwn - http://www.evilscheme.org/defcon/ If you think that's rather benign, consider the ssl cert checking flaw (http://hackaday.com/2009/07/29/black-hat-2009-breaking-ssl-w...). Put the two together, with a bit of paranoia, and the result is I never surf unsecured wifi without some sort of protection.


I guess I don't so much disagree with the idea of being careful on an unsecure public wifi, as I am concerned that so many people seem to think they only have to concerned about the unsecured wifi, not all the other hops on their connection. You know what I mean?


Oh absolutely. And heres why: http://www.wired.com/threatlevel/2008/08/revealed-the-in/ . In short, the researchers demonstrated that they could poison the upstream provider for Defcon's internet, such that all Defcon traffic went first through their server, before reaching the internet at large.


I don't think people here are suggesting that this is the only vector of attack against your system, rather that given the proliferation of unsecured WiFi networks it's just one of the more common.

When someone brings out the "ARP poisoning" add-on for Firefox maybe it will fuel debate on other types of attack :)


I loaded Tomato on my Linksys router, then enabled SSH. I proxy through that when on public wifi. This is the best method for me because my Linksys router is always on and uses very little power.

It's also setup so I can use remote desktop through the proxy to my desktop at home. I wrote up some instructions on how I did it here:

http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys...


I use an L2TP/IPSEC VPN on a Linode VPS. It works great with OS X and iOS devices - I've not tried anything else. There's a simple toggle switch on iOS in Settings to activate the VPN, or a one-click menu item in OSX.

It's pretty easy to set up, if you're comfortable with Linux. I'm using it on Ubuntu 9.10, and I followed the guide here:

http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/


SSH, with SOCKS tunneling (and the FoxyProxy extension with Firefox, although I normally use Google Chrome). Works on Windows/Mac OS X/Linux. Note that this doesn't necessarily fix DNS sniffing and whatnot.

If I was paranoid, I'd bother to set up a VPN and use that.

If I'm extremely paranoid, I use Tor (which may have some security concerns).


Set

  network.proxy.socks_remote_dns to true
in about:config for Firefox to do DNS requests over SOCKS.


Thank you!!!


I have a very cheap, small, Linux VPS for ssh tunneling via SOCKS proxy. It's a couple bucks a month, and it can also host my blog/app prototype/whatever when I get around to putting it up.


Usually I just avoid using public wifi. Tethering is practical enough these days. Worse case I have a few VPN endpoints to fall back on but if I'm going to be using HTTPS sites I don't even bother connecting.


I also tether a lot. Usually, the speed is better and more reliable than the over-crowded crap provided by businesses. The added layer of protection is just icing on the cake most of the time.


Easy, I open up a terminal and type:

    start_vpn
It's a script which fires up an openvpn connection to a vps I have.

Getting openvpn working took about a day of hacking around on my vps and my mac. (just read the openvpn tutorial and follow the steps.) I still haven't gotten openvpn working on Windows but it's not something I've never needed.


I just use Viscosity which is a menubar app that lets you easily connect to an OpenVPN connection (you punch in the address, authentication type, etc and it lets you just click the server name from your menubar to connect).

I don't host my own server though, I use http://witopia.net I think I pay like $50-60/yr. But they give you a bunch of servers to connect to worldwide: http://cl.ly/2zEY


There's also Tunnelblick as a free and open source alternative to Viscosity - http://code.google.com/p/tunnelblick/


I have a marcopolo setting on my mac that, if none of my usual networks are found, fires up an ssh tunnel to a vps I have just for that, and turns on my socks proxy.

This takes me remembering to do it out of the equation


I own iPod Touch and I often check my email at university (through both Safari and Mail.app). Is there any good solution for iOS devices?


iOS supports L2TP VPN tunelling, so if you can get to a box that will provide this for you everything will be fine. Setting the server end up on Linux and OS X is pretty easy, the bit that trips up most people when they first try this is making sure that the access point or router that is upstream from your VPN endpoint knows to pass the IPsec packets straight through.


I bought a cheap VPS at linode.com, installed and configured pptpd and set up a PPTP connection to the VPS on my mac (using standard Network Preferences panel). When I need a secure connection I just connect over PPTP to the VPS. This enables pretty secure connection from the place with wireless access to the VPS for all tcp protocols (http, smtp, etc).


Are there any standard, bird's-eye-view references on IT security?


I give an example of my quick and dirty solution here: http://news.ycombinator.com/item?id=1828631

For more robust solutions I set up my own openvpn instance on a home server which I can use that from any coffee shop and I have a Witopia account (which I use when abroad as they have servers all over the world which speeds things up a bunch). I make the greatest use of Witopia from within China as they have servers in Hong Kong.


Here's a different approach to this problem - Take your home network with you!

I recently signed up for Clearwire's CLEAR service. They have a MiFi component that does "4G" with fallback to 3G if necessary. This gives me up to about 3MBs, with portability (up to 3 hours on battery). There is no data limit for "4G", and you get 5GB per month on the 3G fallback network.

Anywhere I travel inside the US, I'm using my home network, and isolated from public networks.


I use a simple OpenVPN or L2TP/IPSec provider + client app on OS X. Minimal setup and I can switch it on/off easily. I reviewed the one I use earlier this year, though this it now outdated because at the time they didn't offer OpenVPN and that was my biggest beef with it: http://paulstamatiou.com/how-toreview-surf-securely-with-vyp...


For quick and dirty connections out, I use PuTTY to Set up a dynamic local SSH tunnel to a host of mine on the Internet. Then I use the tunnel as a SOCKS proxy. It's fairly straightforward to set up.

For remote access and Internet access over wifi for non-SOCKSable stuff I use Strongswan. I have a small scale darknet set up with it (just me and a few friends) so it's already there for me, but I wouldn't recommend it unless you know your stuff.


I used a FreeBSD box to setup Racoon and friends and wound up with a pretty decent setup that used certificates for logging in and was compatible with the built in OS X VPN support (L2TP + IPSec). The resulting solution is painless enough to deal with that I use it whenever I'm on wifi, even at home.

You pay the price with a pretty complicated setup (assuming you're not already an IPSec guru, which I certainly am not), though.


For those who don't want to setup their own vpn, you can try hotspotshield. It's free but they display a ad frame as you browse.

I setup vpn on my dd-wrt router.


I'm sure this is not the perfect answer since hotspotshield redirect somehow google search pages and force ads on every page. But you can get the ads away with a simple rule in .hosts file. Privoxy can add another layer of ad protection.


I use Witopia from Canada.

In addition to helping secure my connection to the Internet at all times, it enables access to online services that are otherwise unavailable.

These services include BBC iPlayer out of the UK, and Hulu and other streaming services from the US, like sporting events.

I have found Witopia to be extremely reliable and fast.

I recommend their service.


Conceptually, why do all options involve a server? If I somehow can securely "tunnel" to my server, I first have to tunnel through the WiFi hotspot, right? Am I not free to browse, safely, after securing this first step? (Sorry for the vagueness... This is as far as I understand these concepts.)


The original problem is that sending HTTP requests and such directly on the WiFi hotspot connection sends it as plaintext. Thus it readable by anybody. With an SSH tunnel, all that plaintext is actually encrypted before it sent out over the WiFi hotspot, which protects it from eavesdroppers over that segment of the connection.


Thank you for the explanation!


I don't do anything unencrypted (no sites that don't support ssl, no ftp or telnet, etc). If I absolutely have to do something potentially insecure, I set up an ssh tunnel through my vps slice...I tend to avoid this if possible, because its both a pain-in-the-ass and very slow.


Ideally I'd rather not have to configure my own VPN server, but if I have to then so be it.


I've been trying out sshutttle <http://github.com/apenwarr/sshuttle>. It only tunnels TCP traffic, so you still have DNS and UDP traffic on the local network.


I run a http://www.pfsense.com/ firewall w/ VPN server and proxy enabled at home. My portable system is setup to deny everything that doesn't hit the proxy.

Very similar to ax0ns setup.


I ssh to one of my servers with -D to make a tunnel available via SOCKS5. I could have ssh make a tun device instead, but I'm normally only using git, ssh, tsock'd irssi, or a web browser through SOCKS.


Other than ssh tunneling, I tried http://vyprvpn.com when it was offered together with giganews, and it was pretty fast, if a bit costly.


I'm using http://vyprvpn.com as it comes free with my Giganews account.


Same here. Works fine when I'm on the road. I suppose I could setup my own vpn through my server, but since this already meets my needs, why bother?


I use and recommend ipredator.se, the piratebay VPN, for 5 EUR per month.


Runnig a proxy from home which uses HTTPS might help.


VPN to our OpenBSD box.


As a side note: Facebook has SSL access, but Facebook Chat doesn't work with it.

I use HTTPS Everywhere, and for any sites that don't use SSL (cough SLASHDOT cough) I just use non-standard passwords and take the risk, and be aware that what I say over unencrypted IM might be intercepted (though it's unlikely).




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: