Page 1 of 2

Security on the client side while using hotspots

PostPosted: Thu Sep 30, 2004 1:33 pm
by siliconjunkie
In surfing the various wireless-related forums on the web, when discussing the topic of wireless security, most conversations seem to focus on AP security (and rightly so, I suppose). What I am curious about is security on the client side of things.

There are a lot of places in my area that offer free wireless access to their customers (many coffeeshops, several bars, and even a few laundamats). Most of these places allow this access via a wide open (no WEP) AP.

My concern is that without at least WEP in the mix, what is there to stop some "31337 haX0r" from sitting in the corner sipping a cappuchino with a laptop running an 802.11b sniffer and having him grab, say, my POP3 password or my netstumbler.org forums password when i login?

The soulution I have come up with for now is to set up my Win2K box at home to recieve VPN connections, and then after establishing the 802.11b connection while at a free hotspot, I then create a secure tunnel through the VPN at my house. I then surf through that, but as you can imagine, there is quite a performance hit compared to simply connecting to the insecure AP and surfing.

So the questions I am posing to the community here are:

1) Is what I described above the best method of securing myself on the client side of things? When I say "best", I mean not only security-wise, but performance-wise (i understand that being more secure when using public APs will require some amount of performace loss (like VPNing) or inconvenience (changing firewall settings, etc...)

2) If not, what do you suggest? (I would love to know about some kind of software package that is designed to address wireless security on the client side of things, but maybe there is something else I am missing?

3) Am I being too "tinfoil" hattish (ie: am I making a mountain out of a mole hill in regards to worrying about someone sniffing traffic at free APs or am I misunderstnading the security risks)?

PostPosted: Thu Sep 30, 2004 2:52 pm
by renderman
Your being tinfoil hat enough. You never know what sort of crap people are doing. One of my guilty pleasures is to run driftnet and dsniff in the background (/dev/null'd of course) and just see what goes by.

Regular web surfing is'nt a big issue if it's for sports scores and news, unless you start going to sites requiring authentication. I'd tunnel everything I could that needed authentication (email, secure sites, etc) through the tunnel home. The performance hit is well worth the safety. Though you might want to consider some level of security that it's actually *your* box your connecting to and not a man-in-the-middle (airsnarf)

There's not really much you can do in terms of 3rd party security other than a VPN since a public hotspot by definition needs to be open.

My road connecting setup is: Firewalled laptop, ssh tunnel to home system with S/KEY one time passwords, do everything on remote workstation using VNC tunneled over SSH. The only traffic is in the SSH tunnel :)

PostPosted: Thu Sep 30, 2004 2:55 pm
by PaPPy
siliconjunkie wrote:3) Am I being too "tinfoil" hattish (ie: am I making a mountain out of a mole hill in regards to worrying about someone sniffing traffic at free APs or am I misunderstnading the security risks)?



Have you ever seen the movie "the core"??? Its been done many of times. and unless you have some way to encrypt ur info leaving your and decrypted on the server/website, anyone running a sniffer program will capture it all. So security or performance?

PostPosted: Thu Sep 30, 2004 4:32 pm
by audit
try http://anonymizer.com/index.cgi

That's what I use to tunnel http traffic when traveling, it's cheap and just works.

PostPosted: Thu Sep 30, 2004 7:00 pm
by peekitty
siliconjunkie wrote:In surfing the various wireless-related forums on the web, when discussing the topic of wireless security, most conversations seem to focus on AP security (and rightly so, I suppose).
You're absolutely correct, client side security is not addressed much. Another aspect of that is that when you join a public hotspot, you also open yourself up to active attacks on your local machine. It's good that software firewalls are almost ubiquitous - which comes back to why client side security is not frequently discussed. The circle of life continues..

PostPosted: Thu Sep 30, 2004 8:04 pm
by siliconjunkie
renderman wrote:Though you might want to consider some level of security that it's actually *your* box your connecting to and not a man-in-the-middle (airsnarf)
THATS the type of thing that creeps me out. The whole AirPWN thing got me concerned with connecting at public spots...the idea of someone intercepting HTTP traffic at a public hotspot and injecting goatse jpgs is one thing, but potentially intercepting and redirecting what i believe to be TUNNELED traffic is totally scary. I have my VPN settings configured to a particular IP address, and also set to drop any connection which isnt encrypted and I have a software firewall installed. Beyond that, I'm not exactly sure what other steps I can take to ensure a secure connection.


You know, I never thought about that. I always thought that Anonymizer just provided anonymous surfing, I didn't realize that their paid service also provided SSL. Thanks for the info. How is the latency on the service (the free service seems to lag a bit)?


peekitty wrote:It's good that software firewalls are almost ubiquitous
Yeah, firewalls help to some degree, but I'm more worried about somebody just sniffing my packets right out of the air than I am them "breaking into" my machine per se.

A few more resources

PostPosted: Wed Oct 06, 2004 3:47 pm
by siliconjunkie
For any of you out there following this thread who are interested in a bit more security when using public wifi i found 2 sites that offer free HTTPS proxies that are useful for encrypting your surfing when using a network whos security you cannot verify:

The Cloak is a cool site that offers both free and paid services. The HTTPS service uses 256 bit encryption. The service is transparent (links on surfed pages are recoded to direct you thru the proxy) and there are no ads (which is nice) but free users are subject to a limited about of data transfer during a given time period (this varies based on traffic at the time). I had no problem checking mail and surfing slashdot and a few news sites before I used up my freebie time for the 5 hour period. It was also VERY fast (i noticed almost no difference between using the proxy and not)

Proxify is a cool one as well. Free usage is not as limited as The Cloak, but you will be forced to view some ads at the top of every proxied page.

PostPosted: Sat Nov 06, 2004 4:12 am
by biolizard89-2
siliconjunkie wrote:For any of you out there following this thread who are interested in a bit more security when using public wifi i found 2 sites that offer free HTTPS proxies that are useful for encrypting your surfing when using a network whos security you cannot verify:

The Cloak is a cool site that offers both free and paid services. The HTTPS service uses 256 bit encryption. The service is transparent (links on surfed pages are recoded to direct you thru the proxy) and there are no ads (which is nice) but free users are subject to a limited about of data transfer during a given time period (this varies based on traffic at the time). I had no problem checking mail and surfing slashdot and a few news sites before I used up my freebie time for the 5 hour period. It was also VERY fast (i noticed almost no difference between using the proxy and not)

Proxify is a cool one as well. Free usage is not as limited as The Cloak, but you will be forced to view some ads at the top of every proxied page.


Or, if you don't want to see ads or pay anything, just use an SSL CGIProxy. There are tons floating around on the Internet.
http://www.zensur.freerk.com/#4.5.3
I'm a total n00b, so don't flame me if I'm being an idiot.

PostPosted: Sat Nov 06, 2004 12:45 pm
by Josh208
biolizard89-2 wrote:Or, if you don't want to see ads or pay anything, just use an SSL CGIProxy. There are tons floating around on the Internet.
http://www.zensur.freerk.com/#4.5.3
I'm a total n00b, so don't flame me if I'm being an idiot.


No flame... and I wouldn't call you an idiot, but this hardly seems like a good idea to me. It appears as though anybody could set up their own proxy and advertise it here. What's to stop them from snooping the traffic of their users? If security is the goal, I'd stick with well known/trusted providers.

PostPosted: Fri Jan 14, 2005 3:46 am
by L Y R
renderman wrote:Regular web surfing is'nt a big issue if it's for sports scores and news, unless you start going to sites requiring authentication. I'd tunnel everything I could that needed authentication (email, secure sites, etc) through the tunnel home. The performance hit is well worth the safety. Though you might want to consider some level of security that it's actually *your* box your connecting to and not a man-in-the-middle (airsnarf)

There's not really much you can do in terms of 3rd party security other than a VPN since a public hotspot by definition needs to be open.

My road connecting setup is: Firewalled laptop, ssh tunnel to home system with S/KEY one time passwords, do everything on remote workstation using VNC tunneled over SSH. The only traffic is in the SSH tunnel :)


Not sure what all the fuss is about, if you are connecting to an SSL web page which most password and sensetive pages are, your data is encrypted. while traveling over wireless or wired it makes no difference, Just like a sniffer can pick up information traveling in the air, so can a man in the middle pick up information over the core internet. Wireless aspect makes it all the more public and accessable, thought not more breakable.

Advice is]Always [/B]update your antiviruses, always update your OS patches. enable your soft firewall, and ONLY give senstive data over CERTIFIED and secure SSL pages. As with Filesharing, I would not advise that in a coffeshop, unless its not sensitive data

Am I missing something, Because I hear all the hype, yet I have not yet seen a case where passwords have been decrypted over the air while traveling to an SSL destination. But believe me the day SSL is cracked, we either have to move like lightning to 256k encryption, or Game over for Internet as we see it.

use 802.1x

PostPosted: Mon May 30, 2005 10:24 pm
by deltamind
and do an authentication against the server provided by Radiuz. It's free.


--------------------------------------------------------------------------
Brain M
http://www.wirelessorbit.com

PostPosted: Tue May 31, 2005 5:01 am
by Starpoint
L Y R wrote:Not sure what all the fuss is about, if you are connecting to an SSL web page which most password and sensetive pages are, your data is encrypted. while traveling over wireless or wired it makes no difference, Just like a sniffer can pick up information traveling in the air, so can a man in the middle pick up information over the core internet. Wireless aspect makes it all the more public and accessable, thought not more breakable.

Advice is]Always [/B]update your antiviruses, always update your OS patches. enable your soft firewall, and ONLY give senstive data over CERTIFIED and secure SSL pages. As with Filesharing, I would not advise that in a coffeshop, unless its not sensitive data

Am I missing something, Because I hear all the hype, yet I have not yet seen a case where passwords have been decrypted over the air while traveling to an SSL destination. But believe me the day SSL is cracked, we either have to move like lightning to 256k encryption, or Game over for Internet as we see it.


I used to know of a company that offered hardware encryption on the NIC. Their NIC's would anything from 128 bit up to 4kbit encryption on all data at the nic.

When I find their info will post.

currently the only 256bit encrytion device I know of is dlink. they offer a 256 bit on their wifi routers.

I am sure there are more.

PostPosted: Tue May 31, 2005 5:03 am
by streaker69
Starpoint wrote:I used to know of a company that offered hardware encryption on the NIC. Their NIC's would anything from 128 bit up to 4kbit encryption on all data at the nic.

When I find their info will post.

currently the only 256bit encrytion device I know of is dlink. they offer a 256 bit on their wifi routers.

I am sure there are more.


3com had a NIC out a couple years ago that had onboard hardware encryption. I believe they were calling it the Typhoon. I only saw one at a show in NY, but never saw one sitting on a shelf for sale anywhere, but it was probably such a specialized thing they wouldn't retail it.

passwords and cookies?

PostPosted: Sun Jun 12, 2005 8:29 am
by odoyle81
L Y R wrote:Not sure what all the fuss is about, if you are connecting to an SSL web page which most password and sensetive pages are, your data is encrypted. while traveling over wireless or wired it makes no difference, Just like a sniffer can pick up information traveling in the air, so can a man in the middle pick up information over the core internet. Wireless aspect makes it all the more public and accessable, thought not more breakable.

Advice is]Always [/B]update your antiviruses, always update your OS patches. enable your soft firewall, and ONLY give senstive data over CERTIFIED and secure SSL pages. As with Filesharing, I would not advise that in a coffeshop, unless its not sensitive data


I understand the importance of using SSL when logging into banks or email. I was wondering if someone could clarify something for me though. Alot of sites uses cookies when you click on "remember me". It seems when I access the sites after doing this, it doesn't send a username or password (encrypted or otherwise), and I was wondering how this worked. I guess I don't understand how cookies are communicating with the website..

Thanks..

PostPosted: Sun Jun 12, 2005 8:40 am
by Dutch
odoyle81 wrote:I understand the importance of using SSL when logging into banks or email. I was wondering if someone could clarify something for me though. Alot of sites uses cookies when you click on "remember me". It seems when I access the sites after doing this, it doesn't send a username or password (encrypted or otherwise), and I was wondering how this worked. I guess I don't understand how cookies are communicating with the website..

Thanks..

This is a freebie : http://www.google.com/search?q=how+cookies+work
Before posting again, please read all the posts in the Welcome Desk section. That might keep you out of trouble here...

Dutch