
posted by janrinok on Tuesday June 16 2015, @10:03AM
from the nothing-is-perfect dept.

Another story from Ars Technica:

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.

Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.

It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.

But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most, public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.

In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If it checks automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like an instant messaging client, may try to log on.

  • (Score: 3, Insightful) by wantkitteh (3362) on Tuesday June 16 2015, @10:06AM (#196802)

    Open Wifi has none. That is all.

  • (Score: 2) by mojo chan (266) on Wednesday June 17 2015, @11:55AM (#197219)

    That's the point of using a VPN. Even on open wifi your traffic is protected.

    This problem is easily fixable by a number of methods. What worries me is that they mentioned HideMyAss as an example. HideMyAss handed over user data from their logs when the police just asked for it. They won't "hide your ass" at all. Try Mullvad instead.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    • (Score: 2) by wantkitteh (3362) on Wednesday June 17 2015, @12:59PM (#197227)

      I think you might have missed the point: many applications are set to do all sorts of automatic stuff as soon as they detect a live internet connection. If there's no wifi encryption, that leaves a gap between the connection being established and the VPN being set up in which these applications will send information in the clear. OK, most of them will encrypt their own data, but you can still tell where they're going and make a good guess at what they contain, mostly being login credentials. The secondary issue is that preventing all network traffic from using anything other than the VPN may interfere with the web access login requirements many wifi services have. So, while using a VPN is a solution when done properly, it's also a problem in its own right a lot of the time, and most people don't use VPNs properly in the first place, and probably don't realise that.

      • (Score: 2) by mojo chan (266) on Thursday June 18 2015, @10:35AM (#197745)

        No, I got that. It's easily fixable. For example, the Mullvad client app can block internet access until the VPN has been established. So you open the client, it blocks everything except itself, and then you connect to wifi. As soon as wifi is connected the VPN client begins connecting, and only once the VPN is active are other apps allowed to access the internet.

        --
        const int one = 65536; (Silvermoon, Texture.cs)
        • (Score: 2) by wantkitteh (3362) on Thursday June 18 2015, @10:54AM (#197748)

          That's pretty cool - I'm remembering them, thanks. Question - is the no-VPN automatic traffic blocking system smart enough to selectively allow web traffic through when the wifi link you're trying to establish requires a web login? Pretty much any chain of cafes I pitch up in has some kind of auth with a web front end, usually redirected to a central login server somewhere. That could be quite challenging to selectively allow traffic to prior to the VPN setup.

          • (Score: 2) by mojo chan (266) on Thursday June 18 2015, @12:20PM (#197768)

            It doesn't help with captive portals, unfortunately. Quite often I find that if I just ignore the portal the VPN works anyway, and if not, even after using the portal the VPN is blocked (as is everything else other than HTTP).

            --
            const int one = 65536; (Silvermoon, Texture.cs)
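To make the thread above concrete, here is an added example of the "block everything until the tunnel is up" approach mojo chan describes, including the narrow captive-portal exception wantkitteh asks about. This is editor-written code, not from the Ars article, from this thread, or from Mullvad's or any other vendor's client. It assumes Linux with nftables, a Wi-Fi interface named wlan0, a tunnel interface named wg0, and placeholder addresses 203.0.113.10 (the VPN endpoint, udp/51820) and 198.51.100.7 (a portal login host); all of these are illustrative values, not real services. The generator only prints a ruleset, so it can be reviewed and tested without root; loading it is a separate step.

```shell
#!/bin/sh
# Added example (not from the page, and not any VPN vendor's client code):
# an nftables "kill switch" that closes the window between Wi-Fi association
# and VPN establishment that the Ars excerpt describes. With this ruleset
# loaded, nothing may leave the physical interface except DHCP and the VPN
# handshake to one known endpoint. Only while you are logging in to a captive
# portal is DNS plus HTTP(S) to that single portal host permitted as well.
# Everything else (auto-checking POP3/IMAP, IM logins, ...) is dropped until
# it can go through the tunnel interface instead of the Wi-Fi interface.
#
# Assumptions (placeholders, not real infrastructure): Linux with nftables,
# Wi-Fi interface wlan0, tunnel interface wg0, VPN endpoint 203.0.113.10 on
# udp/51820 (WireGuard-style). For OpenVPN over TCP you would pass "tcp 443".
# IPv4 only: in the inet family "ip daddr" matches IPv4, so IPv6 simply stays
# blocked, which is the safe default when the endpoint is an IPv4 address.

# gen_killswitch WIFI_IF TUN_IF VPN_HOST VPN_PROTO VPN_PORT [PORTAL_HOST]
# Prints the ruleset to stdout so it can be reviewed, checked with
# "nft -c -f -", or loaded with "nft -f -".
gen_killswitch() {
    wifi_if=$1 tun_if=$2 vpn_host=$3 vpn_proto=$4 vpn_port=$5 portal_host=$6
    cat <<EOF
# (re)create the table and start from an empty rule set so re-running is safe
table inet killswitch
flush table inet killswitch
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "$tun_if" accept
        # DHCP offers/acks are broadcast and may not match a conntrack entry
        iifname "$wifi_if" udp sport 67 udp dport 68 accept
        # replies to the few outbound flows permitted in the output chain
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        oifname "$wifi_if" udp sport 68 udp dport 67 accept
        oifname "$wifi_if" ip daddr $vpn_host $vpn_proto dport $vpn_port accept
EOF
    if [ -n "$portal_host" ]; then
        cat <<EOF
        # captive-portal window: deliberately narrow, but still visible to the AP
        oifname "$wifi_if" udp dport 53 accept
        oifname "$wifi_if" ip daddr $portal_host tcp dport { 80, 443 } accept
EOF
    fi
    cat <<EOF
        # everything else is dropped; the counter lets "nft list ruleset"
        # show how many auto-connect attempts were stopped in the gap
        counter drop
    }
}
EOF
}

# Check the generated ruleset, then load it (requires root). Run it BEFORE
# associating with the Wi-Fi; it is a no-op on the tunnel interface itself.
killswitch_apply() {
    rules=$(gen_killswitch "$@") || return 1
    printf '%s\n' "$rules" | nft -c -f - && printf '%s\n' "$rules" | nft -f -
}

# Remove the kill switch entirely (requires root).
killswitch_remove() {
    nft delete table inet killswitch
}
```

Typical sequence at a cafe, using the placeholder values: `killswitch_apply wlan0 wg0 203.0.113.10 udp 51820` before joining the network, then, if a portal appears, `killswitch_apply wlan0 wg0 203.0.113.10 udp 51820 198.51.100.7` for the login only, then the first command again to close the window. The portal host has to be identified by other means (the redirect target shown by the browser or the OS connectivity check), and during that window the access point can still see DNS queries and the portal connection; the point is that this exposure is limited to one host on two ports rather than every client that auto-connects, which is exactly the exposure the story is about. As mojo chan notes, none of this helps when the network itself blocks the VPN protocol after the portal login.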