Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Even with a VPN, Open Wi-Fi Can Expose Information

posted by janrinok on Tuesday June 16 2015, @10:03AM   Printer-friendly
from the nothing-is-perfect dept.

darkfeline writes:

Another story from Ars Technica:

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.

Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.

It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.

But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.

In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging client, may try to log on.

 
This discussion has been archived. No new comments can be posted.
Even with a VPN, Open Wi-Fi Can Expose Information | Log In/Create an Account | Top | 22 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by NCommander on Tuesday June 16 2015, @10:30AM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday June 16 2015, @10:30AM (#196806) Homepage Journal

    The author of this article has no idea how VPNs work if they're seriously going to make this point. VPNs encrypt traffic point-to-point, but does nothing for the last mile; its broadly similar to tor in this regard. If I'm using a VPN, and I want to access my email, AND my email server doesn't support encryption, then the last mile (from the VPN endpoint to the mailserver) will be unencrypted. Furthermore, I'm unaware of any open standard protocol that send login credentials without completing some sort of handshake; at a minimum, the captive portal would have to complete a TCP handshake, then emulate a protocol to successfully capture stuff; it is just not randomly broadcast into the void.

    POP3 and IMAP, assuming you're not using STARTTLS/SSL beforehand, the captive portal would still need to open a port, and listen on port 110/143 and respond to the HELO message that is sent before sending authentication information. XMPP/Jabber requires a complicated series of XML messages to login.

    VPNs are a handy tool, but unless you actually understand the technology, you're going to blow off a foot, and look like an idiot doing so in one fell swoop.

    --
    Still always moving
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Tuesday June 16 2015, @02:31PM

    by Anonymous Coward on Tuesday June 16 2015, @02:31PM (#196867)

    The author of this article has no idea how VPNs work

    It is pretty clear from reading the article that he has an intimate knowledge of how VPNs work. Maybe the title of the article will provide a cluse as to the issue he's addressing? The part about Open Wi-Fi is a pretty good indicator that the threat he is talking about is Wi-Fi sniffing.

    VPNs are a handy tool, but unless you actually understand the technology, you're going to blow off a foot, and look like an idiot doing so in one fell swoop.

    That is a problem with the tool, not the user. After all, the entire point of computers is to make it easier for the user to accomplish their goals. The fact that the only tool available is still brittle and incomplete doesn't make the user an idiot. Imagine if every car worked the same way. If brakes didn't work within the first 5 seconds of acceleration. Would that make drivers idiots too?