Another story from Ars Technica:
By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.
Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.
It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.
But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.
In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging clients, may try to log on.
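To make the exposure concrete, here is an added example (not part of the Ars Technica story) of what someone sniffing the same open Wi-Fi can pull out of a mail client's traffic during that pre-VPN window. It is a passive scanner over reassembled client-to-server TCP payloads; the captured streams, account names and passwords are constructed sample data, the protocol is inferred from the destination port as an assumption, and the function names are my own. It stops reading a stream once it sees STARTTLS/STLS, because from that point the bytes are encrypted and nothing is recoverable.

```python
"""Passive detector for mail credentials sent in the clear.

Added example, not code from the Ars Technica story. The "streams" below are
constructed samples of what a sniffer would reassemble per TCP connection on
open Wi-Fi; the protocol is inferred from the destination port (assumption).
"""
import base64
import shlex
from dataclasses import dataclass


@dataclass
class Leak:
    proto: str
    username: str
    password: str


def decode_plain(b64: str):
    """Decode a SASL PLAIN blob: [authzid] NUL authcid NUL password."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return parts[1].decode(errors="replace"), parts[2].decode(errors="replace")


def scan_pop3(lines):
    """Yield credentials from a POP3 session: USER/PASS or AUTH PLAIN."""
    user = None
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STLS":      # everything after this is TLS, stop reading
            break
        if verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None:
            yield Leak("POP3", user, arg)
            user = None
        elif verb == "AUTH" and arg.upper().startswith("PLAIN "):
            creds = decode_plain(arg.split(" ", 1)[1])
            if creds:
                yield Leak("POP3", *creds)


def scan_imap(lines):
    """Yield credentials from an IMAP session: tagged LOGIN or AUTHENTICATE PLAIN."""
    pending_plain = False       # next line is the base64 PLAIN response
    for line in lines:
        if pending_plain:
            pending_plain = False
            creds = decode_plain(line.strip())
            if creds:
                yield Leak("IMAP", *creds)
            continue
        parts = line.split(" ", 2)          # tag, command, rest
        if len(parts) < 2:
            continue
        cmd = parts[1].upper()
        args = parts[2] if len(parts) > 2 else ""
        if cmd == "STARTTLS":   # bytes after this are encrypted, stop reading
            break
        if cmd == "LOGIN":
            try:
                toks = shlex.split(args)    # handles IMAP quoted strings
            except ValueError:
                continue
            if len(toks) >= 2:
                yield Leak("IMAP", toks[0], toks[1])
        elif cmd == "AUTHENTICATE":
            mech, _, initial = args.partition(" ")
            if mech.upper() == "PLAIN":
                if initial:                 # SASL-IR: response on the same line
                    creds = decode_plain(initial)
                    if creds:
                        yield Leak("IMAP", *creds)
                else:
                    pending_plain = True


def find_leaks(streams):
    """streams: list of (dst_port, client_payload). Returns every Leak found."""
    leaks = []
    for port, payload in streams:
        lines = [ln for ln in payload.split("\r\n") if ln]
        if port == 110:
            leaks.extend(scan_pop3(lines))
        elif port == 143:
            leaks.extend(scan_imap(lines))
        # 993/995 are TLS from the first byte: nothing readable on the wire
    return leaks


# Constructed sample capture (not real traffic): one POP3 poll, two IMAP
# logins, one IMAP session that upgrades to TLS, and one IMAPS session.
SAMPLE_STREAMS = [
    (110, "USER alice@example.test\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"),
    (143, 'a001 LOGIN "bob@example.test" "s3cret pass"\r\na002 SELECT INBOX\r\n'),
    (143, "a001 STARTTLS\r\n\x16\x03\x03\x00..."),          # TLS record follows
    (143, "a001 AUTHENTICATE PLAIN\r\n"
          + base64.b64encode(b"\0dave@example.test\0pa55w0rd").decode() + "\r\n"),
    (993, "\x16\x03\x01\x00..."),                            # IMAPS, opaque
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_STREAMS):
        print(f"{leak.proto}: {leak.username} / {leak.password}")
```

Only the streams that never negotiate TLS give anything up: the STARTTLS and IMAPS sessions yield nothing. The practical lesson for the connect-time gap is the same on both ends: configure mail clients to refuse non-TLS connections (993/995, or require STARTTLS), and use a VPN client with a kill switch that blocks all traffic except the tunnel endpoint and the captive portal until the tunnel is up.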
(Score: 2) by MichaelDavidCrawford on Tuesday June 16 2015, @10:50AM
Lately I find that Wi-Fi hotspot access points don't permit their client devices to communicate with each other. That prevents me from connecting to my iPhone from my MacBook Pro. If you jailbreak your iDevice, you can use Theos to write iOS apps without dealing with the reanimated undead corpse of Steve Jobs, but that no longer works at Starbucks.
While I can see how that would prevent me from mounting the windows shares of my fellow cafe patrons, it's not like any of their packets are actually encrypted, it's just that the access point doesn't route the client packets to each other.
That is, I expect I could still sniff their packets with Wireshark or so, I just couldn't get a TCP connection.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Tuesday June 16 2015, @12:00PM
Is it possible to configure your MacBook to act as a (WPA) access point to which you then can directly connect with your iPhone? That way you'd not need to rely on any external network at all for this.
(Score: 2) by MichaelDavidCrawford on Tuesday June 16 2015, @12:08PM
Yes, I forgot to mention: that's called an "Ad Hoc Network" and works just fine.