
posted by janrinok on Tuesday June 16 2015, @10:03AM
from the nothing-is-perfect dept.

Another story from Ars Technica:

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.

Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.

It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.

But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.

In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging clients, may try to log on.
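Added example (not from the Ars article or from this thread): a Python model of the "kill switch" policy that closes the connect-time window described above. Until the tunnel is up, only DHCP, DNS to the gateway, the captive portal on the hotspot's own LAN and the VPN handshake are let out of the Wi-Fi interface; the LAN, gateway, VPN endpoint and interface names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed local facts for this example: the hotspot's LAN and gateway, an
# assumed VPN endpoint (documentation-range address), and the tunnel interface.
LAN = ip_network("192.168.1.0/24")
GATEWAY = ip_address("192.168.1.1")
VPN_SERVER, VPN_PORT = ip_address("203.0.113.10"), 1194   # assumed OpenVPN-style UDP endpoint
VPN_IFACE = "tun0"

@dataclass(frozen=True)
class Flow:
    iface: str   # egress interface, "wlan0" (raw Wi-Fi) or "tun0" (inside the VPN)
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP address
    dport: int   # destination port

def verdict(flow: Flow) -> tuple[bool, str]:
    """(allowed, reason) for one outbound flow under the kill-switch policy."""
    dst = ip_address(flow.dst)
    if flow.iface == VPN_IFACE:                          # 1. already inside the tunnel
        return True, "inside VPN tunnel"
    if flow.proto == "udp" and flow.dport in (67, 68):   # 2. DHCP to get an address
        return True, "dhcp"
    if flow.dport == 53 and dst == GATEWAY:              # 3. DNS, but only via the gateway
        return True, "dns to gateway"
    if flow.proto == "tcp" and flow.dport in (80, 443) and dst in LAN:
        return True, "captive portal on LAN"             # 4. the portal/TOS page itself
    if flow.proto == "udp" and dst == VPN_SERVER and flow.dport == VPN_PORT:
        return True, "vpn handshake"                     # 5. bringing the tunnel up
    return False, "dropped: would leave Wi-Fi in the clear"   # 6. everything else

def leaks(flows):
    """Return the flows that would have gone out unprotected and are therefore dropped."""
    return [f for f in flows if not verdict(f)[0]]

# Constructed sample of what a laptop may attempt during the captive-portal window.
SAMPLE = [
    Flow("wlan0", "udp", "255.255.255.255", 67),  # DHCP discover
    Flow("wlan0", "udp", "192.168.1.1", 53),       # resolve portal / VPN hostname
    Flow("wlan0", "tcp", "192.168.1.1", 80),       # captive portal page
    Flow("wlan0", "tcp", "198.51.100.5", 143),     # IMAP auto-check, credentials in clear
    Flow("wlan0", "tcp", "198.51.100.7", 5222),    # IM client auto-login
    Flow("wlan0", "udp", "203.0.113.10", 1194),    # VPN handshake
    Flow("tun0", "tcp", "198.51.100.5", 143),      # same IMAP check once the VPN is up
]
if __name__ == "__main__":
    for f in SAMPLE:
        print(f.iface, f.proto, f.dst, f.dport, "->", verdict(f)[1])
```

The same six rules map directly onto an nftables or iptables output chain; the model only makes the decision visible per flow.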

  • (Score: 4, Informative) by Justin Case (4239) on Tuesday June 16 2015, @11:06AM (#196810)


    The cure for ignorance is knowledge, not magic bullets.

    > By now, any sentient IT person knows the perils of open Wi-Fi.

    Yes, but I guess this wasn't written by a sentient IT person, because:

    > Those free connections in cafes and hotels don't encrypt network traffic

    NO connections encrypt your traffic. That's up to you.

    > others on the network can read your traffic and possibly hijack your sessions

    Yeah, and this has nothing to do with open Wi-Fi. They can, and routinely do, attack wired connections too. You've been told since your first training-wheels tour of the Internet that without https, all bets are off.

    > Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging client, may try to log on.

    And if any of those are sending ID/password over a connection that is not encrypted (e.g. https) you've already decided you don't care who sees your junk. Again, wireless and VPN don't bear on the situation here.

    > In this period before your VPN takes over, what might be exposed depends on what software you run. ... If they check automatically

    Your computer should be obeying your instructions. Not racing off to do its own thing without your permission. Letting children play unsupervised on the superhighway is begging for trouble.

    > Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL

    Wrong. SSL encrypts the URL. Perhaps you meant the DNS hostname. Well I'm sorry Mr. Sentient IT Person but a hostname is not a URL despite the efforts of browser makers to confuse you into that false belief by dumbing down the interface and hiding how things work. I guess they fooled you too, along with all the non-sentient non-IT people out there.

  • (Score: 1, Informative) by Anonymous Coward on Tuesday June 16 2015, @12:39PM (#196830)


    > NO connections encrypt your traffic. That's up to you.

    Uptight nerd completely misses point in rush to demonstrate his own superiority.

    The article is talking about WEP/WPA/etc versus in the clear. In other words encrypted over the air.

    There is a solution for this problem, it is called EAP-UNAUTH-TLS or more colloquially Open Secure Wireless. [riosec.com]

    • (Score: 2) by frojack (1554) on Wednesday June 17 2015, @07:17AM (#197179)


      > There is a solution for this problem, it is called EAP-UNAUTH-TLS or more colloquially Open Secure Wireless.

      Which is available .... Exactly Nowhere!

      So how exactly does that count as a solution?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Thursday June 18 2015, @03:28AM (#197663)


        > Which is available .... Exactly Nowhere!

        What is it with the uptight nerds, engaging their mouths before engaging their brains?

        It has been available in the FreeBSD hostapd since 2012. [w1.fi]
        That's the same hostapd that's also in Debian, Red Hat, OpenWRT, DD-WRT, etc.