12

I should apologize first: this post could seem a lot to ask for, but I am starting to go around in circles. I am interested in securing my laptop for when I use public wireless hotspots, as I am a business traveler and frequent airports a lot. I have to do a large amount of online banking, visiting secure https websites.

What steps can I take to secure my connection from my actual laptop? I have researched the following terms, but it's all starting to become a bit hazy:

  • WPA2: this works at the hardware level, but if the hotspot network doesn't provide it then I cannot choose to use it, WPA or WEP.

  • VPN: This would allow me to make a tunnel from my machine to a VPN server (or proxy server?) on the internet, tunnel my traffic through without being read.

  • IPSec: is this used to create a VPN?? I understand it works at the machine level, rather than application level (like SSL) so does this make it less secure? I presume only less secure from rootkits?

  • SSL: is this used to create a VPN?? I also assume this is what implements "https"

  • TLS: is this used to create a VPN?? I also assume this is what implements "https". I think I saw somewhere that TLS is the successor to SSL?

  • SSH: yet again, is this used to create a VPN?

  • DNSSEC: part of my operating system (say on windows 7 or server 2008) which can help prevent DNS caching attacks?

So if I created a VPN, rented out a VPN server/proxy server outside the internet, used my VPN tunnelling (by which of the above protocols?) to connect to my VPN server and put my internet traffic through the public wifi, via this server, instead of the normal access point, I could get secure access? I think I also read you can create the VPN authentication using EAP, but a more recent upgrade to EAP, like EAP-TLS (is that the same as TLS referred to above??).

Have I missed anything out?

Kindle Q
Paul

3 Answers

7

> WPA2, this works at hardware level, but if the hotspot network doesn't provide it then I cannot choose to use it, WPA or WEP.

WPA2 is better encryption than WEP. WEP is trivial to crack -- not much more work than solving the "encryption" puzzle in the Sunday paper.

> VPN This would allow me to make a tunnel from my machine to a VPN server (or proxy server?) on the internet, tunnel my traffic through without being read.

Yes.

> IPSec is this used to create a VPN?? I understand it works at the machine level, rather than application level (like SSL) so does this make it less secure? I presume only less secure from rootkits?

IPsec could be used to create a VPN, but it's just one option.

> SSL is this used to create a VPN?? I also assume this is what implements "https"

SSL could be used to create a VPN, but it's just one option.

> TLS is this used to create a VPN?? I also assume this is what implements "https". I think I saw somewhere that TLS is the successor to SSL?

This is correct -- you can think of TLS as a "new and improved" SSL.

> SSH, yet again, is this used to create a VPN?

SSH could be used to create a VPN, but it's just one option.

> DNSSEC part of my operating system (say on windows 7 or server 2008) which can help prevent DNS caching attacks?

DNSSEC would help protect you from DNS attacks, but a lack of widespread deployment limits its usefulness.


> So if I created a VPN, rented out a VPN server/proxy server outside the internet, used my vpn tunnelling (by which of the above protocols?) to connect to my vpn server and put my internet traffic through the public wifi, via this server, instead of the normal access point, I could get secure access?

In my opinion, the easiest way to solve your problem would be to rent a VPS and run only an SSH server there. Connect to the server via SSH from your laptop then run a SOCKS 5 proxy over the SSH tunnel. After purchasing your wifi access, switch your browser's proxy to the local end of the tunnel, and your web traffic will be encrypted between your laptop and the VPS. (Keep in mind that if you are visiting http (not https), your traffic won't be encrypted after it leaves your VPS, but at the very least it's not sniffable on your local wifi.)

There may be "canned" services out there that offer this setup for people like you. (A quick search reveals, for example, Guardster -- though for $20/month you could get a VPS at Linode with 200GB of transfer and 20GB of storage.)

bstpierre
  • Thank you for your replies; I really appreciate them. I understand that TLS and SSH are quite vulnerable at the beginning of the authentication process because of the higher level layer at which they encrypt? So if you were to begin authentication, the first packet could be intercepted across the wifi and an attacker could pretend to be the server I thought I was authenticating to? This isn't possible on IPSec because the encryption is done at a lower level? – Paul Dec 26 '11 at 00:42
  • @Jason: What you're talking about is called a man-in-the-middle ("MITM") attack. I'm not sure if IPsec is less vulnerable to MITM than SSL, but you might find it instructive to read about SSL in [this question](http://security.stackexchange.com/a/21/2980) -- I think the answers by AviD and Tronic are instructive. For SSH, if an attacker pretends to be your VPS, you will get a message from your SSH client telling you that the attacker's key does not match your server's key -- i.e. you will be aware of the attack and you can drop the connection before sending any confidential data. – bstpierre Dec 26 '11 at 01:31
  • WPA / WEP / etc. are totally irrelevant if you don't trust the people controlling the access point. Besides, most encrypted public WiFi setups will use WPA2-PSK (i.e. there's one shared "wifi password" for the network), and [due to a design flaw, it doesn't protect users from each other, even though it tries to by generating separate session keys for each station](http://security.stackexchange.com/a/143274/66337). – Peter Cordes Nov 23 '16 at 09:10
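
The SSH SOCKS 5 tunnel from bstpierre's answer, combined with the host-key check he describes in his comment, as an added example that is not part of the original thread. `VPS_USER`, `VPS_HOST` and `SOCKS_PORT` are placeholder assumptions, and `https://example.com/` is only a test URL.

```shell
#!/bin/sh
# Added example: SSH dynamic (SOCKS5) forward to a rented VPS.
# VPS_USER, VPS_HOST and SOCKS_PORT are placeholders, not values from the thread.
VPS_USER="${VPS_USER:-traveler}"
VPS_HOST="${VPS_HOST:-vps.example.net}"
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Print the ssh arguments, one per line.
#   -N                        no remote shell, forwarding only
#   -D 127.0.0.1:PORT         SOCKS listener bound to loopback, so other
#                             hotspot users cannot use the laptop as a proxy
#   StrictHostKeyChecking=yes refuse unknown or changed host keys instead of
#                             prompting; a spoofed VPS makes ssh exit
#   ExitOnForwardFailure=yes  fail if the local port cannot be bound
tunnel_opts() {
    printf '%s\n' \
        "-N" \
        "-D" "127.0.0.1:${SOCKS_PORT}" \
        "-o" "StrictHostKeyChecking=yes" \
        "-o" "ExitOnForwardFailure=yes" \
        "-o" "ServerAliveInterval=30" \
        "${VPS_USER}@${VPS_HOST}"
}

# Open the tunnel (blocks until interrupted). Word splitting is intended.
start_tunnel() {
    # shellcheck disable=SC2046
    ssh $(tunnel_opts)
}

# Fetch a page through the tunnel. --socks5-hostname makes curl send the
# host name to the proxy, so DNS lookups also leave from the VPS rather
# than from the hotspot's resolver.
check_tunnel() {
    curl --silent --show-error --output /dev/null \
        --write-out '%{http_code}\n' \
        --socks5-hostname "127.0.0.1:${SOCKS_PORT}" https://example.com/
}

case "${1:-}" in
    start) start_tunnel ;;
    check) check_tunnel ;;
    "")    : ;;  # no argument: only define the functions
    *)     echo "usage: $0 start|check" >&2 ;;
esac
```

With `StrictHostKeyChecking=yes` the VPS key must already be in `known_hosts`, so connect once from a trusted network and compare the fingerprint with the one shown on the VPS console. The browser also needs its own "proxy DNS over SOCKS" setting enabled, otherwise host names are still resolved on the hotspot.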
5

I think you're looking in the wrong direction. There are two aspects to consider: the security of your laptop, and the security of your connections.

For the security of your connections, what matters is that you are using SSL (or TLS — treat it as a synonym of SSL) with a correct certificate. An HTTPS connection means HTTP (the usual web protocol) over SSL. SSL provides end-to-end confidentiality and integrity protection, so it doesn't matter whether you are browsing from a “secure” network or from a public wifi hotspot.

What does “correct certificate” mean? A certificate is a website's “identity card”, providing a cryptographic means for your browser to verify that the website is who it claims to be. If the certificate verification didn't happen, you would have no way to know whether the SSL connection was going to the legitimate website or to a man-in-the-middle. In a good first approximation, you need to check three things to know that you have a secure connection to the desired website:

  • The URL must begin with https://, and browsers will typically show a padlock icon next to the URL.
  • If you see any scary warning, the connection is not secure. (A scary warning could be due to server misconfiguration too, and this is unfortunately more common than it should be. But if you see a scary warning when attempting to connect to your bank, I don't advise bypassing the warning.)
  • You must be connecting to the right URL in the first place. This means you should always connect to your bank from a bookmark, not by typing the URL (risk of typo) and never ever by clicking in an email or web link that you're not 200% sure comes from the bank (42nd National Bank is probably not a legitimate site).

A VPN doesn't add much security over an HTTPS connection. A VPN protects the connection from your laptop to the VPN endpoint, which includes the point at which attacks are most likely (the local network where your laptop is plugged into or the wifi hotspot that it's connected to), but HTTPS provides end-to-end confidentiality and integrity anyway. VPNs have their uses, but they're essentially irrelevant for web banking:

  • An enterprise VPN connects your laptop to your enterprise network. The main point is to make securing the enterprise network a lot easier: anyone trying to connect to a server on the enterprise network must have passed some form of authentication already, either physically on the premises or logically by possessing the VPN key/password.
  • A VPN can provide a bit of privacy at the location where your laptop is connecting from: anyone snooping there will only see your VPN traffic as a whole, instead of individual connections which are undecipherable (if using SSL correctly) but whose endpoint is clearly identified.
  • A VPN can let you connect to sites that are blocked by an enterprise, ISP or government firewall, as long as those sites are visible from the VPN endpoint.

As far as securing a connection from your laptop is concerned, WEP and WPA(2) are completely irrelevant. They are technologies for securing a wifi access point; a laptop connecting to that access point doesn't benefit from them in any useful fashion.

IPsec, SSL/TLS, SSH can be technologies underlying a secure connection such as a VPN, but they're not really relevant at your level. They compete on ease of set up, possibility of piercing through firewalls, performance, but not on security.

DNSSEC today isn't widely deployed. Until then, assume that DNS is insecure, and rely on SSL to tell you whether you're connecting to the right site. Connection hijacking could happen at the IP level anyway.

Finally, none of these are relevant to securing your computer against external or internal attacks. For external attacks tried by someone on the local network, what matters is not what protocols you actively use but what protocols you have open on your machine. The defense is not to run services that you don't use, to have sane firewall settings (most laptops don't need to accept any form of incoming connection) and to keep your operating system and applications up to date. The biggest attack vector nowadays is through content that you have retrieved, e.g. a web page that attempts to exploit a bug in your web browser. The defense against these is not to download risky files such as executables, to avoid browsing dodgy sites or clicking on links in suspicious emails, and to keep your operating system and applications up to date.

Gilles 'SO- stop being evil'
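
One way to check "what protocols you have open on your machine", as discussed in the answer above: an added example, not part of the original answer, that assumes a Linux laptop with the iproute2 `ss` tool and uses constructed sample output.

```shell
#!/bin/sh
# Added example: list TCP listeners reachable from the local network.
# Assumes a Linux laptop with iproute2 `ss`; the sample below is constructed.

# Constructed `ss -tln` output standing in for a real laptop.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096           [::1]:631           [::]:*
LISTEN 0      5                  *:8000             *:*
EOF
}

# Read `ss -tln` output on stdin; print "port address" for every listener
# that is not bound to loopback (127.0.0.0/8 or ::1). These are the sockets
# another hotspot user can reach unless the firewall drops the traffic.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        host = $4; sub(/:[^:]*$/, "", host)   # strip the trailing ":port"
        port = $4; sub(/.*:/, "", port)       # keep text after the last colon
        if (host ~ /^127\./ || host == "[::1]") next
        print port, host
    }'
}

case "${1:-sample}" in
    live)   ss -tln | exposed_listeners ;;          # audit this machine
    sample) sample_ss_output | exposed_listeners ;; # run on the constructed data
esac
```

Each line printed is a candidate for either stopping the service or rebinding it to loopback before joining a public network.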
0

I respectfully disagree with 'Gilles' on the point about how HTTPS is more secured than a VPN and how a VPN is irrelevant for web banking.

> HTTPS provides end-to-end confidentiality and integrity anyway. VPNs have their uses, but they're essentially irrelevant for web banking

Here are some news articles of how people's user accounts are regularly hacked and compromised on bank sites that use the best HTTPS connections in the industry - http://bit.ly/zGWYS4

In most of these cases, the accounts were compromised while on a https connection. A simple Google search can return tools that anyone can use to dabble in wifi hacks and attacks.

SSL and HTTPS are essentially broken. Anyone can get an SSL issued for their site, with any information on it - that doesn't necessarily mean that the site is secured or that it has any systems/mechanisms of protecting user data installed.

VPNs have come a long way over the past decade. Today, they can encrypt every data packet going in and out of your laptop, including IMs, emails, web browsing, system applications and programs that access the internet etc. They can also scrub all your web activity for viruses, phishing attacks, spam, loggers and spoofs before sending the packets back to your machine.

Big corps have the money and resources to deploy the best VPN systems for their employees; tech-geeks and hackers have also had the ability to use proxy servers for a long time now as well. The end-users/end-consumers haven't had a simple, secured, easy-to-use online security or personal VPN product until very recently. Once you have a VPN, you do not need to worry about whether the sites you are visiting are secured or not. ALL your online activity and connections are secured by default.

A VPN can make you invisible on any wifi network anywhere in the world - you can choose to connect to any server in the VPN provider's network - bypassing a local/company/country firewall, access geo-location specific sites such as Netflix, Skype while travelling outside the US.

Today there are three legs or aspects of protecting yourself and your data - an Anti-Virus and/or Firewall, your Backup solution and a VPN.

Some highly recommended personal VPN providers today are: Private WiFi, SurfBouncer, WiTopia and BlackLogic. I have tried 3 of them and Private WiFi is by far the most stable and easiest to set up. They also have 24x7 live US-based customer support. I travel a lot for business as well and that's precisely why I got it.

Hope that helps.

DDEV
  • 1
    Firstly, I believe you're conflating in-transit with at-rest security. Using TLS and|or a VPN would protect information in transit; **if a bank or other organization fails to protect data at rest, it could be stolen _regardless_ of what kind of in-transit security was used.** – Blacklight Shining Oct 18 '15 at 20:22
  • 1
    Secondly, you seem to be claiming that using a VPN will magically secure any traffic anywhere. It won't. **Tunneling via a VPN encrypts traffic between the VPN client and the VPN server only.** Using a VPN won't protect your traffic once it leaves the VPN server bound for your bank's website or whatever. To be really secure, you need end-to-end encryption provided by something like TLS between you and the real endpoint. Gilles explained this in more detail. – Blacklight Shining Oct 18 '15 at 20:24
  • 1
    Thirdly, **VPNs do not make you invisible.** If you tunnel over a VPN, anyone who can get between you and the VPN server can still see that you're talking with that server. They won't (necessarily) be able to figure out what you're _really_ doing (e.g. that you're banking online), but they can still tell that you're doing _something_ (and can employ traffic analysis tactics to try to narrow down what you're doing). – Blacklight Shining Oct 18 '15 at 20:26
  • 2
    Fourthly, while anyone _can_ generate a TLS certificate with any information they like, no sane client software will trust it just because it exists. In general, the certificate would have to be issued by a reputable CA for a client to trust it, and no reputable CA will issue a certificate to someone without first verifying that they own the domains the certificate is for, etc. In short, **no, you cannot get a _valid_ (as in browser-trusted) certificate with any information you like on it.** – Blacklight Shining Oct 18 '15 at 20:32