4

Given the risks of shared wi-fi as stated here, here and here, I would like to ask what are good practices for someone who is always traveling.

While having your own wi-fi with a strong WPA2 password may solve your problem well for your computer at home, if you need to constantly travel to other cities and countries with your laptop then it's no longer a good option.

What would be the best solutions for someone who wants to be independent and secure in his internet connections while on the move?

In one of those links VPN and SOCKS were recommended. If one of those happens to be part of the solution, specific suggestions on how to choose and implement it would be most welcome.

Strapakowsky
  • By the way, is using just any open wi-fi and tunnel everything through a personal trustworthy VPN a sufficient enough solution? Or even then using a third party's wi-fi is a risk, and better have your own connection? – Strapakowsky Dec 29 '12 at 06:30

6 Answers

3

The best way is to simply encrypt your traffic from/to the country. Using a VPN tunnel or an SSH SOCKS5 tunnel are the two most common solutions. They will encrypt the traffic from your laptop to the server, before it reaches the internet. Of course someone could sniff the server's traffic, but it would be out of reach to whatever country you're visiting.

You can get a VPN account from many different providers for a monthly/yearly fee if you don't want to set up a server yourself (which is quite difficult). They will provide step-by-step guides to get you going, and it's really easy to get it installed. Many of them also promise anonymity.

An SSH tunnel requires that you have access to a shell account. You can easily set up an SSH server in your own home. It would encrypt the traffic from your laptop to your home network before it reaches the internet. The traffic will seem as if it came from your home network. This is the simplest solution if you want to do it yourself, and you can specify the applications that should run through your secure tunnel, whereas with a VPN account everything will run through the tunnel.

My own solution is to run all my browsing traffic through an SSH tunnel, and have a portable, slimmed Firefox installation that I use when I want to browse around for fun (YouTube, Reddit, ...).

If you don't use a tunnel, make sure you only log in to websites using secure HTTPS. Never download and run any files using your unsafe connection. Use a safe DNS provider such as OpenDNS or Google DNS to protect yourself from DNS spoofing. Preferably an encrypted DNS provider. I'm not sure if encrypted DNS is very common (but I know that OpenDNS provides it).

Some email providers, such as Gmail, use full HTTPS by default, while others like Yahoo only use HTTPS during the log in. Keep that in mind as well (and enable it if you are using Hotmail because it's not enabled by default).

I could expand indefinitely on this subject. But if your knowledge is slim, just get a monthly VPN account from a safe provider. This is the safest and easiest solution to protect yourself.

If you decide to get a VPN account, I recommend that you do some research before choosing which one. Here is a link to TorrentFreak with a list of VPN providers.

https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

Michael
3

As I'm paranoid, I use a mixed solution, using OpenVPN, SSH and direct connections from my laptop to the Internet.

Three levels: Private = VPN + SSH, Public-pro = Proxy/VPN and Public-pub = direct.

  • I've installed an OpenVPN server at my fixed IP address, at my office, but this VPN opens restricted access to an intranet sub-network, from where I need to satisfy SSH access to reach my own private server.
  • In my intra sub-network, there are some proxy servers (for http, https, ftp, imap, smtp, irc and anonymized http) which can be reached by VPN but with no need of SSH.
  • For every non-pro activity on my laptop, there is an alternative user which doesn't have access to VPN and/or SSH-to-my-server. This user uses his own configuration $HOME and has no access to other things on my laptop.
  • If I'm suspecting bad things, I use a USB Debian Live (in my pocket) to boot my laptop and work in read-only for the whole session.

Note: My intra sub-network is near my DMZ but is not IN my DMZ, nor is it in my local network, but some limited and monitored access exists.

2

It depends on which country you are going to - my model is to harden the laptop itself and treat any internet connection as untrusted (see above answers about SSH and tunnelling).

However, I don't use WiFi - I take a small bag of USB 3G dongles and use them for pretty much anything and will only jump on someone else's WiFi/network if I really have to. Try and ensure you have 3G dongles that are not bound to a network provider (i.e. unlocked) and have more than one of them.

In most countries you can pick up pre-pay anonymous SIM cards for next to nothing and top up accordingly. I find that 3G style connections are not as good in the USA, but most other countries have full connectivity and, especially in the Far East and Europe, can get 1 to 3mbs speeds most of the time.

In some countries it is worth taking extra precautions:

  • Try not to run updates
  • or download software

Huawei dongles just plug and play with Linux in case you were wondering. I use them everyday.

Callum Wilson
1

The general approach is to tunnel your connection through one that you trust. I use an SSH tunnel to my machine at home in the UK when I'm in the Far East.

If you don't have a server at home, you can set one up for free on AWS (they have a free tier, 1 micro node for 1 year, perfect for this sort of thing).

Then it's just a case of running an ssh -D 4444 username@server and configuring your browser to use the proxy on localhost 4444 for everything.

lynks
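An added example, not part of any answer above: with ssh -D 4444 username@server running, this check speaks SOCKS5 to the local listener and sends the destination as a hostname, so the name is resolved at the far end of the tunnel rather than by the untrusted network's DNS (the DNS-spoofing concern raised in the first answer). The function names and the example.org default target are assumptions made for illustration.

```python
import socket
import struct

def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request that carries the hostname itself
    (ATYP 0x03), so no local DNS lookup is needed for the destination."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain), length, name, port
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def check_tunnel(target_host, target_port=443, proxy=("127.0.0.1", 4444), timeout=10.0):
    """Return True if the local SOCKS5 listener accepts a no-auth session and
    reports success (REP 0x00) for a CONNECT to target_host:target_port."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")            # VER=5, one method offered: no auth
        if _recv_exact(s, 2) != b"\x05\x00":  # proxy must select "no auth"
            return False
        s.sendall(socks5_connect_request(target_host, target_port))
        ver, rep, _rsv, _atyp = _recv_exact(s, 4)
        return ver == 5 and rep == 0

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"  # assumed target
    ok = check_tunnel(host)
    print("tunnel OK, name resolved remotely" if ok else "tunnel check FAILED")
```

A browser pointed at the same proxy only gets this DNS protection if it is also set to resolve names through the proxy (in Firefox, the "Proxy DNS when using SOCKS v5" option).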
1

Easy and simple to use:

Get yourself a laptop with wireless WAN capability; SSD laptops are really affordable and do make a difference regarding encryption performance. Use a VPN service from your favorite store, and surf the internet from a read-only virtual machine and kill it when you are done. Some WWAN providers even provide the capability to prepay for your internet access. From that point of view even the transaction itself could be anonymized.

Depending on the context, computers themselves are just tools, and it is important to remember not to attach too much importance to keeping the same material over and over.

happy
  • 2
    Instead of killing the virtual machine, you can take a snapshot and go back to that point at the end of your use. – smttsp Jan 17 '13 at 11:18
0

If you have a new server machine or a cloud computing account (Amazon EC2, Azure, Digital Ocean, Google Cloud, Vultr, Hetzner etc.) you can actually easily set up your own private VPN server for the required number of users in any of the available deployment zones using an open source tool named algo – https://github.com/trailofbits/algo

Aldekein
  • 1
    "easily"? That's a nice set of preconfigured scripts, but that is not for the average user at all. Nearly all of the setup steps require an expert. So, I'm not sure that this adds anything to the accepted answer which simply says "set up a VPN server in the cloud". – schroeder Jan 20 '22 at 10:32