Public wifi security protocols

Question

I should apologize first- this post could seem a lot to ask for, but I am starting to go around in circles. I am interested in securing my laptop for when I use public wireless hotspots, as I am a business traveler and frequent airports a lot. I have to do a large amount of online banking, visiting secure https websites.

What steps can I take to secure my connection from my actual laptop? I have researched the following terms, but it's all starting to become a bit hazy:

• WPA2, this works at the hardware level, but if the hotspot network doesn't provide it then I cannot choose to use it, WPA or WEP.

• VPN This would allow me to make a tunnel from my machine to a VPN server (or proxy server?) on the internet, tunnel my traffic through without being read.

• IPSec is this used to create a VPN?? I understand it works at the machine level, rather than application level (like SSL) so does this make it less secure? I presume only less secure from rootkits?

• SSL is this used to create a VPN?? I also assume this is what implements "https"

• TLS is this used to create a VPN?? I also assume this is what implements "https". I think I saw somewhere that TLS is the successor to SSL?

• SSH, yet again, is this used to create a VPN?

• DNSSEC part of my operating system (say on windows 7 or server 2008) which can help prevent DNS caching attacks?

So if I created a VPN, rented out a VPN server/proxy server outside the internet, used my VPN tunnelling (by which of the above protocols?) to connect to my VPN server and put my internet traffic through the public wifi, via this server, instead of the normal access point, I could get secure access? I think I also read you can create the VPN authentication using EAP, but a more recent upgrade to EAP, like EAP-TLS (is that the same as TLS referred to above??).

Have I missed anything out?

Answer 1

WPA2, this works at hardware level, but if the hotspot network doesn't provide it then I cannot choose to use it, WPA or WEP.

WPA2 is better encryption than WEP. WEP is trivial to crack -- not much more work than solving the "encryption" puzzle in the Sunday paper.

VPN This would allow me to make a tunnel from my machine to a VPN server (or proxy server?) on the internet, tunnel my traffic through without being read.

Yes.

IPSec is this used to create a VPN?? I understand it works at the machine level, rather than application level (like SSL) so does this make it less secure? I presume only less secure from rootkits?

IPsec could be used to create a VPN, but it's just one option.

SSL is this used to create a VPN?? I also assume this is what implements "https"

SSL could be used to create a VPN, but it's just one option.

TLS is this used to create a VPN?? I also assume this is what implements "https". I think I saw somewhere that TLS is the successor to SSL?

This is correct -- you can think of TLS as a "new and improved" SSL.

SSH, yet again, is this used to create a VPN?

SSH could be used to create a VPN, but it's just one option.

DNSSEC part of my operating system (say on windows 7 or server 2008) which can help prevent DNS caching attacks?

DNSSEC would help protect you from DNS attacks, but a lack of widespread deployment limits its usefulness.

---

So if I created a VPN, rented out a VPN server/proxy server outside the internet, used my vpn tunnelling (by which of the above protocols?) to connect to my vpn server and put my internet traffic through the public wifi, via this server, instead of the normal access point, I could get secure access?

In my opinion, the easiest way to solve your problem would be to rent a VPS and run only an SSH server there. Connect to the server via SSH from your laptop then run a SOCKS 5 proxy over the SSH tunnel. After purchasing your wifi access, switch your browser's proxy to the local end of the tunnel, and your web traffic will be encrypted between your laptop and the VPS. (Keep in mind that if you are visiting http (not https), your traffic won't be encrypted after it leaves your VPS, but at the very least it's not sniffable on your local wifi.)

There may be "canned" services out there that offer this setup for people like you. (A quick search reveals, for example, Guardster -- though for $20/month you could get a VPS at Linode with 200GB of transfer and 20GB of storage.)

Answer 2

I think you're looking in the wrong direction. There are two aspects to consider: the security of your laptop, and the security of your connections.

For the security of your connections, what matters is that you are using SSL (or TLS — treat it as a synonym of SSL) with a correct certificate. An HTTPS connection means HTTP (the usual web protocol) over SSL. SSL provides end-to-end confidentiality and integrity protection, so it doesn't matter whether you are browsing from a “secure” network or from a public wifi hotspot.

What does “correct certificate” mean? A certificate is a website's “identity card”, providing a cryptographic means for your browser to verify that the website is who it claims to be. If the certificate verification didn't happen, you would have no way to know whether the SSL connection was going to the legitimate website or to a man-in-the-middle. In a good first approximation, you need to check three things to know that you have a secure connection to the desired website:

• The URL must begin with https://, and browsers will typically show a padlock icon next to the URL.
• If you see any scary warning, the connection is not secure. (A scary warning could be due to server misconfiguration too, and this is unfortunately more common than it should be. But if you see a scary warning when attempting to connect to your bank, I don't advise bypassing the warning.)
• You must be connecting to the right URL in the first place. This means you should always connect to your bank from a bookmark, not by typing the URL (risk of typo) and never ever by clicking in an email or web link that you're not 200% sure comes from the bank (42nd National Bank is probably not a legitimate site).

A VPN doesn't add much security over an HTTPS connection. A VPN protects the connection from your laptop to the VPN endpoint, which includes the point at which attacks are most likely (the local network where your laptop is plugged into or the wifi hotspot that it's connected to), but HTTPS provides end-to-end confidentiality and integrity anyway. VPNs have their uses, but they're esentially irrelevant for web banking:

• An enterprise VPN connects your laptop to your enterprise network. The main point is to make securing the enterprise network a lot easier: anyone trying to connect to a server on the enterprise network must have passed some form of authentication already, either physically on the premises or logically by possessing the VPN key/password.
• A VPN can provide a bit of privacy at the location where your laptop is connecting from: anyone snooping there will only see your VPN traffic as a whole, instead of individual connections which are undecipherable (if using SSL correctly) but whose endpoint is clearly identified.
• A VPN can let you connect to sites that are blocked by an enterprise, ISP or government firewall, as long as those sites are visible from the VPN endpoint.

As far as securing a connection from your laptop is concerned, WEP and WPA(2) are completely irrelevant. They are technologies for securing a wifi access point; a laptop connecting to that access point doesn't benefit from them in any useful fashion.

IPsec, SSL/TLS, SSH can be technologies underlying a secure connection such as a VPN, but they're not really relevant at your level. They compete on ease of set up, possibility of piercing through firewalls, performance, but not on security.

DNSSEC today isn't widely deployed. Until then, assume that DNS is insecure, and rely on SSL to tell you whether you're connecting to the right site. Connection hijacking could happen at the IP level anyway.

Finally, none of these are relevant to securing your computer against external or internal attacks. For external attacks tried by someone on the local network, what matters is not what protocols you actively use but what protocols you have open on your machine. The defense is not to run services that you don't use, to have sane firewall settings (most laptops don't need to accept any form of incoming connection) and to keep your operating system and applications up to date. The biggest attack vector nowadays is through content that you have retrieved, e.g. a web page that attempts to exploit a bug in your web browser. The defense against these is not to download risky files such as executable, to avoid browsing dodgy sites or clicking on links in suspicious emails, and to keep your operating system and applications up to date.

Answer 3

I respectfully disagree with 'Gilles' on the point about how HTTPS is more secured than a VPN and how a VPN is irrelevant for web banking.

HTTPS provides end-to-end confidentiality and integrity anyway. VPNs have their uses, but they're esentially irrelevant for web banking

Here are some news articles of how peoples' user accounts are regularly hacked and compromised on bank sites that use the best HTTPS connections in the industry - http://bit.ly/zGWYS4

In most of these cases, the accounts were compromised while on a https connection. A simple google search can return tools that anyone can use to dabble in wifi hacks and attacks.

SSL and HTTPS are essentially broken. Anyone can get an SSL issued for their site, with any information on it - that doesn't necessarily mean that the site is secured or that it has any systems/mechanisms of protecting user data installed.

VPN's have come a long way over the past decade. Today, they can encrypt every data packet going in and out of your laptop, including IM's, emails, web browsing, system applications and programs that access the internet etc. They can also scrub all your web activity for viruses, phishing attacks, spam, loggers and spoofs before sending the packets back to your machine.

Big corps have the money and resources to deploy the best VPN systems for their employees; tech-geeks and hackers have also had the ability to use proxy servers for a long time now as well. The end-users/end-consumers haven't had a simple, secured, easy-to-use online security or personal VPN product until very recently. Once you have a VPN, you do not need to worry about whether the sites you are visiting are secured or not. ALL your online activity and connections are secured by-default.

A VPN can make you invisible on any wifi network anywhere in the world - you can choose to connect to any server in the VPN provider's network - bypassing a local/company/country firewall, access geo-location specific sites such as Netflix, Skype while travelling outside the US.

Today there are three legs or aspects of protecting yourself and your data - an Anti-Virus and/or Firewall, your Backup solution and a VPN.

Some highly recommended personal vpn providers today are: Private WiFi, SurfBouncer, WiTopia and BlackLogic. I have tried 3 of them and Private WiFi is by far the most stable and easiest to setup. They also have 24x7 live US based customer support. I travel a lot for business as well and that's precisely why I got it.

Hope that helps.