52

There are many open Wi-Fi hotspots scattered around from cafes to airports.

I understand that a non-passworded Wi-Fi leaves traffic unencrypted and therefore available for hackers to read. I also know about a man-in-the-middle attack where the Wi-Fi hotspot is malicious.

I therefore always use a VPN connection to encrypt my traffic while using open Wi-Fi hotspots to avoid these attacks.

But the article "Even with a VPN, open Wi-Fi exposes users" states that even with a VPN connection, an open Wi-Fi hotspot is still insecure. It states:

In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging client, may try to log on.

But at the same time the article feels like a disguised advert concluding with (what feels like) a sales pitch for something called Passpoint which I have never heard of:

The Wi-Fi Alliance has had a solution for this problem nearly in place for years, called Passpoint.

Can an open Wi-Fi hotspot be considered secure when using a VPN connection or should you NEVER use open hotspots?

Peter Mortensen
User1
  • The article isn't saying a VPN is insecure over an open wifi hotspot. It's saying that *before* you've established a VPN connection, any non-secure connections will be out in the open. An outbound firewall configured to block all connections until a VPN tunnel is established could fix this hole. – tangrs Feb 16 '16 at 12:07
  • "What background should I give in my question? Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us: [...]". See our [help/on-topic]. I encourage you to edit your question to clarify: secure for what purpose? Secure is not a yes-or-no, binary question, so it normally doesn't make sense to ask if something is secure without providing enough context to assess the likely threats and what level of protection is needed. – D.W. Feb 17 '16 at 03:08
  • I use SSH to tunnel all my traffic (AWS EC2 server + PuTTY). Do you reckon it's equally safe as VPN? I'd say it is. – The Onin Feb 17 '16 at 06:41
  • So what they're really saying is "If you use a VPN, open wifi is not secure when you're not using a VPN." – barbecue Feb 18 '16 at 14:50
  • The final question is "Can an open Wi-Fi hotspot be considered secure when using a VPN connection" and really the answer is no. The open wifi connection is inherently insecure, and there's no way to make it secure. You can create your own more secure channel by using a VPN, but that security doesn't "rub off" on the wifi connection as a whole and make all other communications secure. – barbecue Feb 18 '16 at 15:23

8 Answers

64

This is actually exactly the type of environment VPNs were designed to work in: when you cannot trust the local network.

If set up properly (i.e. making sure all traffic goes through the VPN and using a secure mutual authentication scheme) it will pretty well protect your connection.

This, however, requires the whole thing to be designed properly.

  1. Obviously, your VPN must be set up so that ALL your communication goes through the encrypted channel, not just the part that is aimed at the internal network behind it (which is sometimes the case with corporate firewalls or if you're using SSH).
  2. Avoid using SSL VPN unless you're using a pinned certificate for the server: you'll want to avoid having to perform PKI validation of the server's host name since it can be rather delicate.
  3. Understand the limitation: you will not be able to "mask" the fact that you're using a VPN, you will not mask the volume and pattern of your exchange (which can be to some extent used to identify the type of service you're using) and your connection will ONLY be secure up to the VPN exit point: everything between that point and the destination server will not be protected by the VPN (although it can also be encrypted on its own).
  4. There is no guarantee against a state actor who would be willing to spend dedicated resources to penetrate your security.
psmears
Stephane
  • I think the point of the article is that to even connect to the open-wifi network, you need to be able to connect a browser to authenticate with the network, accept the TOS, and perhaps register an email address. That means that for at least the browser traffic during this period, you're NOT going through the VPN. If your browser window has a bunch of sites open (or plugins, etc), then that traffic will also not be going through the VPN. – Steve Sether Feb 16 '16 at 15:55
  • Between the time you connect to the wifi and the time you boot up your VPN, you may have data transmitted. What might be exposed during this time will depend on the router's setup. For those with a capture page, some will simply issue a redirect for all HTTP traffic, and drop anything else. Others may pass non-HTTP data. SOHO routers will of course just pass through the traffic. Everything not riding on an encrypted channel is for the taking. The key is to make sure anything that might transmit stuff you don't want available is explicitly turned off until you have the VPN up. – David Baucum Feb 16 '16 at 19:26
  • For pre-VPN connectivity, public/private network settings can help. You can severely restrict access while on "public" or unknown networks. I know Windows usually asks to categorize any new network you connect to. If the computer's firewall was set up right, it should block any outgoing connections on a public network, except the VPN. When the VPN is established, it becomes a private network and the other applications can connect over the private network. – kevingreen Feb 16 '16 at 20:47
  • Not intended as a sales pitch but... I use Mullvad (which wraps OpenVPN). One of the config options allows you to define that all traffic is blocked while the application is open, but the VPN not established. As long as I have the app open, I can connect to any network and be sure no data will leak. Of course, that doesn't guard against stupidity (failing to open the app) but I like to be able to use non-VPN connections for trusted networks without having to reconfigure... – Basic Feb 17 '16 at 23:53
15

The article is correct, and a real threat exists in the initial period before the VPN is set up. It's a chicken and egg problem. The VPN configuration doesn't matter in this case, since to establish the VPN connection in the first place, you must first have an internet connection. Many/Most open internet points require you to register with them by entering in a secret code, or an email address, or merely accept the Terms of Service. This requires a non-VPN connection.

Generally that means having a browser open that talks directly to your local network rather than through the VPN. When started, browsers often bring up the last page they went to, and re-submit any parameters. So if you were to open your browser and it were to open a series of pages you last visited, you could leak information if those sites were http and not https.

Steve Sether
  • An insightful point/answer. But it would be helpful if you also talked a bit about the most effective ways (in your estimation) to deal with mitigating this forced-porthole problem. Using a browser solely for the purpose of interacting with these pre-VPN pages? Carefully limited changes to a VPN-only firewall config? Other means? – mostlyinformed Feb 17 '16 at 00:17
  • Assuming, of course, that to our end user just refraining from using unsecured wifi altogether isn't a palatable option. – mostlyinformed Feb 17 '16 at 00:22
  • Unless you're using very dodgy websites, the browser should not leak any confidential data over HTTP. – user1751825 Feb 17 '16 at 03:35
  • @user1751825 Submitting a URL over http will most definitely leak information. Whether it's "confidential" is a matter of perspective. What if someone caught a politician going to www.gayporn.com/categories/barelylegal/search?bigdicks You can call that "dodgy" if you like, but the point remains. – Steve Sether Feb 17 '16 at 14:57
  • @halfinformed I don't have any good answers to that. Browsers are built to transmit information to websites and rely on the website to provide the security. Relying on users to know all the tricks is just a bad idea. – Steve Sether Feb 17 '16 at 22:19
8

Generally, no, it will not be secure.

It might be mostly secure if the hotspot in question is not a captive portal but truly open WiFi, and your local firewall is configured to drop ALL traffic which is not VPN traffic destined for your VPN server (so no traffic whatsoever can flow between your computer and any computer but the VPN server), and you have connected to your VPN before in a secure environment and have saved and will verify its key (like ssh does, for example) instead of depending on PKI (like HTTPS does by default). And of course if you are not a state-level person-of-interest, as they can do side-channel attacks on both you and your VPN server (and probably crack the VPN anyway or use a backdoor implemented in it) and much other fun stuff. But Joe Random probably won't be able to steal your bank account in this case if your software is not buggy.

However, (at least around here) most such hotspots are captive portals, which means they would not allow use before you at least click on their webpage and accept terms of use and stuff; and that is insecure - not only would you have to make an exception to pass web traffic unencrypted (potentially compromising any windows open in your web browser, profile sync etc), but your browser would also by definition need to render whatever the captive portal (or any attacker spoofing it) throws at it, making you vulnerable to any browser or plugin bug (of which there are neverending streams). This is a much higher risk, especially as airports and such are very sweet targets for such individuals.

But then again, if you surf around random sites on the Internet with javascript and flash enabled, you are already engaged in risky activity, so this might not increase your risk significantly (but then again, it might).

There is no such thing as "secure", only "probably secure enough for this or that purpose".

Matija Nalis
7

Adding to the already excellent answers. To protect your activity on a Wifi hotspot with a VPN there are currently two advised technologies, OpenVPN and IPsec. IPsec takes more time to be configured properly, however it is supported natively by more devices.

IPsec security: Don't stop using IPsec just yet

Always use Perfect Forward Secrecy ("pfs=yes", which is the default in libreswan IPsec) and avoid PreSharedKeys (authby=secret, which is not the default in libreswan IPsec).

It should also be noted that, as the other comments also mention, all the traffic should go through the VPN. Or, to employ the technical term, the VPN should not be configured as permitting split tunnelling.

Split tunneling

Split tunneling is a computer networking concept which allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections.

In the same vein, it is rather important that the VPN also answers DNS requests. To prevent clients that have hardcoded DNS servers, whether intentionally or through other problems (including malware), from bypassing it, the VPN should intercept DNS requests and direct them to the VPN itself (or a DNS server trusted by the VPN).

# On the VPN server: rewrite any DNS query from the VPN client range that is not
# already aimed at the VPN's own resolver, so a hardcoded resolver cannot bypass it.
iptables -t nat -A PREROUTING -p udp --dport 53 -s VPN_NETWORK/24 ! -d VPN_DNS -j DNAT --to-destination VPN_DNS:53
iptables -t nat -A PREROUTING -p tcp --dport 53 -s VPN_NETWORK/24 ! -d VPN_DNS -j DNAT --to-destination VPN_DNS:53

The client machine itself has to be fairly secure, both in being kept up to date and in using a firewall to withstand direct attacks.

As for the several comments about the perils of the time before the VPN is up, OS X and iOS have profiles where you can define on-demand VPN, i.e. a packet does not leave the machine without the VPN going up.

Rui F Ribeiro
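A client-side counterpart to the points above (Stephane's item 1, the kill-switch comments by tangrs, kevingreen and Basic, and Rui's point that DNS must also stay inside the tunnel), as an added example that is not from any answer on this page: a small POSIX shell script that prints iptables OUTPUT rules allowing only DHCP and the VPN handshake on the Wi-Fi interface, forcing DNS inside the tunnel to the VPN resolver, and logging anything else before dropping it, plus a narrow, revocable exception for a captive portal. The interface names wlan0/tun0, the VPN server 203.0.113.10 on UDP/1194 and the resolver 10.8.0.1 are assumed placeholders.

```shell
#!/bin/sh
# VPN kill switch for a laptop on an untrusted hotspot (added example, not from
# the answers). Assumed placeholders: Linux with iptables, hotspot interface
# wlan0, tunnel interface tun0, VPN server 203.0.113.10 on UDP/1194, VPN-side
# resolver 10.8.0.1. Configure the VPN client with the server's IP address, not
# a hostname: no DNS is allowed on the hotspot interface at all.
WLAN_IF=wlan0
VPN_IF=tun0
VPN_SERVER=203.0.113.10
VPN_PORT=1194
VPN_DNS=10.8.0.1

# Print the rules instead of running them, so they can be reviewed (and tested)
# without root; apply_rules pipes them to sh. Order matters: iptables takes the
# first matching rule in OUTPUT.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $WLAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $WLAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -p udp --dport 53 ! -d $VPN_DNS -j DROP
iptables -A OUTPUT -o $VPN_IF -p tcp --dport 53 ! -d $VPN_DNS -j DROP
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-leak-blocked: "
iptables -A OUTPUT -j DROP
EOF
}
# Rule by rule: DHCP so the laptop can join the hotspot at all; the VPN
# handshake to one address and port; inside the tunnel, DNS only to the VPN's
# resolver (a hardcoded resolver in an application is dropped, not leaked);
# everything else only via the tunnel; the LOG line records which program tried
# to talk before tun0 existed, which is the "pre-VPN" window the article is about.

# Captive-portal window: open only TCP 80/443 to one address on the Wi-Fi
# interface, inserted at position 1 so nothing else is opened, and remove it as
# soon as the portal has accepted you. The portal is often the hotspot's default
# gateway (ip route | awk '/default/ {print $3}'), but verify before trusting it.
portal_open_rules() {
    printf 'iptables -I OUTPUT 1 -o %s -p tcp -d %s -m multiport --dports 80,443 -j ACCEPT\n' "$WLAN_IF" "$1"
}
portal_close_rules() {
    printf 'iptables -D OUTPUT -o %s -p tcp -d %s -m multiport --dports 80,443 -j ACCEPT\n' "$WLAN_IF" "$1"
}

# Run a rule generator as root, e.g.:
#   apply_rules killswitch_rules
#   apply_rules portal_open_rules 192.0.2.1   (192.0.2.1 = constructed portal IP)
apply_rules() { "$@" | sh; }
```

If a non-VPN connection does sneak out, it shows up in the kernel log with the vpn-leak-blocked prefix rather than on the hotspot, which is the detection half of the kill switch.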
4

If you want to be 100% safe, then don't use an open wifi. I use open wifi only in desperate times when stuck out in foreign lands but only for a quick google or whatsapp.

Using a VPN gives you a secure tunnel, which obviously is good, but what matters is the steps you take to ensure you made that tunnel without anyone seeing you; depending on how the VPN is set up you can still get a MitM attack while using a VPN. It just depends on your configuration.

Once your device is on a network and using a VPN, you are still on that network. Your presence is still there. You still have the risk of that. It's hard to say, though if you run iptables and lock out all ports on your device (other than the 100% required ones) then you could help secure yourself there. There are many ways to keep yourself safe on an open airway. Though there are also more ways to make mistakes.

See: Are VPNs vulnerable to active man in the middle attacks?

TheHidden
4

The risks of open wifi

The very features that make wireless access points convenient for consumers also offer hackers new opportunities, such as the fact that no authentication is required to establish a network connection. Such situations give them a great opportunity indeed: free access to insecure devices on the same network.

They are also able to get between you and the point of connection, a configuration that represents the greatest threat to free wifi security. So instead of communicating directly with the access point, you send your information to hackers, who then relay it.

Meanwhile, hackers can access every piece of information you send over the Internet: important emails, credit card data or credentials to access your corporate network. Once hackers have the information, they may, at their option, access your systems on your behalf.

Hackers are also able to use an insecure wifi connection to deliver malware. If you allow file sharing on a network, the attacker can easily install infected software on your computer. Some ingenious hackers have even managed to hack the connection point itself, thus managing to open a popup window during the connection process offering an upgrade of a popular piece of software. When the user clicks on the window, malware is installed.

With mobile wireless connectivity becoming increasingly common, one must expect an increase in security problems on the Internet and risks on public wifi networks. This does mean that you should avoid free wifi and stay glued to your desk. The vast majority of pirates will simply prey on easy targets. So it is usually enough to take some precautions to keep your information safe.

Use a virtual private network (VPN)

A VPN (virtual private network) is required when you access your corporate network via an unsecured connection, like a wireless access point. Even if a hacker manages to get in the middle of your connection, the data on it will be strongly encrypted. Since most pirates prefer easy prey, they do not bother with stolen information that requires a tedious decryption process.

Use SSL connections

While it is unlikely that you have a VPN connection while browsing the Internet in general, nothing prevents you from adding a level of encryption to your communications. Enable the "Always use HTTPS" option on websites that you visit frequently or that prompt you to enter credentials. Remember that pirates are well aware that users use the same login and password for forums, their bank or their corporate network. Sending these credentials without encryption may open a breach into which a clever hacker will be eager to rush. Most websites that require opening an account or entering identification data offer the "HTTPS" option in their settings.

Disable Sharing

When you connect to the Internet in a public place, it is unlikely that you want to share anything. In this case, you can disable the sharing option in System Preferences or Control Panel, depending on your operating system, or let Windows turn it off for you by choosing the "Public" option the first time you connect to a new unsecured network.

Leave the wireless feature turned off when you do not need it

Even if you are not actively connected to a network, the wireless equipment in your computer continues to transmit data to the network or networks located at some distance. Security measures have been put in place so that this minimal communication mode does not compromise the security of your data. However, wireless routers are far from all identical and hackers can sometimes be resourceful. If you use your computer only to work on a Word or Excel document, leave the wifi functionality disabled. Moreover, the battery life will be even longer.

GAD3R
  • How to enable the "Always use HTTPS"? I guess you mean *https everywhere* extension for Firefox or Chrome. – Cœur Feb 16 '16 at 13:47
  • You can try the "HTTPS Everywhere extension" for Google Chrome. – GAD3R Feb 16 '16 at 13:54
  • @GAD3R some very good points here about `Network Sharing` while connected to an `Open Wi-Fi` network. Thanks for sharing – User1 Feb 16 '16 at 16:28
  • "tedious decryption process" suggests it's possible, just time consuming. This isn't really accurate. If the data is encrypted with the correct algorithm and bit-length, it cannot be hacked with currently existing computer hardware. – user1751825 Feb 17 '16 at 03:30
  • "tedious decryption process" is quite correct. No matter which encryption algorithm is used, a brute-force cracking method can always be attempted. Given enough computing power and enough time, a brute force method will succeed. Guaranteed. – Brent Kirkpatrick Apr 17 '16 at 13:53
3

So the question is: can an open wifi hotspot be considered secure when using a VPN or should you NEVER use open hotspots?

Analysis

Connecting to an open hotspot is not unlike connecting directly to a local hub where everyone on it can see all traffic, which is then connected directly to the Internet without any firewall between.

Thus, all open hotspots should be considered hostile.

The obvious solution: Bring your own firewall, AND use a VPN.


Option A: Hardware based

  • Use a hardware firewall such as a small pfSense (open source) box, or a Ubiquiti Edgerouter Lite, or another similar device

    • Have a site to site or client side VPN set up on that device that automatically connects

    • Have an "untrusted" port on that device that is locked down to ONLY allow communications to the captive portal IP address

      • Use this port first, to get past the captive portal, from a device or Virtual Machine with no other purpose than to do this (and possibly allow DNS redirect).

      • Change the rules for this port from captive portal to captive portal; only enable DNS when you can't go by straight IP.

    • Have a trusted port on that device that is locked down to ONLY allow communications via the VPN, and to log into the device itself.

      • Once the captive portal is bypassed, use this port. If the VPN connection is interrupted, this port simply loses internet connectivity.

Option B: virtual machine based with USB hardware

  • Same as Option A,

    • except instead of hardware, virtual machines (VMs) are used

    • Hotspot is accessed with a USB Wifi card that is connected directly to the pfSense or other virtual machine firewall and VPN device

    • Only other VMs get network connectivity, and those other VM's are connected by host-only networking.

    • Any other networking on the host hardware is disabled.


Option C: Quick and dirty cheating to reduce exposure

  • NOT as good as A or B; you aren't using your own real firewall here.

  • On a trusted network, make sure that your particular VPN redirects communications even when it's trying (and failing) to connect, i.e. that it's not letting applications talk to the raw Internet while it's attempting to start up but can't because there's no network yet

  • Have a USB wifi card; connect first to a device or virtual machine used for nothing but getting past captive portal

    • And get past the captive portal
  • On your real machine, disable all other networking as above.

  • On your real machine, have the VPN set to redirect ALL communications - including DNS.

  • Start the VPN on the real machine

  • Move the USB Wifi card to the real machine; captive portals tend to operate by MAC address, so, in theory, the VPN will then connect correctly

  • Be careful the VPN doesn't shut down, allowing your communications to go out over the internet.

Anti-weakpasswords
-1

Assuming that your computer is properly configured and secure, then VPN through public WiFi should be totally fine. The data is encrypted, so it should be impossible for any 3rd party to eavesdrop.

As others have suggested though, public WiFi should really be a last resort. If possible use your own 4G cellular connection. Public WiFi is usually rubbish anyway, and generally much slower than a good 4G connection.

user1751825