I'm always using Wi-Fi networks, since I move a lot. But I don't think I can afford a VPN for the moment (I know they're cheap) to protect myself against KRACK when connecting to those Wi-Fi networks.

So is there a way that can help me that doesn't make use of a VPN?

Peter Mortensen
user161476
  • What is your use case of Wi-Fi? What are you trying to protect and who would be trying to attack you specifically? – M'vy Oct 17 '17 at 13:09
  • Windows fixed the bug. Are you on Windows? – Mark Buffalo Oct 17 '17 at 14:41
  • ProtonVPN offers a free tier: https://protonvpn.com/ – Ajedi32 Oct 17 '17 at 16:40
  • So you're saying that you connect to a lot of open Wi-Fi networks anyway? Then KRACK basically changes nothing for you. If not, please be more specific about what you mean by "I move a lot" and "those Wi-Fi networks" (with examples). – Bergi Oct 17 '17 at 16:47
  • @Bergi indeed KRACK would be the least of my worries when using public Wi-Fi. Public Wi-Fi networks are usually either completely unencrypted or use PSK, which is only secure when the pre-shared key is actually a secret. – Peter Green Oct 17 '17 at 17:14
  • @PeterGreen I've seen a lot of WPA2-encrypted Wi-Fi networks where the password is simply made public. – Bergi Oct 17 '17 at 17:26
  • (This is meant as a comment but I don't have enough reputation to make one) No, don't use OperaVPN; their privacy policy states that they log everything: https://www.opera.com/privacy – user161492 Oct 17 '17 at 14:28
  • Related: [Does using a VPN protect against KRACK?](https://security.stackexchange.com/q/171431/141087) – Stevoisiak Oct 17 '17 at 19:46
  • The [hide.me](https://hide.me/) service also offers a few free VPNs. – kenorb Oct 18 '17 at 11:16
  • Which system are you on? – kenorb Oct 18 '17 at 11:16

6 Answers

Using a secure connection such as HTTPS helps against the attack. HTTPS Everywhere can help you ensure that HTTPS is used as much as possible:

  1. Install the browser addon HTTPS Everywhere from the Electronic Frontier Foundation's official website: https://EFF.org/https-everywhere
  2. Once done, click on the blue "S" icon of HTTPS Everywhere and tick on the box corresponding to "Block all unencrypted requests"

And that's it. However, note that many websites may not work since they do not support HTTPS and/or don't have corresponding rulesets in HTTPS Everywhere*, so this is a better solution if you connect most of the time to HTTPS websites.

I also don't recommend free VPNs since they're more often than not malicious, and there's no way for you to be sure that they don't sniff on your traffic.


* : If you want to contribute more of those rulesets you may do so at their GitHub repository: https://github.com/EFForg/https-everywhere

Luc
user161477
  • Just because the URL begins with HTTPS doesn't mean you are protected, though. Note that [this section of the KRACK website](https://www.krackattacks.com/#demo) indicates a lot of vulnerabilities when HTTPS is used improperly. – NH. Oct 17 '17 at 15:21
  • Unfortunately, this solution only protects your browser traffic. There may be other network traffic subject to interception and tampering. For web browsing though, this is indeed probably sufficient. – Ajedi32 Oct 17 '17 at 16:41
  • On the free VPN: 90% of the time, if you are not paying for a service, then **you** (or your data) is the product being sold. – Mindwin Oct 17 '17 at 16:54
  • So this advice addresses web browsing, but what about non-HTTP/HTTPS connections, such as SMTP and even SSH? – Giacomo1968 Oct 17 '17 at 23:15
  • @JakeGould SSH is encrypted and safe. SMTP also has secured extensions, but securing SMTP is akin to parking your car at a tightly guarded parking lot just to drive it to a restaurant and give your keys to a valet. – John Dvorak Oct 18 '17 at 08:05
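To make concrete what the answer's two steps actually do, here is a small model of an HTTPS Everywhere ruleset and of the "Block all unencrypted requests" setting. This is an added example, not code from the answer or from the EFF's extension: the ruleset XML is constructed in the shape the project's rulesets use (a `ruleset` with `target` hosts and `rule` rewrites), the `*.host` wildcard is simplified to "one or more labels", and `decide()` is a hypothetical helper that returns what would happen to a URL.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset for the example; real ones live in EFForg/https-everywhere.
RULESET_XML = """
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


def load_ruleset(xml_text):
    """Parse a ruleset into (target host patterns, compiled rewrite rules)."""
    root = ET.fromstring(xml_text.strip())
    targets = [t.get("host") for t in root.findall("target")]
    rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]
    return targets, rules


def host_matches(host, pattern):
    """Simplified target matching: '*.example.com' covers one or more labels
    in front of example.com; anything else must match exactly."""
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def decide(url, ruleset, block_unencrypted):
    """Return (action, resulting_url): 'allow', 'rewrite' (to HTTPS) or 'block'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        return "allow", url              # already encrypted, nothing to do
    targets, rules = ruleset
    if any(host_matches(host, t) for t in targets):
        for pattern, replacement in rules:
            new_url, count = pattern.subn(replacement, url)
            if count:
                return "rewrite", new_url
    # No ruleset covers this host, so the request would leave as plain HTTP.
    # That is exactly what "Block all unencrypted requests" refuses to send.
    if block_unencrypted:
        return "block", None
    return "allow", url


if __name__ == "__main__":
    rs = load_ruleset(RULESET_XML)
    for u in ("http://example.com/login", "http://api.example.com/", "http://legacy.test/"):
        print(u, "->", decide(u, rs, block_unencrypted=True))
```

The last case is the one the answer warns about: a site with no ruleset is simply blocked once the setting is on, which is why the answer says the setting suits people who mostly visit HTTPS sites.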
If you can't afford a VPN then make your own, if possible. It is relatively easy to set up, especially if you have prior experience.

Here is a nice script for beginners which will make the whole process easier.

https://github.com/Angristan/OpenVPN-install

Or:

wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

And then:

./openvpn-install.sh

There is another one from Nyr: https://github.com/Nyr/openvpn-install

Peter Mortensen
Mirsad
  • While this may be more affordable than using an existing VPN, it's not necessarily free as you still need a server of your own to run the service on. – JAB Oct 17 '17 at 17:38
  • Someone can use his own computer or some old machine which can be found in a basement. – Mirsad Oct 17 '17 at 22:59
  • You could spin up an AWS instance and have it free for the first year, so long as you don't exceed the free bandwidth allowance each month. – さりげない告白 Oct 18 '17 at 04:22
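Whichever installer you use, the tunnel only helps against an on-path Wi-Fi attacker if the client profile it hands you pins the server and uses modern ciphers. The following audit is an added example, not part of the answer or of the linked installer scripts: both `.ovpn` profiles are constructed (the host `vpn.example.invalid` is a placeholder), and `audit_profile()` is a hypothetical helper that checks for the OpenVPN directives a hardened profile should carry (`remote-cert-tls server`, `tls-auth`/`tls-crypt`, an AEAD `cipher`, a `tls-version-min` of 1.2 and no compression).

```python
# Constructed profiles; vpn.example.invalid is a placeholder, not a real server.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
comp-lzo
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
tls-version-min 1.2
tls-crypt tc.key
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert client.crt
key client.key
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_profile(text):
    """Map each directive to the list of argument strings it was given.
    Comments are stripped; inline <ca>...</ca> blocks are recorded but not parsed."""
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            directives.setdefault(line.strip("<>"), []).append("(inline)")
            continue
        if in_block:
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def audit_profile(text):
    """Return {finding_code: explanation}; an empty dict means no finding."""
    d = parse_profile(text)
    findings = {}
    if "remote-cert-tls" not in d:
        findings["no-remote-cert-tls"] = ("without 'remote-cert-tls server' any certificate "
                                         "signed by the CA, even another client's, passes as the server")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings["no-control-channel-key"] = "no tls-auth/tls-crypt: control channel lacks a pre-shared key"
    cipher = d.get("cipher", [""])[0].upper()
    if cipher not in AEAD_CIPHERS:
        findings["non-aead-cipher"] = f"cipher {cipher or 'unset (legacy default BF-CBC)'}: use an AEAD cipher"
    auth = d.get("auth", [""])[0].upper()
    if auth in ("", "SHA1", "MD5"):
        findings["weak-auth"] = f"auth {auth or 'unset (default SHA1)'}: use SHA256 or stronger"
    if "comp-lzo" in d or "compress" in d:
        findings["compression"] = "compression enabled: compressed plaintext leaks information; leave it off"
    try:
        tls_min = float(d.get("tls-version-min", ["0"])[0].split()[0])
    except ValueError:
        tls_min = 0.0
    if tls_min < 1.2:
        findings["tls-min-below-1.2"] = "no 'tls-version-min 1.2': older TLS versions can be negotiated"
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile))
```

Run it against the profile an installer generated for you; `remote-cert-tls server` is the check that matters most on a hostile Wi-Fi network, because without it any holder of a CA-signed client certificate can impersonate the server.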
Yes, install the TOR browser as it is a free VPN, and the traffic is encrypted until an exit node.

Any .onion websites are end-to-end encrypted, and HTTPS websites are also end-to-end encrypted. However, the contents of any HTTP websites will still be visible to exit node operators, as anyone can run such a node.

Peter Mortensen
Chloe
  • It’s not a VPN. It’s a reasonably secure browser bundle. Exit node operators are to some extent evil, so there’s that - this may be a worse problem than exotic KRACKALACKATTACK – user2497 Oct 17 '17 at 21:32
For mobile devices, use Opera VPN. For your laptop, see: VPN integrated in Opera for better online privacy.

I doubt it changes the route to a dedicated VPN interface on the browser ‘vpn’, but it’s better than nothing. You’ll need something like OpenVPN to set up a real tunnel, though.

The speed is adequate, and there are options for compression. It’s free, of course, and blocks ads - if you want it to.

kenorb
user2497
  • But understand the Opera VPN only applies to content within windows of that Opera app. Other apps are *not* included in the VPN connection. – Basil Bourque Oct 17 '17 at 18:58
  • @Michael And they likely sell traffic info, but so what? US ISPs do that. If OP wants to protect his traffic, Opera provides for free. – user2497 Oct 18 '17 at 21:26
  • Use a 3G/4G network if you have one.
  • Purchase a data bundle from your ISP until the security update is released
  • Do not use Wi-Fi on Android or old Linux machines since they are the most vulnerable.
  • Make it a habit to always check for HTTPS.
  • Encrypt your data before sending sensitive data.
Luc
Jonah
  • "Do not use Android or Linux machines since they are highly vulnerable.", what is the alternative to use? – Mirsad Oct 17 '17 at 16:04
  • Linux machines aren't inherently vulnerable. An increasing number of distributions already rolled out patches for wpa_supplicant, including Debian (including security backports), Arch, and others. Due to Android being seldom updated, Android-based phones are more at risk. – ElementW Oct 17 '17 at 19:04
  • Most Linux machines are already patched. Android on the other hand... Also, "highly vulnerable" is a little exaggerated. If you use Android for 3g that's fine. Updated the post for correctness. – Luc Oct 17 '17 at 19:18
  • Alternatives: devices that don't use wpa_supplicant. Since Linux has released patches, then it should be fine. 41% of Android devices are vulnerable according to the official release. I suppose it is quite high in terms of percentage. – Jonah Oct 18 '17 at 03:49
The first thing you should do is update your devices if possible. Patches are coming as soon as possible, but in the short interim CERT has a list of patches currently available.

The reason patching your devices keeps you safe is that it is a backwards-compatible fix. If the device only installs the certificate once, it will be immune to a replay attack.

The other good part is that these attacks are EXTREMELY targeted, so you're probably safe without doing anything while waiting for a patch, but until then it's best to use HTTPS as much as possible, use an encrypted VPN you set up yourself, or avoid using Wi-Fi on unpatched devices if this is an absolute concern.

Robert Mennell
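The answer's point that the fix is backwards compatible comes down to one rule on the client side: the pairwise key delivered in message 3 of the 4-way handshake is installed once, and a retransmitted message 3 no longer reinstalls it (which is what reset the per-key packet number that CCMP uses as its nonce). The simulation below is an added example, not code from the answer or from any wpa_supplicant release: `Supplicant`, `nonces_unique()` and the key value are constructed, and the state machine is deliberately reduced to the one step the patch changed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Supplicant:
    """Toy model (constructed) of a Wi-Fi client's key-installation step."""
    patched: bool                          # True: install a given PTK only once
    installed_ptk: Optional[bytes] = None
    packet_number: int = 0                 # per-key CCMP packet number, i.e. the nonce counter
    used_nonces: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> None:
        """Handle message 3 of the 4-way handshake, which may be a retransmission."""
        if self.patched and self.installed_ptk == ptk:
            # Patched behaviour: the key is already in use, so nothing happens.
            # Leaving the packet number alone is what keeps every nonce unique.
            return
        self.installed_ptk = ptk
        self.packet_number = 0             # installing a key restarts the counter

    def send(self, frame: bytes) -> Tuple[bytes, int]:
        """Encrypt one frame; CCMP builds the nonce from the key context and packet number."""
        self.packet_number += 1
        nonce = (self.installed_ptk, self.packet_number)
        self.used_nonces.append(nonce)
        return nonce


def nonces_unique(patched: bool) -> bool:
    """Run one handshake with a single retransmitted message 3 and report
    whether every (key, packet number) pair was used for exactly one frame."""
    client = Supplicant(patched=patched)
    ptk = b"constructed-pairwise-key"
    client.on_message3(ptk)
    client.send(b"frame one")
    client.send(b"frame two")
    client.on_message3(ptk)                # the same message 3 arrives again
    client.send(b"frame three")
    return len(client.used_nonces) == len(set(client.used_nonces))


if __name__ == "__main__":
    print("unpatched client keeps nonces unique:", nonces_unique(patched=False))
    print("patched client keeps nonces unique:  ", nonces_unique(patched=True))
```

Because the patched client simply ignores the duplicate message, it still interoperates with every unpatched access point, which is why a client-side update alone protects that device even when the network it joins is never fixed.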