How can I protect myself while using public wifi hotspots?

26

11

I frequently need to access secure resources (Gmail, banking, remote desktop, etc.) while on public wifi hotspots. What can I do to ensure that nobody can sniff my passwords or my other browsing activity?

kenwarner

Posted 2009-08-04T15:43:09.013

Reputation: 1 987

2 Also, a lot of applications these days access the internet outside the browser. There's no way to know if these apps are using https – kenwarner – 2009-08-04T15:50:12.167

Answers

12

It's a bit complicated but you can set up a VPN at home and connect to that. That way all your traffic is encrypted.

http://www.bauer-power.net/2008/07/setup-simple-vpn-server-using-windows.html

Nifle

Posted 2009-08-04T15:43:09.013

Reputation: 31 337

2 What kind of performance hit is there with this approach? – kenwarner – 2009-08-04T17:33:16.907

1 Usually not very big unless your home server or laptop is very old. The main bottleneck would probably be the wifi since the traffic has to go laptop->wifi->home->www->home->wifi->laptop – Nifle – 2009-08-04T17:49:08.457

I guess that's more so what I meant. I wouldn't imagine there would be a lot of CPU processing involved, just the delay in jumping through hoops. Will definitely be trying this when I get home. I saw something that some routers have built-in VPN capabilities too. – kenwarner – 2009-08-04T19:04:25.487

19

Make sure that all of your connections are using SSL. For example use https://gmail.com instead of http://gmail.com. Same goes for your bank, etc.

heavyd

Posted 2009-08-04T15:43:09.013

Reputation: 54 755

9 And make sure that the SSL certificates are valid. If accessing a known site, like Gmail, gives you a notification about the certificate validity, don't go any further! It's not very hard for an evil hacker to offer you his own self-signed certificate and pretend to be the site you're trying to access. – Kaitsu – 2009-08-04T18:04:53.630

A very important point. It's almost trivially easy for any script-kiddie to do this. – Ian – 2009-08-04T21:00:22.663

And make sure that form submit actions are https. – jtimberman – 2009-08-05T00:18:51.730

Using https for all webmail sites all the time is advisable (if they don't support it, don't use them). This will at least encrypt data between you and your own inbox. Remember that email is otherwise not encrypted! – MGOwen – 2009-09-23T02:46:02.990
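The point raised in the comments above, that a page loaded over https can still submit its form somewhere that is not https, can be checked mechanically. This is an added example, not part of the original thread: it resolves every form `action` and `formaction` override against the page URL and reports the ones that would leave the browser in cleartext. The function name `insecure_form_targets`, the `example.com` hosts and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []    # one dict per <form>
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            self._open = {"actions": [a.get("action") or ""], "password": False}
            self.forms.append(self._open)
        elif tag in ("input", "button") and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["password"] = True
            if a.get("formaction"):  # a submit control can override the action
                self._open["actions"].append(a["formaction"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_form_targets(page_url, html):
    """Return (resolved_url, has_password_field) for each non-HTTPS submit target."""
    parser = _FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    findings = []
    for form in parser.forms:
        for action in form["actions"]:
            # An empty or missing action submits to the page's own URL.
            target = urljoin(base, action) if action.strip() else page_url
            if urlsplit(target).scheme.lower() != "https":
                findings.append((target, form["password"]))
    return findings

# Constructed sample: an HTTPS login page whose forms are not all HTTPS.
SAMPLE_URL = "https://mail.example.com/login"
SAMPLE_HTML = """
<form action="http://mail.example.com/auth"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
<form action="/prefs"><button formaction="http://legacy.example.com/save">Save</button></form>
"""
for url, has_pw in insecure_form_targets(SAMPLE_URL, SAMPLE_HTML):
    print("cleartext submit:", url, "(password field)" if has_pw else "")
```

Relative actions such as `/search` inherit the page's https scheme and are not reported; a form with no `action` on a page that was itself loaded over http is.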

5

The first thing I would recommend is to have your personal firewall turned on. The next thing you want to consider is that you should not enter sensitive information into your browser unless the connection to the website is encrypted. Each browser has a small icon at the bottom to indicate when the connection is encrypted. You can click on this little icon to get more information about the identity of the certificate owner.

As long as you maintain an encrypted session to your website, sniffing the traffic will not prove to be all that useful. Just make sure you keep track of when the site is encrypted and when it is not. If there is ever any doubt as to whether you will be safe, then it is better to err on the side of caution.

Axxmasterr

Posted 2009-08-04T15:43:09.013

Reputation: 7 584

1 If a website doesn't offer an https connection, is there anything else I can do to use that site without potentially being compromised? – kenwarner – 2009-08-04T15:48:14.790

2 Nothing more to be done unfortunately. http always goes across the wire in the clear. – Axxmasterr – 2009-08-04T15:50:28.233

2 I'm usually using my home machine over RDP from the outside for things that can't be encrypted. Also you can set up a VPN server or proxy in a trusted location. – Joey – 2009-08-04T16:36:44.623

Re: RDP. There are a lot of steps to get it to run securely. See http://www.mobydisk.com/techres/securing_remote_desktop.html ... even then, I'd prefer SSH tunneling or a VPN. – Chris W. Rea – 2009-08-04T16:57:07.193

cwrea: This is between two Windows 7 machines here. Note that RDP security has come a long way since Windows XP. – Joey – 2009-08-04T17:26:04.397

Johannes: Agreed. – Chris W. Rea – 2009-08-04T18:09:32.090

2

As a small thing, you can force Gmail to use a secured connection:

Login to Gmail > Go to Settings > General > Browser Connection > Always use https

Gnoupi

Posted 2009-08-04T15:43:09.013

Reputation: 7 909

1

One more thing to be aware of - certain public WiFi locations get you to pay by credit card before you can access the internet. This can be common in hotels.

When you try and browse to the internet you are re-directed to a page where you can enter credit card details and then gain access to the internet.

Beware that some scammers have actually caught onto this and created dummy hotspots (pretending to be a hotel or whatever) to collect credit card information.

Michael Galos

Posted 2009-08-04T15:43:09.013

Reputation: 755

0

A slightly more involved but good solution is to run a PPTP Server from a home PC.

It's easy to set up in Windows, and will encrypt and forward any and all traffic through your Home PC and then out to the internet from your home ISP connection.

There is a performance impact, but for email, and standard web applications, it's not prohibitive on modern hardware.

Keck

Posted 2009-08-04T15:43:09.013

Reputation: 2 048

0

If you're using a public wifi at a business or educational institution you are affiliated with, it's likely they will also provide a VPN server for you to log in to with your network credentials.

Despite being reasonably common practice, this went pretty much unused at my University.

RJFalconer

Posted 2009-08-04T15:43:09.013

Reputation: 9 791