Coffee shop Wi-Fi security. Why do I need VPN?
Spliff
Mac Elite
Join Date: Feb 2001
Location: Canaduh
Oct 10, 2007, 01:04 PM
 
I keep coming across articles and forums posts about how it's essential that you use VPN when accessing the internet via public Wi-Fi at coffee shops, airports, etc.

Why is it "essential" to use VPN? I thought Macs are inherently secure and that router encryption was only needed to keep others from sharing your internet connection for free. I use https when accessing my webmail and other online accounts. Isn't information encrypted when using https sites? How am I at risk using public Wi-Fi without VPN? What can someone access from my computer or public web surfing?
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Oct 10, 2007, 01:15 PM
 
As long as you're using encryption for your sensitive data you're probably safe. We just had a thread about it.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Spliff  (op)
Mac Elite
Join Date: Feb 2001
Location: Canaduh
Oct 10, 2007, 01:44 PM
 
Originally Posted by Big Mac
As long as you're using encryption for your sensitive data you're probably safe. We just had a thread about it.
I did a search of the forum, but MacNN's search function never works for me anymore; it just returns an error. If you have a link to the thread, please post it here.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 10, 2007, 01:56 PM
 
http://forums.macnn.com/90/mac-os-x/...cted-networks/

I use a VPN when on an unencrypted wifi point, or using a hotel's access (wifi or wired). Just the way I prefer to roll.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 10, 2007, 08:04 PM
 
The "essential" part has to do with a number of things, including the assumption that "everyone" is using a Windows computer and that they've intentionally opened it up so that anyone can browse it from the computer's network connection. A VPN does indeed protect you from a lot of things, but just saying "use a VPN" doesn't even tell you how you're supposed to do this.

If you're just surfing news and these forums and the like at the coffee shop, no worries. Likewise, if you are doing any shopping online, as long as you get an SSL connection (the little padlock icon at the bottom of your browser screen), you're fine. Anything else would be VERY shaky. Why? The traffic between your computer and the unencrypted access point is plain text, not protected in the least. Who cares if you're chiming in on the side of Aqua versus "something new and special" in 10.5? And with SSL connections, your whole connection, including the WiFi part, is secured by the Secure Sockets Layer.

The reason Windows users are warned to use VPNs has to do with the fact that bad guys like to haunt public hot spots and fish for dupes. They can watch your traffic and catch things like your adapter's MAC address, and they can also try to intrude to "harvest data" like any personal data you might have on the computer. This is an effective strategy; it works all the time. But it needn't. All it takes is retaining the SP2 default "locked down" condition, and the computer won't allow anyone to browse it. Yes, your MAC address is out there, but it's out there at home too. Your personal stuff shouldn't be, and as long as ANY computer is set to NOT allow file sharing while in public, the user is pretty safe.

Glenn -----OTR/L, MOT, Tx
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Oct 10, 2007, 09:43 PM
 
How can you set up a VPN between your computer and an arbitrary access point? A VPN requires setup at both ends of the network connection.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 10, 2007, 10:00 PM
 
Originally Posted by chabig
How can you set up a VPN between your computer and an arbitrary access point? A VPN requires setup at both ends of the network connection.
I think the basic idea is that you have your home network pimped out as both a VPN endpoint and a proxy. That's all I can figure, and it's pretty silly if I'm right.

Glenn -----OTR/L, MOT, Tx
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: The deep backwoods of the PNW
Oct 11, 2007, 03:11 PM
 
Originally Posted by ghporter
I think the basic idea is that you have your home network pimped out as both a VPN endpoint and a proxy. That's all I can figure, and it's pretty silly if I'm right.
Correct - some higher-end home wireless routers have built-in VPN servers. You can also run a software VPN server (Linux is excellent for this) so you have something to connect to when you're on public Internet access.

Otherwise, if your school or employer has VPN access for students/employees, you can use that.

If you don't want to go all out with the VPN stuff, your best bet is to avoid doing anything confidential (like online banking) on public networks. You can never be too certain, and even though OS X is less likely to be attacked on a public network, what operating system you use doesn't matter once the packets are being sent/received over the Internet.
Sell or send me your vintage Mac things if you don't want them.
     
pwrmacg4
Forum Regular
Join Date: Jan 2005
Oct 11, 2007, 03:43 PM
 
Originally Posted by shifuimam
Correct - some higher-end home wireless routers have built-in VPN servers. You can also run a software VPN server (Linux is excellent for this) so you have something to connect to when you're on public Internet access.

Otherwise, if your school or employer has VPN access for students/employees, you can use that.

If you don't want to go all out with the VPN stuff, your best bet is to avoid doing anything confidential (like online banking) on public networks. You can never be too certain, and even though OS X is less likely to be attacked on a public network, what operating system you use doesn't matter once the packets are being sent/received over the Internet.
What Linux software creates VPN access? Is this server software?
     
chabig
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Oct 11, 2007, 08:29 PM
 
Right. So having a VPN at home and on the road means that you can connect securely to your home computer, and only your home computer. You have no protection as you surf websites, download email, etc. I think some people give too much credit to VPNs.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 11, 2007, 09:23 PM
 
Originally Posted by chabig
Right. So having a VPN at home and on the road means that you can connect securely to your home computer, and only your home computer. You have no protection as you surf websites, download email, etc. I think some people give too much credit to VPNs.
A VPN can't encrypt all your data to every website you visit, because most websites aren't configured for it. A VPN is good for encrypting your traffic over a particular path. For example, you're in a hotel or on a public wifi network and don't want that ISP or network owner to sniff your packets or see your browsing details in their logs. It's also useful to bypass firewalls. As long as there is one port open, you can get services that many hotels and some ISPs block: bittorrent, for example, and certain SMTP servers or ports.
     
rjt1000
Senior User
Join Date: Jul 2003
Location: Asia
Oct 12, 2007, 04:48 PM
 
One potential danger at a wireless hotspot is the evil twin: some bad guy sips his latté while hosting the evil twin wireless network on his laptop, often using a name similar to the hotspot's own. One ploy is to host fake but real-looking login pages of common domains. So you think you are logging on to your webmail or e-banking account, but in reality you are giving your login credentials to the bad guys.

A good way to avoid this and other treachery is to surf via an SSH SOCKS proxy. This is easier to do than many realize, requiring just a bit of setup. If you have your home computer up and running with remote access turned on, you can use SSH (secure shell) to securely log onto it and at the same time set it up as a SOCKS proxy. Then just set Firefox to surf using the proxy. The result is an encrypted tunnel between your laptop and home computer, and your web traffic exits on your home (trusted) network.

First, set up your home Mac:

1. Make sure all user accounts on your home Mac have a strong password.
2. Be sure you have turned on OS X's built-in firewall, and turn on "remote access".
3. If your home Mac is behind a router, you will also need to give it a manual internal IP address and set up port forwarding on your router to forward port 22 to that manual internal IP address.
4. You will need to leave your home Mac running (turn off sleep and set it to restart if there is a power failure).
5. You will need to know the external address of your home Mac, so note it, and if your ISP regularly changes it, you will need to purchase a service that regularly informs you of your home Mac's current IP address.

On your laptop:

1. Set Firefox to use a SOCKS proxy on 127.0.0.1 port 2001. You can choose a different port if more convenient, but the low-numbered ports are reserved and will require adding sudo to your login command. Either SOCKS version 4/4a or 5 should work, but if one doesn't work on your setup, try the other. (BTW: there are a number of Firefox plugins that will allow you to switch proxy settings easily.)
2. It is also a good idea to resolve DNS requests remotely through the SOCKS proxy, rather than locally (to avoid rogue DNS lookups). To make it so: in Firefox, enter about:config in the address field, press enter, and then set network.proxy.socks_remote_dns = true.

Once set up as above, you start up the proxy from your remote Mac using the Terminal application and the login command:

ssh username@xx.xx.xx.xx -D 2001

where username is your short username, xx.xx.xx.xx is your home Mac's external IP address, and the port number is the same as chosen in the Firefox setup. You will need to enter your password (which secure shell encrypts before sending). Leave the Terminal window open for the duration of your connection.

Now fire up Firefox and surf as normal, but your web traffic will be proxied and encrypted between your remote and home Mac, exiting on your home (trusted) network. Check your IP address with ipchicken.com to verify.

Yes, there is some risk in having remote access set up on your home Mac, which is constantly on the internet (you wouldn't want a hacker logging in). Strong passwords can help deter the bad guys, but for further security, one could also change the port on which ssh works to a non-standard port or use encryption keys instead of passwords. Google for details.
( Last edited by rjt1000; Oct 13, 2007 at 11:13 AM. )
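The step that matters most in the recipe above is the socks_remote_dns setting, and the reason is visible at the protocol level. The following script is an added illustration, not code from rjt1000's post or from any project mentioned in the thread: it drives both ends of a SOCKS5 CONNECT exchange (the protocol that the "ssh -D" listener speaks) over a local socket pair, so it runs offline. With remote DNS on, the browser puts the hostname itself into the request (address type 0x03) and the name is resolved at the home end; with it off, the browser has already asked the hotspot's DNS and sends only an IP address (address type 0x01). The proxy half here is a stand-in that records what was requested instead of opening an outbound connection; the hostnames and addresses are constructed sample values.

```python
import socket
import struct
import threading

# SOCKS5 field values from RFC 1928. The listener that "ssh -D 2001" opens on
# 127.0.0.1 speaks this protocol and offers only the "no authentication" method.
VER = 0x05
METHOD_NOAUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCESS = 0x00


def recv_exact(conn, n):
    """Read exactly n bytes; SOCKS messages are length-prefixed, not line-based."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the proxy connection")
        buf += chunk
    return buf


def build_greeting():
    """Client hello: VER, NMETHODS, METHODS. Only 'no auth' is offered, as with ssh -D."""
    return bytes([VER, 0x01, METHOD_NOAUTH])


def build_connect_request(host, port, remote_dns):
    """CONNECT request as a browser would send it.
    remote_dns=True  (socks_remote_dns = true): the hostname itself goes through the
                     tunnel (ATYP 0x03) and is resolved at the home end.
    remote_dns=False: the browser resolves the name via the hotspot's DNS first and
                     sends only the resulting IPv4 address (ATYP 0x01). To stay offline,
                     this mode takes a dotted-quad instead of calling a resolver.
    """
    if remote_dns:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    return bytes([VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request as the proxy end does and report who did the DNS lookup."""
    if len(data) < 4 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, port = socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
        return {"host": host, "port": port, "resolved_by": "client"}
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
        return {"host": host, "port": port, "resolved_by": "proxy"}
    raise ValueError("unsupported address type 0x%02x" % atyp)


def proxy_side(conn):
    """Server half: negotiate, read one CONNECT, acknowledge it. A real proxy would open
    the outbound TCP connection here; this stand-in only records what was requested."""
    try:
        ver, nmethods = recv_exact(conn, 2)
        methods = recv_exact(conn, nmethods)
        if ver != VER or METHOD_NOAUTH not in methods:
            conn.sendall(bytes([VER, METHOD_NONE_ACCEPTABLE]))
            return None
        conn.sendall(bytes([VER, METHOD_NOAUTH]))
        head = recv_exact(conn, 4)
        if head[3] == ATYP_IPV4:
            rest = recv_exact(conn, 6)
        elif head[3] == ATYP_DOMAIN:
            length = recv_exact(conn, 1)
            rest = length + recv_exact(conn, length[0] + 2)
        else:
            raise ValueError("unsupported address type")
        parsed = parse_connect_request(head + rest)
        # Reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT (bound address left as 0.0.0.0:0).
        conn.sendall(bytes([VER, REP_SUCCESS, 0x00, ATYP_IPV4]) + bytes(6))
        return parsed
    finally:
        conn.close()


def run_exchange(host, port, remote_dns):
    """Drive both sides over a local socket pair and return what the proxy end learned."""
    client, proxy = socket.socketpair()
    outcome = {}
    worker = threading.Thread(target=lambda: outcome.update(parsed=proxy_side(proxy)))
    worker.start()
    try:
        client.sendall(build_greeting())
        _, method = recv_exact(client, 2)
        if method != METHOD_NOAUTH:
            raise RuntimeError("proxy rejected our authentication methods")
        client.sendall(build_connect_request(host, port, remote_dns))
        reply = recv_exact(client, 10)
    finally:
        client.close()
        worker.join()
    result = dict(outcome["parsed"])
    result["reply_ok"] = reply[1] == REP_SUCCESS
    return result


if __name__ == "__main__":
    print(run_exchange("mail.example.com", 443, remote_dns=True))   # resolved_by: proxy
    print(run_exchange("192.0.2.10", 80, remote_dns=False))         # resolved_by: client
```

Run it and compare the two results: in the first exchange the proxy end sees the name "mail.example.com" and nothing about it ever touched the hotspot's resolver, while in the second the name was already turned into an address locally, which is exactly the rogue-DNS exposure the post's step 2 closes. Firefox's SOCKS 4 mode has no hostname address type at all (SOCKS 4a added it), which is another reason to prefer SOCKS 5 when the setting is on.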
     
art_director
Professional Poster
Join Date: Mar 2002
Location: Minneapolis, MN U.S.A.
Oct 22, 2007, 04:12 PM
 
Originally Posted by rjt1000
One potential danger at a wireless hotspot is the evil twin: some bad guy sips his latté while hosting the evil twin wireless network on his laptop, often using a name similar to the hotspot's own. One ploy is to host fake but real-looking login pages of common domains. So you think you are logging on to your webmail or e-banking account, but in reality you are giving your login credentials to the bad guys.

A good way to avoid this and other treachery is to surf via an SSH SOCKS proxy. This is easier to do than many realize, requiring just a bit of setup. If you have your home computer up and running with remote access turned on, you can use SSH (secure shell) to securely log onto it and at the same time set it up as a SOCKS proxy. Then just set Firefox to surf using the proxy. The result is an encrypted tunnel between your laptop and home computer, and your web traffic exits on your home (trusted) network.

First, set up your home Mac:

1. Make sure all user accounts on your home Mac have a strong password.
2. Be sure you have turned on OS X's built-in firewall, and turn on "remote access".
3. If your home Mac is behind a router, you will also need to give it a manual internal IP address and set up port forwarding on your router to forward port 22 to that manual internal IP address.
4. You will need to leave your home Mac running (turn off sleep and set it to restart if there is a power failure).
5. You will need to know the external address of your home Mac, so note it, and if your ISP regularly changes it, you will need to purchase a service that regularly informs you of your home Mac's current IP address.

On your laptop:

1. Set Firefox to use a SOCKS proxy on 127.0.0.1 port 2001. You can choose a different port if more convenient, but the low-numbered ports are reserved and will require adding sudo to your login command. Either SOCKS version 4/4a or 5 should work, but if one doesn't work on your setup, try the other. (BTW: there are a number of Firefox plugins that will allow you to switch proxy settings easily.)
2. It is also a good idea to resolve DNS requests remotely through the SOCKS proxy, rather than locally (to avoid rogue DNS lookups). To make it so: in Firefox, enter about:config in the address field, press enter, and then set network.proxy.socks_remote_dns = true.

Once set up as above, you start up the proxy from your remote Mac using the Terminal application and the login command:

ssh username@xx.xx.xx.xx -D 2001

where username is your short username, xx.xx.xx.xx is your home Mac's external IP address, and the port number is the same as chosen in the Firefox setup. You will need to enter your password (which secure shell encrypts before sending). Leave the Terminal window open for the duration of your connection.

Now fire up Firefox and surf as normal, but your web traffic will be proxied and encrypted between your remote and home Mac, exiting on your home (trusted) network. Check your IP address with ipchicken.com to verify.

Yes, there is some risk in having remote access set up on your home Mac, which is constantly on the internet (you wouldn't want a hacker logging in). Strong passwords can help deter the bad guys, but for further security, one could also change the port on which ssh works to a non-standard port or use encryption keys instead of passwords. Google for details.
Great post, thx.

What are the pros and cons of this approach? I've been considering purchasing the Linksys RV042 VPN router. Would one be faster than the other? Other than price, would I notice the difference once setup?

Again, thx.
     