WEP Wifi when travelling

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
User avatar
Topic Author
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

WEP Wifi when travelling

Post by kwan2 »

hello, I am going to be staying at a hotel, that uses a common shared password for all their routers, the owners have WEP security only on it. The owners are not willing to upgrade.

If I were to use a VPN, on my laptop, does that provide me with adequate security , (for email ? for any banking ?)

my other choice is to pay $80 /month for my own DSL line, when I'm not really stoked to do.


thx
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
DSInvestor
Posts: 11647
Joined: Sat Oct 04, 2008 11:42 am

Re: WEP Wifi when travelling

Post by DSInvestor »

I don't do any banking on any public wifi network. What about using mobile 3G/4G service or using your cellphone to create a personal hotspot?
Wiki
User avatar
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: WEP Wifi when travelling

Post by telemark »

Given the way email is transmitted, you should never assume that it's anything but public. For banking, nothing is completely secure, but a VPN is probably as good or better than your home connection. Even https is probably good enough.

Do make sure your firewall is active with no incoming connections allowed. Gibson Research has a good site here where you can test that.
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: WEP Wifi when travelling

Post by Ged »

I agree with the others here - email is not secure, period. Banking over public WiFi should be done, if at all in conjunction with a trusted VPN because of various technical flaws that are cropping up now and then with HTTPS implementations.
User avatar
Topic Author
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: WEP Wifi when travelling

Post by kwan2 »

thanks for the replies, I'm not technical enough to understand if a VPN over WEP is "secure" , other than to know WPA2 is best, maybe I should not use WEP at all? or

where in the security stack the VPN takes over, and what sniffing software could see, if I was on a VPN, or inject into my computer, if anything. thx again.
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
mnvalue
Posts: 1107
Joined: Sun May 05, 2013 2:22 pm

Re: WEP Wifi when travelling

Post by mnvalue »

Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.

That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.

Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.

In all cases, if you get any certificate warnings, never bypass them.
User avatar
Doom&Gloom
Posts: 5417
Joined: Thu May 08, 2014 3:36 pm

Re: WEP Wifi when travelling

Post by Doom&Gloom »

mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.

That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.

Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.

In all cases, if you get any certificate warnings, never bypass them.
Thanks for the detailed post. I learned something that I mistakenly thought I already knew.
User avatar
Topic Author
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: WEP Wifi when travelling

Post by kwan2 »

so using a VPN, like at a starbucks, or a hotel, doesn't increase security?

whether its WEP or WPA2 , etc ?


mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.

That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.

Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.

In all cases, if you get any certificate warnings, never bypass them.
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
mnvalue
Posts: 1107
Joined: Sun May 05, 2013 2:22 pm

Re: WEP Wifi when travelling

Post by mnvalue »

A VPN will increase security, yes. So, if you want to use a VPN, or can use one for free, by all means, do so. But even if you're going to use a VPN, you should still use HTTPS and SSL/TLS for email. SSL still protects you against attacks or snooping from the operators of your VPN service, as well as the network between your VPN service and your bank or email provider.

Also, the discussion here is about email and banking. So we're talking about a handful of destinations that will all support SSL and, except for email, will already force its use it all the time. A VPN is signficantly more useful (more or less required) if you want to shield your other web activity from casual snooping. For example, until recently bogleheads.org was HTTP-only, so a VPN would be the only way to protect your bogleheads.org posts (and password for that matter).
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: WEP Wifi when travelling

Post by TravelGeek »

mnvalue wrote: That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
And make sure the login screen itself is using https. Probably true for most banks, but not for all businesses. Take, for example, United Airlines. The login screen itself uses by default http (it works with https, too). Once you are logged in and thus have transmitted your credentials for any listener in clear-text, then it switches to https.

If you use VPN, everything your computer sends over the wire (or wifi) is encrypted, whether email or http traffic. The person in the hotel room next door on the same WEP-"encrypted" network will just see gibberish.
User avatar
ResearchMed
Posts: 16795
Joined: Fri Dec 26, 2008 10:25 pm

Re: WEP Wifi when travelling

Post by ResearchMed »

mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.

That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.

Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.

In all cases, if you get any certificate warnings, never bypass them.
Re: "... using your trusted bookmark..."

Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.)

I get it - definitely! - about not clicking on odd or otherwise "inviting" links in email or elsewhere, but typing directly?

Added: Or typing and allowing autocomplete, and YES, looking at it to make sure it's right.

Thanks.

RM
This signature is a placebo. You are in the control group.
User avatar
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: WEP Wifi when travelling

Post by magellan »

ResearchMed wrote:Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.
The issue is a vulnerability that may be present when you depend on a site to automatically redirect you to https after you type http. Flavors of the vulnerability have shown up and been patched multiple times in the past, so people are wary that the problem will crop up again. The key is to type in https from the start and don't depend on the site to automatically switch you from http to https.

A bookmark that uses https does this automatically and also eliminates the risk of a typo.
User avatar
ResearchMed
Posts: 16795
Joined: Fri Dec 26, 2008 10:25 pm

Re: WEP Wifi when travelling

Post by ResearchMed »

magellan wrote:
ResearchMed wrote:Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.
The issue is a vulnerability that may be present when you depend on a site to automatically redirect you to https after you type http. Flavors of the vulnerability have shown up and been patched multiple times in the past, so people are wary that the problem will crop up again. The key is to type in https from the start and don't depend on the site to automatically switch you from http to https.

A bookmark that uses https does this automatically and also eliminates the risk of a typo.
Thanks.

Is there any potential harm from erring by typing https:// instead of http:// for a site that isn't ordinarily https:// ?

I take it that the shortcut typing of just "<websitename>.com" is NOT safe for the reason you mentioned.

RM
This signature is a placebo. You are in the control group.
User avatar
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: WEP Wifi when travelling

Post by telemark »

kwan2 wrote:so using a VPN, like at a starbucks, or a hotel, doesn't increase security?

whether its WEP or WPA2 , etc ?
It's more that they protect different things. I'll explain as best I can, and perhaps someone else can correct any mistakes. Information almost never travels directly anywhere on the internet: instead it moves in a series of hops, and any one of those hops is potentially a problem. You can get some idea of how this works by running the traceroute command (on Windows, use tracert). This should show you something like this:

Code: Select all

telemark@fit3 ~ $ traceroute bogleheads.org
traceroute to bogleheads.org (71.251.199.162), 30 hops max, 60 byte packets
 1  unsecure.wifi.somehotel.com (192.168.0.1)  0.405 ms  0.464 ms  0.552 ms
 2  xyzzy.yzzyx.com (101.102.103.105)  0.415 ms  0.423 ms  0.419 ms
 3  br3.core.some-isp.net (161.33.4.7)  0.377 ms  0.376 ms  0.369 ms
 4  ip12-34-56.z789.customer.borge.net (56.46.36.26)  0.864 ms  0.863 ms  1.048 ms
 5  vb1611.rar3.paris-tx.us.xo.net (131.56.0.5)  36.089 ms  17.849 ms  21.901 ms
 6  207.88.41.226.ptr.us.xo.net (207.88.41.226)  17.486 ms  17.404 ms  17.386 ms   
 7  206.121.66.132.ptr.us.xo.net (206.121.56.132)  17.526 ms  17.525 ms  17.520 ms
 8  * * *
 9  static-71-251-199-162.nwrknj.fios.verizon.net (71.251.199.162)  73.134 ms !X  73.041 ms !X  75.576 ms !X
The first entry, the one starting with 192.168, is the local network, the one your computer connects to. Any traffic here is visible to anyone with access to the local network, meaning anyone who has cracked the password, if there is one, and also everyone who has the password legitimately, which would be all the registered guests. This is what WPA2 protects, by making the password hard to crack, but it still leaves you exposed to the other guests at the hotel. Also, your computer is directly accessible to everyone on this network, which is why you want to keep your firewall active.

A VPN encrypts all data travelling from your computer to some intermediate point: people on the local net can still see your data but they can't decipher it. If you have a VPN set up with borge.net, it would encrypt the data through the first four hops. This is a good thing and it makes you safer, but the data still has to travel the rest of the way and there's a small but non-zero chance that someone is listening somewhere along there.

Https gives you encryption all the way from your computer to the destination, but as Ged already noted, there have been recent vulnerabilities in some implementations and there's always the possibility of others we don't know about. And it appears that VPNs aren't always safe either. So there's no answer that's always going to be completely right. You have to decide how important your data is and how much trouble you want to go to to protect it. WPA2 + VPN + https is probably strongest, but it's hard to say by how much.
smackboy1
Posts: 1285
Joined: Wed Mar 14, 2007 9:41 pm

Re: WEP Wifi when travelling

Post by smackboy1 »

Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
nordsteve
Posts: 1104
Joined: Sun Oct 05, 2008 9:23 am

Re: WEP Wifi when travelling

Post by nordsteve »

mnvalue wrote:A VPN will increase security, yes.
Here's how I try to explain the same thing that telemark is explaining.

When connected via wifi at some place like a hotel, your web browsing traffic is visible to the network operators shown:

Your machine -> wifi network at hotel -> ISP-A -> (internet 1) -> ISP-B -> web site

where:

ISP-A is the ISP of the hotel
(internet 1) represents one or many intermediate networks through which your traffic passes, which can vary from moment to moment
ISP-B is the ISP of the web site

When on a VPN, your web browsing traffic is visible to operators along this path:

Your Machine -> VPN Tunnel -> VPN Network -> (internet 2) -> ISP-B -> web site

where:
VPN Tunnel traffic is visible to you and the VPN operator
VPN network is the network at the VPN provider at which the VPN terminates
(internet 2) is like (internet 1), except there's likely a different set of networks on this path.
the other networks are as defined above.

If you examine the diagram above, a VPN is secure only to the extent that you trust the operator of the VPN Network. I generally trust network operators that I'm paying more than those that I'm getting a free service from, as the latter need to do something to generate revenue.

Orthogonal to the two scenarios above, for web site access you can be sending traffic either via HTTP (plain text) or HTTPS (encrypted). HTTPS traffic is encrypted prior to leaving your machine and is decrypted as it enters the web site. This makes it much more difficult* for network operators to inspect the contents of your traffic than if it is sent via HTTP.
mnvalue wrote:A VPN is signficantly more useful (more or less required) if you want to shield your other web activity from casual snooping. For example, until recently bogleheads.org was HTTP-only, so a VPN would be the only way to protect your bogleheads.org posts (and password for that matter).
A VPN only shields your traffic from some of the network operators on the path between you and a site on the internet. Networks between the VPN provider and the web site still have access to your traffic.

* Note that I'm not saying "impossible" here. That's a whole 'nother discussion.
User avatar
ResearchMed
Posts: 16795
Joined: Fri Dec 26, 2008 10:25 pm

Re: WEP Wifi when travelling

Post by ResearchMed »

smackboy1 wrote:Try this free browser add on: HTTPS Everywhere

https://www.eff.org/Https-everywhere

http://www.zscaler.com/httpseverywhere_ie.php
Okay, I'll bite.

What are these/how do they work?
(and how do they differ from each other?)

Thanks.

RM
This signature is a placebo. You are in the control group.
lack_ey
Posts: 6701
Joined: Wed Nov 19, 2014 10:55 pm

Re: WEP Wifi when travelling

Post by lack_ey »

As far as I can tell that's just a module to enforce https on the sites that actually support https (and plain http).


Personally, a few months ago I started using a VPS (virtual private server) as a personal web proxy via an encrypted SSH tunnel. All web traffic gets routed through there, so everything between my computer and the server is encrypted. For those who are unfamiliar with the structure, it's more or less a virtualized (usually Linux) computer running on a small slice of one server's computing resources sitting in a server farm somewhere. You remotely manage and run this virtual machine yourself, meaning you can run pretty much anything except whatever the provider prohibits (like anything illegal, of course). Most common usage may be for self-managed website hosting. Obviously it costs money, though, albeit in the $15 / year range if needs and traffic aren't great. Like a VPN, everybody sees what's coming out the other side unencrypted, including the service provider, so it's hardly perfect. And like everything else, the link can go down or the server could have issues or whatever else. My server gets secondary usage as backup storage too, for what it's worth.
chaz
Posts: 13604
Joined: Tue Feb 27, 2007 1:44 pm

Re: WEP Wifi when travelling

Post by chaz »

Will open DNS crypt help?
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page
User avatar
Topic Author
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: WEP Wifi when travelling

Post by kwan2 »

somehow, I still don't quite understand.

lets say hypothetically, I use No WEP WIFI connection.

if this connection is 100% VPN, (I trust my VPN provider).


what type of security issue should I be worried about ? if any ?
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
mnvalue
Posts: 1107
Joined: Sun May 05, 2013 2:22 pm

Re: WEP Wifi when travelling

Post by mnvalue »

If you are using a VPN and trust the VPN provider, then just take normal precautions like you would at home. Use HTTPS for financial sites, etc. Don't open attachments from unknown senders. That sort of stuff.
killjoy2012
Posts: 1329
Joined: Wed Sep 26, 2012 5:30 pm

Re: WEP Wifi when travelling

Post by killjoy2012 »

1) Using HTTPS 100% of the time vs. an IPsec VPN provides pretty much equivalent security when working over open or insecure public wifi, as both encryption technologies were designed to work over insecure networks (the Internet).

2) In your use case, the VPN's advantage is that it could encrypt all your traffic over the insecure wifi regardless of whether it's HTTP, HTTPS, instant messaging, email, etc. It also protects you against slip ups, i.e. forgetting to use HTTPS when a site offers both HTTP and HTTPS. Or if you can sleep better knowing that that your network traffic was double encrypted (HTTPS and VPN), so be it. The VPN would also blind the local wifi operator as to what domains (websites) you were going to, whereas with HTTPS they could see where you went -- just no data.

3) VPNs can be more complicated than what is being portrayed in this thread. For example, most VPNs allow for split tunneling - a feature that allows you to define some network traffic to traverse the encrypted VPN tunnel, while letting other traffic work outside of the VPN. You need to know if split tunneling is enabled, and if so, what those rules are. The safest solution is to disable split tunneling all together, but then that can induce some frustration too (ease of use vs. security). For example, with a non-split tunneled VPN established, you wouldn't be able to print to local network printer or access any file shares on the local network. Bottom line - VPN isn't just VPN... you need to know what the configuration is.

4) Whether using a split-tunneled VPN or just HTTPS, either way, your PC is connected to the wireless LAN. As such, any vulnerabilities on your PC that have a network-based attack vector may be exposed. This is why you want a personal firewall that is locked down regardless of whether you're using a VPN or not. A true non-split-tunneled VPN would not have this exposure once the VPN tunnel is established, but you would be vulnerable from the time to connect to wifi... until however long it takes you to bring up the VPN.

5) And as others have said, neither HTTPS or VPN will save you from not following good security practices. e.g. if you click on a phish, you're gonna be owned regardless of using a VPN.

Personal opinion: even if the hotel had WPA2, your WPA2 wifi connected laptop is still going to be network accessible by every other guest in the hotel & the hotel IT staff... so how much did WEP vs WPA2 buy you in that case? If what you're doing is sensitive in any way, you should be using HTTPS regardless (or a VPN). I personally look at WEP/WPA/WPA2 as being more useful in trying to keep random people off of my home wifi (access control) vs. keeping my activity confidential (privacy). The risk of running an open Internet wifi connection IMO is much more on the owner/provider than on the user.
Post Reply