WEP Wifi when travelling
WEP Wifi when travelling
hello, I am going to be staying at a hotel, that uses a common shared password for all their routers, the owners have WEP security only on it. The owners are not willing to upgrade.
If I were to use a VPN, on my laptop, does that provide me with adequate security , (for email ? for any banking ?)
my other choice is to pay $80 /month for my own DSL line, when I'm not really stoked to do.
thx
If I were to use a VPN, on my laptop, does that provide me with adequate security , (for email ? for any banking ?)
my other choice is to pay $80 /month for my own DSL line, when I'm not really stoked to do.
thx
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
-
- Posts: 11647
- Joined: Sat Oct 04, 2008 11:42 am
Re: WEP Wifi when travelling
I don't do any banking on any public wifi network. What about using mobile 3G/4G service or using your cellphone to create a personal hotspot?
Re: WEP Wifi when travelling
Given the way email is transmitted, you should never assume that it's anything but public. For banking, nothing is completely secure, but a VPN is probably as good or better than your home connection. Even https is probably good enough.
Do make sure your firewall is active with no incoming connections allowed. Gibson Research has a good site here where you can test that.
Do make sure your firewall is active with no incoming connections allowed. Gibson Research has a good site here where you can test that.
Re: WEP Wifi when travelling
I agree with the others here - email is not secure, period. Banking over public WiFi should be done, if at all in conjunction with a trusted VPN because of various technical flaws that are cropping up now and then with HTTPS implementations.
Re: WEP Wifi when travelling
thanks for the replies, I'm not technical enough to understand if a VPN over WEP is "secure" , other than to know WPA2 is best, maybe I should not use WEP at all? or
where in the security stack the VPN takes over, and what sniffing software could see, if I was on a VPN, or inject into my computer, if anything. thx again.
where in the security stack the VPN takes over, and what sniffing software could see, if I was on a VPN, or inject into my computer, if anything. thx again.
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
Re: WEP Wifi when travelling
Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.
That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.
In all cases, if you get any certificate warnings, never bypass them.
That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.
In all cases, if you get any certificate warnings, never bypass them.
- Doom&Gloom
- Posts: 5417
- Joined: Thu May 08, 2014 3:36 pm
Re: WEP Wifi when travelling
Thanks for the detailed post. I learned something that I mistakenly thought I already knew.mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.
That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.
In all cases, if you get any certificate warnings, never bypass them.
Re: WEP Wifi when travelling
so using a VPN, like at a starbucks, or a hotel, doesn't increase security?
whether its WEP or WPA2 , etc ?
whether its WEP or WPA2 , etc ?
mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.
That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.
In all cases, if you get any certificate warnings, never bypass them.
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
Re: WEP Wifi when travelling
A VPN will increase security, yes. So, if you want to use a VPN, or can use one for free, by all means, do so. But even if you're going to use a VPN, you should still use HTTPS and SSL/TLS for email. SSL still protects you against attacks or snooping from the operators of your VPN service, as well as the network between your VPN service and your bank or email provider.
Also, the discussion here is about email and banking. So we're talking about a handful of destinations that will all support SSL and, except for email, will already force its use it all the time. A VPN is signficantly more useful (more or less required) if you want to shield your other web activity from casual snooping. For example, until recently bogleheads.org was HTTP-only, so a VPN would be the only way to protect your bogleheads.org posts (and password for that matter).
Also, the discussion here is about email and banking. So we're talking about a handful of destinations that will all support SSL and, except for email, will already force its use it all the time. A VPN is signficantly more useful (more or less required) if you want to shield your other web activity from casual snooping. For example, until recently bogleheads.org was HTTP-only, so a VPN would be the only way to protect your bogleheads.org posts (and password for that matter).
-
- Posts: 4902
- Joined: Sat Oct 25, 2014 3:23 pm
Re: WEP Wifi when travelling
And make sure the login screen itself is using https. Probably true for most banks, but not for all businesses. Take, for example, United Airlines. The login screen itself uses by default http (it works with https, too). Once you are logged in and thus have transmitted your credentials for any listener in clear-text, then it switches to https.mnvalue wrote: That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
If you use VPN, everything your computer sends over the wire (or wifi) is encrypted, whether email or http traffic. The person in the hotel room next door on the same WEP-"encrypted" network will just see gibberish.
- ResearchMed
- Posts: 16795
- Joined: Fri Dec 26, 2008 10:25 pm
Re: WEP Wifi when travelling
Re: "... using your trusted bookmark..."mnvalue wrote:Consider WEP equivalent to no security. Thus, you should assume that everything you transmit or receive can be intercepted and/or modified. However, you should always be making that assumption when using the Internet, even from home. Getting back to the hotel case, look at it this way... if you were plugged in with a wired connection at the hotel, there'd be no WEP or WPA2 involved. Sure it'd be more secure, but it's not secure.
That's why you use HTTPS to connect to banking websites. Make sure that your bank sites are bookmarked using https://, not http://, and only use those bookmarks to access the site. Otherwise, for example, if you go to http://vanguard.com, someone could replace that with a redirect to https://vanguard.evilsite.com that looks just like vanguard.com, but steals your password. If you make the initial connection using your trusted bookmark that uses https://, you're fine.
Likewise, as far as email goes, you should ensure that your mail client is setup to use SSL or TLS for both incoming and outgoing connections (on all accounts, if you have more than one account). Or, use webmail over https (just like the banking sites). Then, it too is protected. If your email provider doesn't support SSL or TLS, find a new provider.
In all cases, if you get any certificate warnings, never bypass them.
Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.)
I get it - definitely! - about not clicking on odd or otherwise "inviting" links in email or elsewhere, but typing directly?
Added: Or typing and allowing autocomplete, and YES, looking at it to make sure it's right.
Thanks.
RM
This signature is a placebo. You are in the control group.
Re: WEP Wifi when travelling
The issue is a vulnerability that may be present when you depend on a site to automatically redirect you to https after you type http. Flavors of the vulnerability have shown up and been patched multiple times in the past, so people are wary that the problem will crop up again. The key is to type in https from the start and don't depend on the site to automatically switch you from http to https.ResearchMed wrote:Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.
A bookmark that uses https does this automatically and also eliminates the risk of a typo.
- ResearchMed
- Posts: 16795
- Joined: Fri Dec 26, 2008 10:25 pm
Re: WEP Wifi when travelling
Thanks.magellan wrote:The issue is a vulnerability that may be present when you depend on a site to automatically redirect you to https after you type http. Flavors of the vulnerability have shown up and been patched multiple times in the past, so people are wary that the problem will crop up again. The key is to type in https from the start and don't depend on the site to automatically switch you from http to https.ResearchMed wrote:Is there a reason this is better than typing in the website address?
(Big assumption here, obviously, is that one wouldn't erroneously type ".net" or such instead of ".com" and get the [evil] wrong website. But assuming this doesn't happen, such as when something has been typed so often that muscle memory or such is doing the same thing every time, and one is not uncertain about the website address.
A bookmark that uses https does this automatically and also eliminates the risk of a typo.
Is there any potential harm from erring by typing https:// instead of http:// for a site that isn't ordinarily https:// ?
I take it that the shortcut typing of just "<websitename>.com" is NOT safe for the reason you mentioned.
RM
This signature is a placebo. You are in the control group.
Re: WEP Wifi when travelling
It's more that they protect different things. I'll explain as best I can, and perhaps someone else can correct any mistakes. Information almost never travels directly anywhere on the internet: instead it moves in a series of hops, and any one of those hops is potentially a problem. You can get some idea of how this works by running the traceroute command (on Windows, use tracert). This should show you something like this:kwan2 wrote:so using a VPN, like at a starbucks, or a hotel, doesn't increase security?
whether its WEP or WPA2 , etc ?
Code: Select all
telemark@fit3 ~ $ traceroute bogleheads.org
traceroute to bogleheads.org (71.251.199.162), 30 hops max, 60 byte packets
1 unsecure.wifi.somehotel.com (192.168.0.1) 0.405 ms 0.464 ms 0.552 ms
2 xyzzy.yzzyx.com (101.102.103.105) 0.415 ms 0.423 ms 0.419 ms
3 br3.core.some-isp.net (161.33.4.7) 0.377 ms 0.376 ms 0.369 ms
4 ip12-34-56.z789.customer.borge.net (56.46.36.26) 0.864 ms 0.863 ms 1.048 ms
5 vb1611.rar3.paris-tx.us.xo.net (131.56.0.5) 36.089 ms 17.849 ms 21.901 ms
6 207.88.41.226.ptr.us.xo.net (207.88.41.226) 17.486 ms 17.404 ms 17.386 ms
7 206.121.66.132.ptr.us.xo.net (206.121.56.132) 17.526 ms 17.525 ms 17.520 ms
8 * * *
9 static-71-251-199-162.nwrknj.fios.verizon.net (71.251.199.162) 73.134 ms !X 73.041 ms !X 75.576 ms !X
A VPN encrypts all data travelling from your computer to some intermediate point: people on the local net can still see your data but they can't decipher it. If you have a VPN set up with borge.net, it would encrypt the data through the first four hops. This is a good thing and it makes you safer, but the data still has to travel the rest of the way and there's a small but non-zero chance that someone is listening somewhere along there.
Https gives you encryption all the way from your computer to the destination, but as Ged already noted, there have been recent vulnerabilities in some implementations and there's always the possibility of others we don't know about. And it appears that VPNs aren't always safe either. So there's no answer that's always going to be completely right. You have to decide how important your data is and how much trouble you want to go to to protect it. WPA2 + VPN + https is probably strongest, but it's hard to say by how much.
Re: WEP Wifi when travelling
Try this free browser add on: HTTPS Everywhere
https://www.eff.org/Https-everywhere
http://www.zscaler.com/httpseverywhere_ie.php
https://www.eff.org/Https-everywhere
http://www.zscaler.com/httpseverywhere_ie.php
Disclaimer: nothing written here should be taken as legal advice, but I did stay at a Holiday Inn Express last night.
Re: WEP Wifi when travelling
Here's how I try to explain the same thing that telemark is explaining.mnvalue wrote:A VPN will increase security, yes.
When connected via wifi at some place like a hotel, your web browsing traffic is visible to the network operators shown:
Your machine -> wifi network at hotel -> ISP-A -> (internet 1) -> ISP-B -> web site
where:
ISP-A is the ISP of the hotel
(internet 1) represents one or many intermediate networks through which your traffic passes, which can vary from moment to moment
ISP-B is the ISP of the web site
When on a VPN, your web browsing traffic is visible to operators along this path:
Your Machine -> VPN Tunnel -> VPN Network -> (internet 2) -> ISP-B -> web site
where:
VPN Tunnel traffic is visible to you and the VPN operator
VPN network is the network at the VPN provider at which the VPN terminates
(internet 2) is like (internet 1), except there's likely a different set of networks on this path.
the other networks are as defined above.
If you examine the diagram above, a VPN is secure only to the extent that you trust the operator of the VPN Network. I generally trust network operators that I'm paying more than those that I'm getting a free service from, as the latter need to do something to generate revenue.
Orthogonal to the two scenarios above, for web site access you can be sending traffic either via HTTP (plain text) or HTTPS (encrypted). HTTPS traffic is encrypted prior to leaving your machine and is decrypted as it enters the web site. This makes it much more difficult* for network operators to inspect the contents of your traffic than if it is sent via HTTP.
A VPN only shields your traffic from some of the network operators on the path between you and a site on the internet. Networks between the VPN provider and the web site still have access to your traffic.mnvalue wrote:A VPN is signficantly more useful (more or less required) if you want to shield your other web activity from casual snooping. For example, until recently bogleheads.org was HTTP-only, so a VPN would be the only way to protect your bogleheads.org posts (and password for that matter).
* Note that I'm not saying "impossible" here. That's a whole 'nother discussion.
- ResearchMed
- Posts: 16795
- Joined: Fri Dec 26, 2008 10:25 pm
Re: WEP Wifi when travelling
Okay, I'll bite.smackboy1 wrote:Try this free browser add on: HTTPS Everywhere
https://www.eff.org/Https-everywhere
http://www.zscaler.com/httpseverywhere_ie.php
What are these/how do they work?
(and how do they differ from each other?)
Thanks.
RM
This signature is a placebo. You are in the control group.
Re: WEP Wifi when travelling
As far as I can tell that's just a module to enforce https on the sites that actually support https (and plain http).
Personally, a few months ago I started using a VPS (virtual private server) as a personal web proxy via an encrypted SSH tunnel. All web traffic gets routed through there, so everything between my computer and the server is encrypted. For those who are unfamiliar with the structure, it's more or less a virtualized (usually Linux) computer running on a small slice of one server's computing resources sitting in a server farm somewhere. You remotely manage and run this virtual machine yourself, meaning you can run pretty much anything except whatever the provider prohibits (like anything illegal, of course). Most common usage may be for self-managed website hosting. Obviously it costs money, though, albeit in the $15 / year range if needs and traffic aren't great. Like a VPN, everybody sees what's coming out the other side unencrypted, including the service provider, so it's hardly perfect. And like everything else, the link can go down or the server could have issues or whatever else. My server gets secondary usage as backup storage too, for what it's worth.
Personally, a few months ago I started using a VPS (virtual private server) as a personal web proxy via an encrypted SSH tunnel. All web traffic gets routed through there, so everything between my computer and the server is encrypted. For those who are unfamiliar with the structure, it's more or less a virtualized (usually Linux) computer running on a small slice of one server's computing resources sitting in a server farm somewhere. You remotely manage and run this virtual machine yourself, meaning you can run pretty much anything except whatever the provider prohibits (like anything illegal, of course). Most common usage may be for self-managed website hosting. Obviously it costs money, though, albeit in the $15 / year range if needs and traffic aren't great. Like a VPN, everybody sees what's coming out the other side unencrypted, including the service provider, so it's hardly perfect. And like everything else, the link can go down or the server could have issues or whatever else. My server gets secondary usage as backup storage too, for what it's worth.
Re: WEP Wifi when travelling
Will open DNS crypt help?
Chaz |
|
“Money is better than poverty, if only for financial reasons." Woody Allen |
|
http://www.bogleheads.org/wiki/index.php/Main_Page
Re: WEP Wifi when travelling
somehow, I still don't quite understand.
lets say hypothetically, I use No WEP WIFI connection.
if this connection is 100% VPN, (I trust my VPN provider).
what type of security issue should I be worried about ? if any ?
lets say hypothetically, I use No WEP WIFI connection.
if this connection is 100% VPN, (I trust my VPN provider).
what type of security issue should I be worried about ? if any ?
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
Re: WEP Wifi when travelling
If you are using a VPN and trust the VPN provider, then just take normal precautions like you would at home. Use HTTPS for financial sites, etc. Don't open attachments from unknown senders. That sort of stuff.
-
- Posts: 1329
- Joined: Wed Sep 26, 2012 5:30 pm
Re: WEP Wifi when travelling
1) Using HTTPS 100% of the time vs. an IPsec VPN provides pretty much equivalent security when working over open or insecure public wifi, as both encryption technologies were designed to work over insecure networks (the Internet).
2) In your use case, the VPN's advantage is that it could encrypt all your traffic over the insecure wifi regardless of whether it's HTTP, HTTPS, instant messaging, email, etc. It also protects you against slip ups, i.e. forgetting to use HTTPS when a site offers both HTTP and HTTPS. Or if you can sleep better knowing that that your network traffic was double encrypted (HTTPS and VPN), so be it. The VPN would also blind the local wifi operator as to what domains (websites) you were going to, whereas with HTTPS they could see where you went -- just no data.
3) VPNs can be more complicated than what is being portrayed in this thread. For example, most VPNs allow for split tunneling - a feature that allows you to define some network traffic to traverse the encrypted VPN tunnel, while letting other traffic work outside of the VPN. You need to know if split tunneling is enabled, and if so, what those rules are. The safest solution is to disable split tunneling all together, but then that can induce some frustration too (ease of use vs. security). For example, with a non-split tunneled VPN established, you wouldn't be able to print to local network printer or access any file shares on the local network. Bottom line - VPN isn't just VPN... you need to know what the configuration is.
4) Whether using a split-tunneled VPN or just HTTPS, either way, your PC is connected to the wireless LAN. As such, any vulnerabilities on your PC that have a network-based attack vector may be exposed. This is why you want a personal firewall that is locked down regardless of whether you're using a VPN or not. A true non-split-tunneled VPN would not have this exposure once the VPN tunnel is established, but you would be vulnerable from the time to connect to wifi... until however long it takes you to bring up the VPN.
5) And as others have said, neither HTTPS or VPN will save you from not following good security practices. e.g. if you click on a phish, you're gonna be owned regardless of using a VPN.
Personal opinion: even if the hotel had WPA2, your WPA2 wifi connected laptop is still going to be network accessible by every other guest in the hotel & the hotel IT staff... so how much did WEP vs WPA2 buy you in that case? If what you're doing is sensitive in any way, you should be using HTTPS regardless (or a VPN). I personally look at WEP/WPA/WPA2 as being more useful in trying to keep random people off of my home wifi (access control) vs. keeping my activity confidential (privacy). The risk of running an open Internet wifi connection IMO is much more on the owner/provider than on the user.
2) In your use case, the VPN's advantage is that it could encrypt all your traffic over the insecure wifi regardless of whether it's HTTP, HTTPS, instant messaging, email, etc. It also protects you against slip ups, i.e. forgetting to use HTTPS when a site offers both HTTP and HTTPS. Or if you can sleep better knowing that that your network traffic was double encrypted (HTTPS and VPN), so be it. The VPN would also blind the local wifi operator as to what domains (websites) you were going to, whereas with HTTPS they could see where you went -- just no data.
3) VPNs can be more complicated than what is being portrayed in this thread. For example, most VPNs allow for split tunneling - a feature that allows you to define some network traffic to traverse the encrypted VPN tunnel, while letting other traffic work outside of the VPN. You need to know if split tunneling is enabled, and if so, what those rules are. The safest solution is to disable split tunneling all together, but then that can induce some frustration too (ease of use vs. security). For example, with a non-split tunneled VPN established, you wouldn't be able to print to local network printer or access any file shares on the local network. Bottom line - VPN isn't just VPN... you need to know what the configuration is.
4) Whether using a split-tunneled VPN or just HTTPS, either way, your PC is connected to the wireless LAN. As such, any vulnerabilities on your PC that have a network-based attack vector may be exposed. This is why you want a personal firewall that is locked down regardless of whether you're using a VPN or not. A true non-split-tunneled VPN would not have this exposure once the VPN tunnel is established, but you would be vulnerable from the time to connect to wifi... until however long it takes you to bring up the VPN.
5) And as others have said, neither HTTPS or VPN will save you from not following good security practices. e.g. if you click on a phish, you're gonna be owned regardless of using a VPN.
Personal opinion: even if the hotel had WPA2, your WPA2 wifi connected laptop is still going to be network accessible by every other guest in the hotel & the hotel IT staff... so how much did WEP vs WPA2 buy you in that case? If what you're doing is sensitive in any way, you should be using HTTPS regardless (or a VPN). I personally look at WEP/WPA/WPA2 as being more useful in trying to keep random people off of my home wifi (access control) vs. keeping my activity confidential (privacy). The risk of running an open Internet wifi connection IMO is much more on the owner/provider than on the user.