Hackerspaces and VPNs?


Edward L Platt

Oct 16, 2017, 5:18:59 PM
to Hackerspaces General Discussion List, i3detroi...@googlegroups.com, aha...@googlegroups.com
Given the WPA2 vulnerability released today and the continuing erosion of privacy regulations in the US, I'm wondering if any hackerspaces are thinking about providing VPNs for their members. Seems like it might be a good fit.

-Ed

--
Edward L. Platt
https://elplatt.com | @elplatt | elp...@octodon.social

Tips for stopping email overload: https://hbr.org/2012/02/stop-email-overload-1

Roger S

Oct 16, 2017, 5:37:52 PM
to i3Detroit
When you use HTTPS in your browser, isn't the data encrypted (by the browser) prior to being encrypted by WPA2?


Roger S

Oct 16, 2017, 5:43:44 PM
to i3Detroit
Here's an interesting answer to that question from security.stackexchange.com
"

A session which is entirely over HTTPS is fairly safe, as all requests from the browser, and pages transmitted by the server are encrypted.

However, when accessed via HTTPS, many sites will only carry out the authentication step over HTTPS, and then drop back to HTTP for the rest of the session. So, your password itself is safe, but the session ID used by the server to identify you for that session is transmitted in the clear by your browser. This reduces the load on the webserver (because encryption/decryption is CPU-intensive) but makes the site much less secure. Gmail is safe because it uses HTTPS for the whole session, but Facebook and many other sites do not.

This is how tools such as Firesheep are able to hijack users' accounts when an attacker is sharing an unencrypted wireless network.

"
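
The exposure described in the quoted answer (login over HTTPS, session ID later sent in the clear) can be checked from the server's response headers. The following is an added example, not part of the thread: the function names and the sample header values are constructed for illustration.

```python
# Added example: audit headers from an HTTPS response for settings that let
# a session ID travel over plain HTTP. All header values are constructed.

def parse_set_cookie(value):
    """Return (name, attrs); attrs maps lowercase attribute name -> value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or malformed."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age" and v.strip('"').isdigit():
                return int(v.strip('"'))
    return 0

def audit(headers):
    """headers: list of (name, value) pairs from a response served over HTTPS."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser attaches the cookie to http:// requests.
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure")
    # Without HSTS, a later http:// link or redirect is followed unencrypted.
    if hsts_max_age(headers) == 0:
        findings.append("no usable Strict-Transport-Security header")
    return findings

# Constructed sample: HTTPS login, but the session cookie is not marked Secure.
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Content-Type", "text/html")]
# Constructed sample: same site with the cookie and transport policy fixed.
HARDENED = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or "ok")
```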

Andrew Meyer

Oct 17, 2017, 7:42:06 AM
to i3detroi...@googlegroups.com
In answer to Roger's question, while many sites do this by default, using a plug-in like HTTPS Everywhere from the EFF forces most sites to stay on HTTPS for the whole session. No guarantees about third-party content, of course.

It is not a terrible idea to start running a VPN service. 

Edward L Platt

Oct 17, 2017, 10:24:08 AM
to i3 Detroit Public
Wow. I hadn't realized sites weren't using https for the entire session. That is terrifying. Installing https everywhere now.