Secure Public Wifi Browsing / CyberCafes


Nick Reese

Dec 4, 2010, 1:01:29 PM
to the technomads
Hey all, I wanted to know what you all had up your sleeves with regard
to internet security.

Living the technomad lifestyle I think it is something that needs to
be addressed.

Yesterday there was an awesome discussion on Hacker News on using
Amazon's EC2 service to set up an inexpensive VPN.

http://news.ycombinator.com/item?id=1966021

While that discussion is pretty advanced it does seem like a brilliant
idea to use OpenVPN to secure all your internet traffic from prying
eyes.

Along the same lines there are also several VPN providers that look
trustworthy.

I am currently leaning towards VyprVpn as it is flat rate for
unlimited. $19.99/mo.

https://www.goldenfrog.com/vyprvpn/vpn-service-provider

What do you use to protect yourselves?

Jack Bennett

Dec 4, 2010, 3:26:49 PM
to techn...@googlegroups.com
On Sat, Dec 4, 2010 at 1:01 PM, Nick Reese <mrnic...@gmail.com> wrote:
> Hey all, I wanted to know what you all had up your sleeves with regard
> to internet security.

Is your usage of VPN a response to the recent release of Firesheep,
and the relative lack of built-in SSL security on sites like Facebook?

I ask because it's likely that while technically savvy audiences may
know about this, not everyone even knows that there's a potential
problem for those who use open wifi networks.

Thanks for the tips re: possible VPN services - it's been on my radar
as a situation to get handled in the near future :)

Best wishes,
Jack

--
jack bennett | ja...@thirtytwothousanddays.com
Get my personal growth tips at: http://thirtytwothousanddays.com/blog/feed/
Follow me on twitter at: http://twitter.com/32000days

Leonard Lin

Dec 4, 2010, 4:03:45 PM
to techn...@googlegroups.com
This is mentioned in the thread, but when on insecure wifi, usually I
use SOCKS proxying via SSH over a VPN.

There are a few reasons for that:
* Less brittle connection, the SSH tunnel will be maintained even when
there are extended connection problems
* More secure: when the tunnel is broken, it will stop sending data, vs
most VPN clients, which will simply send your data unencrypted if the
tunnel goes down
* Access to the local network: a VPN disables bonjour and other local
net resources whereas using a SOCKS proxy doesn't

If you're on a Mac, setting up using a SOCKS proxy is simple. Simply
create a 'Network Location' in the Network System Preferences and change
the Wifi to using a SOCKS proxy (localhost 1080). When you switch your
network location you will globally switch most Mac apps to require a
proxy (works w/ web browsers, Adium, Thunderbird, anything that respects
system level proxy settings)

And then using a tool or terminal, you can initialize the proxy tunnel
like so (alias as preferred):

ssh -N -p 22 -c 3des -D 1080 [ssh account/server]

I wrote a little doc on this a few years ago:
http://randomfoo.net/blog/id/3908

Nick Taylor

Dec 4, 2010, 4:04:10 PM
to techn...@googlegroups.com

> What do you use to protect yourselves?

I've started using Perfect Privacy - OpenVPN.

I'm using it under Ubuntu - which doesn't (I don't think) have the
simple setup that Windows has, so needed to get the Perfect Privacy
people to help me set it up. They also offered PPTP - an alternative to
OpenVPN... which is (apparently) easier to set up, but slightly less
secure (still more than enough for casual use though)

It's marginally slower than a naked connection, but this is more than
compensated for by the way I can simply route around messages that say
"not available in your territory" - and added peace of mind that I'm not
being spied on. It's slower, but I can still stream videos - and here in
NZ, that was always an iffy proposition to start with.

I chose Perfect Privacy because it's run by activists etc - which seemed
to me a little more trustworthy than a company that could quite easily
be bought by another company etc etc.

Nick


Brink of Complexity

Dec 4, 2010, 6:54:28 PM
to techn...@googlegroups.com
Great info, Leonard :)

Eric and I also use SSH tunnels for security.  The port is configurable by the -D flag that you send to the ssh command, and the other flags listed are optional.

So, I usually initiate my proxy-able SSH session with only that flag, and leave off the others:

ssh -D 3344 lo...@host.tld.

sshd runs on port 22 by default, so unless you've configured the remote server you're tunnelling through to use something else, you don't need the -p.

The -N means "no command". If you leave that off, you'll get an ordinary ssh shell.  I usually want one anyway, both for working with data (and IRC screening) on the server I'm tunnelling through, and to clearly see when/if the connection drops.

The -c 3des flag is completely unnecessary, since 3des is the default encryption type for ssh protocol version 1, and you'll probably be connecting with version 2 anyway.  The default for version 2, without this flag is, in order of attempted use: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.

Eric advises using FoxyProxy Firefox add-on to enable the SOCKS proxy for browser sessions once the tunnel is open, both because it works across platforms, and because it has an option to perform DNS lookups on the remote end of the tunnel, thus securing against DNS-leakage-pwning (after any initial DNS request that might be required to open your tunnel in the first place, anyway).

- Brink


Brink of Complexity

Dec 4, 2010, 7:09:49 PM
to techn...@googlegroups.com
For US travel, Eric and I have been carrying with us a mobile 4G hotspot from Clear, eliminating quite a lot of our need to use cafe wifi in most cities and some towns.  The Clear network has been popping up brilliantly and quickly across the US, and I expect their coverage to be near-total by the end of next year.  The mobile 4G service is offered for about $40/mo.  Clear also offers nationwide 3G hotspots, which do 4G when available and 3G otherwise... but of course, we can just start a hotspot on a phone for that (slow, and can't use the phone as a phone at the same time). 

Running our own hotspot allows us to completely control our own network, so we use it even when other networks are available.


- Brink
