Wi-Fi networks that you set up and control, be they at home or in a small business, start with an assumed-safe group of users. The main security objectives, which I wrote about last time, are twofold: encrypting data traveling over the air and keeping outsiders out.
On a public wireless network you still need to encrypt the data going into and out of your computer, but the solutions are very different. On top of this, public networks add new threats, because you are now sharing a network with total strangers rather than a trusted group.
No fuss. No muss.
Public networks typically don't use WPA or WPA2 at all, so nothing traveling over the air is encrypted unless you encrypt it yourself.
The simplest solution is to use secure HTTPS web pages. For example, when I'm traveling for short periods of time, I use secure webmail for my email rather than Thunderbird, my preferred email software.
However, some webmail systems only encrypt the page where you enter your user ID and password. They do not encrypt the pages where you read and write messages.
Yahoo falls into this category. Both their free "classic" and "new" webmail systems send email to you unencrypted.
Even Yahoo's Mail Plus system doesn't encrypt all webmail pages.
Gmail swings both ways. By default it encrypts only the login page, but there is an option (Settings -> Browser Connection) to encrypt all webmail pages. Earthlink customers are fortunate: their webmail system serves all pages over HTTPS.
One problem with secure web pages is recognizing them. Only techies are constantly attuned to HTTP vs. HTTPS. Firefox users can force the browser to display a green address bar on all secure pages, making them much more visually obvious.
But most web pages are not secure, no doubt including some that you would prefer everyone couldn't tell you were viewing.
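As an added example (mine, not from the original article), here is a small Python audit that makes the partial-encryption problem concrete. Given a login page's Set-Cookie headers and HTML, it reports the two things an eavesdropper on the shared network cares about: cookies set without the Secure attribute, which the browser will also send on any plain http:// request, and links, form actions or resources that point back to plain HTTP. The host names, cookie values and page content below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class TargetCollector(HTMLParser):
    """Gathers every URL the page would make the browser follow or fetch."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.targets.append((tag, value))


def plaintext_targets(page_url, html):
    """Return (tag, absolute_url) for every link, form or resource served over http://."""
    collector = TargetCollector()
    collector.feed(html)
    found = []
    for tag, value in collector.targets:
        absolute = urljoin(page_url, value)  # resolves relative and scheme-relative URLs
        if urlsplit(absolute).scheme == "http":
            found.append((tag, absolute))
    return found


def cookies_without_secure(set_cookie_headers):
    """Names of cookies the browser will also send over plain HTTP (no Secure attribute)."""
    leaky = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attributes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attributes:
            leaky.append(name)
    return leaky


def audit_login_page(page_url, set_cookie_headers, html):
    """Combine both checks: what leaves the HTTPS login page for the clear."""
    return {
        "insecure_cookies": cookies_without_secure(set_cookie_headers),
        "plaintext_targets": plaintext_targets(page_url, html),
    }


# Constructed sample: an HTTPS login page that hands out a session cookie without
# the Secure flag and then sends the user on to an unencrypted inbox.
SAMPLE_URL = "https://mail.example.test/login"
SAMPLE_SET_COOKIE = [
    "session=0badc0ffee; Path=/; HttpOnly",   # no Secure: rides along on http:// pages
    "prefs=en; Path=/; Secure; HttpOnly",     # fine: only ever sent over HTTPS
]
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<a href="http://mail.example.test/inbox">Go to inbox</a>
<img src="//static.example.test/logo.png">
<a href="/settings">Settings</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_login_page(SAMPLE_URL, SAMPLE_SET_COOKIE, SAMPLE_HTML)
    for name in report["insecure_cookies"]:
        print(f"cookie {name!r} has no Secure attribute; it will be sent on plain HTTP")
    for tag, url in report["plaintext_targets"]:
        print(f"<{tag}> points to unencrypted {url}")
```

The second finding is the one that matters most: a session cookie without Secure is the webmail login itself, replayable by anyone on the hotspot who captures a single plain-HTTP request from you.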
And the Internet is much more than just web pages. How can you encrypt everything on a public wireless network?
Answer: a Virtual Private Network (a.k.a. VPN).
Virtual Private Networks
What WPA and WPA2 give you on your home network, a VPN gives you on a public network, encrypting everything coming into and out of your computer. I suspect there are millions of computer users that could and should be using a VPN but aren't aware of it as an option.
VPNs are often couched in brutally obscure techie lingo. In part this is because their market has always been networking techies at large companies.
But no longer. Newer types of VPNs are simpler to employ and are available to a newer audience: you and me.
The classic VPN linked the network in one corporate office to another. Perhaps the most common use of VPNs is for traveling employees to make a secure link back to their home office.
But there is another type of VPN for people who are not employed by large companies and/or who don't have a home office network they need to connect with.
For lack of a better term, I'll refer to them as consumer VPNs.
A corporate or business VPN treats the entire Internet as the enemy and encrypts everything between the traveling employee and the home office. A consumer VPN only treats the immediate area (typically a public wireless network) as the enemy. That is, the goal of a consumer VPN is to offer the same level of security you would have at home by using a wired Internet connection.
Thus, a consumer VPN encrypts everything between you and the servers of the company offering the VPN service. Once data reaches the VPN company's servers it is decrypted and sent on across the Internet in whatever form you originally sent it. In other words, a consumer VPN moves your trust from the local network to the VPN provider: the provider, and everyone between the provider and the site you are talking to, can read anything that is not separately encrypted (with HTTPS, for instance).
To illustrate, assume that you are in Boston using a VPN service from a company in Virginia and listening to a radio station streaming from California (again, a VPN encrypts all traffic, including streaming audio). Data coming into your computer travels unencrypted from California to Virginia. The VPN company then encrypts the data (your favorite radio station) and sends it from Virginia to you in Boston. Software on your computer then decrypts the data.
The goal here is that the network you are connected to in Boston, be it a public Wi-Fi network or perhaps a wired network in a hotel, only sees encrypted data. All anyone in Boston can tell is that you are exchanging encrypted traffic with a server in Virginia; no one there has any idea what you are doing on the Internet. (That's a good thing if you're a fan of the Los Angeles Angels of Anaheim.)
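An added example (mine, not from the article or from any VPN vendor) of the check a practitioner does right after connecting: confirm that the default route really goes through the tunnel, so that nothing slips onto the hotel network in the clear. It parses Linux `ip route show` output and accepts either a default route on the tunnel or the pair of /1 routes that OpenVPN's redirect-gateway option installs to out-rank the physical default route. The interface names, addresses and VPN server address below are constructed.

```python
import ipaddress


def parse_routes(route_text):
    """Parse `ip route show` lines into dicts: network, interface, and whether it is a
    directly attached (scope link) subnet."""
    routes = []
    for line in route_text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        iface = fields[fields.index("dev") + 1] if "dev" in fields else None
        link = "scope" in fields and fields[fields.index("scope") + 1] == "link"
        routes.append({"net": ipaddress.ip_network(dest, strict=False),
                       "iface": iface, "link": link})
    return routes


def tunnel_carries_all_traffic(route_text, tun_iface, vpn_server_ip):
    """Return (ok, problems); ok is True when every Internet-bound packet uses tun_iface.

    Routes that bypass the tunnel are allowed only for directly attached subnets
    (needed to reach the access point) and for the host route to the VPN server,
    which must leave through the physical interface or the tunnel cannot exist.
    """
    routes = parse_routes(route_text)
    server = ipaddress.ip_address(vpn_server_ip)
    tunnel_nets = {str(r["net"]) for r in routes if r["iface"] == tun_iface}
    covered = "0.0.0.0/0" in tunnel_nets or {"0.0.0.0/1", "128.0.0.0/1"} <= tunnel_nets

    problems = []
    if not covered:
        problems.append(f"no catch-all route via {tun_iface}: Internet traffic follows the physical default route")
    for r in routes:
        net, iface = r["net"], r["iface"]
        if iface == tun_iface or r["link"]:
            continue
        if net.prefixlen == 0:
            if "0.0.0.0/0" in tunnel_nets:
                problems.append(f"two default routes ({tun_iface} and {iface}); the metrics decide, check them")
            continue  # otherwise shadowed by the more specific /1 pair on the tunnel
        if net.prefixlen == 32 and net.network_address == server:
            continue  # host route to the VPN endpoint itself
        problems.append(f"{net} via {iface} bypasses {tun_iface}")
    return not problems, problems


# Constructed routing tables. The first is what OpenVPN's redirect-gateway leaves
# behind; the second is a tunnel that is up but not carrying the default route,
# plus a split route that sends one network around it.
ROUTES_OK = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_LEAKY = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/12 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for label, table in (("good", ROUTES_OK), ("leaky", ROUTES_LEAKY)):
        ok, problems = tunnel_carries_all_traffic(table, "tun0", "203.0.113.10")
        print(label, "OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

On a real machine feed it the output of `ip route show` together with the tunnel interface name and the server address from your VPN client's log; the same idea applies on Windows with `route print`, though the text format differs.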
The consumer VPN company that I have used and feel comfortable recommending is Witopia. They offer both SSL- and PPTP-based VPNs and do a reasonably good job of explaining the difference between the two. Each is offered on a yearly basis, and they stand behind their products with a 30-day money-back guarantee.
The VPN service that Leo Laporte and security expert Steve Gibson like is HotSpotVPN. They also offer a PPTP-based VPN (HotSpotVPN-1) and an SSL-based one (HotSpotVPN-2). Both services are sold by the day, week, month or year. Whichever provider you pick, prefer the SSL option: PPTP's MS-CHAPv2 authentication has since been shown to be breakable, so a PPTP tunnel on a hostile network does not deliver the protection described above.
Another issue when sharing a computer network with strangers is keeping them out of your computer.
The first line of defense here is a firewall program running on your computer. For an introduction to firewalls, see my previous article, an Introduction to Firewalls.
A firewall program is basically a set of rules about what data is allowed in and, with better firewalls, what data is allowed out.
On a shared network the issue is incoming data. A good firewall should block all unsolicited incoming connections, that is, anything that is not a reply to a request your own computer made.
Does your firewall program do this?
Unfortunately, this can be a very hard question to answer. Configuring a firewall, even for someone familiar with the basic concepts, can be maddening.
Perhaps the best user interface I've seen for configuring the firewall rules is the firewall in Windows XP. As a firewall, it's lightweight but it's good enough for many people. Older versions of ZoneAlarm also had an easy to understand user interface.
Rather than try to fight this fight, I suggest running a test. At his grc.com website, Steve Gibson offers a firewall testing service he calls ShieldsUP!.
To understand the test, you need to know that it probes "ports," which can be thought of as numbered lines of communication into your computer. They are logical, not physical. An open port is bad: a program on your computer is accepting connections there, and it is a potential hole through which bad guys may be able to get in.
A closed port is good: nothing is listening, but your computer still answers the probe with a rejection, which at least confirms that it is there. A stealthed port is best: the firewall drops the probe without any reply, so the scanner cannot even tell that a computer exists at that address.
For ShieldsUP! to be a valid test, however, the computer being tested needs to be directly connected to the Internet. If the computer sits behind a router, then ShieldsUP! is testing the router's firewall rather than the firewall program on your computer. Keep in mind, too, that ShieldsUP! probes you from the Internet, while the strangers you worry about on a public Wi-Fi network are on the same local network as you, on the near side of the hotspot's router. The firewall program on your computer is the only thing between them and your open ports, which is exactly why it, and not just the router, has to be tested.
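Added example, mine and not from the article or from GRC: a Python probe that applies the same open/closed/stealth vocabulary from a second machine on the same Wi-Fi, which is the vantage point that matters on a public network and the one ShieldsUP! cannot take. Run it from another laptop on the hotspot with your own wireless address as the target. The port list is a reasonable default for a Windows machine (RPC, NetBIOS, SMB, Remote Desktop) and is an assumption; the helper at the end only exists so the probe can be exercised against the local machine without a network.

```python
import socket

# TCP ports that commonly expose Windows file sharing and remote access (assumed
# defaults; adjust to taste).
DEFAULT_PORTS = (135, 139, 445, 3389)


def probe(host, port, timeout=2.0):
    """Classify one TCP port the way ShieldsUP! reports it.

    open     - the connection completed: something is listening and reachable
    closed   - the host answered with a reset: nothing listens there, but the
               host did announce its presence
    stealth  - no answer before the timeout: a firewall silently dropped the
               probe, so the host gives nothing away
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:  # e.g. network or host unreachable: not a firewall verdict
        return f"unreachable ({exc.strerror})"
    finally:
        sock.close()


def scan(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Return {port: verdict} for every port in the list."""
    return {port: probe(host, port, timeout) for port in ports}


def open_local_listener():
    """Start a throwaway listener on 127.0.0.1 so probe() can be tried offline.
    Returns (socket, port); closing the socket turns 'open' into 'closed'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free one
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Target: your own laptop's Wi-Fi address as seen from the other machine;
    # defaults to the local machine so the script does something when run alone.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in scan(target).items():
        print(f"{target}:{port:<5} {verdict}")
```

A result of "stealth" on every port from a machine on the same hotspot is what you are after; "closed" means the firewall is answering on your behalf rather than dropping, and "open" on 139 or 445 means file sharing is reachable by every stranger on the network.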
One of the bad things that can happen as a result of a hole in the firewall is that bad guys on the shared Wi-Fi network can see and copy files on your computer.
As a second line of defense, consider disabling the file sharing feature in your operating system. For example, Windows XP users can bring up the properties of their wireless network connection from the Network Connections icon in the Control Panel. There is a checkbox for "File and Printer Sharing for Microsoft Networks." Turning this off provides another hurdle for the bad guys to get through.
If you never share files or printers on a network, then you can disable the underlying services in Windows. However, this prevents file sharing on wired networks and may be a pain to debug when a year or two down the road you want to start sharing files or printers.
Who Are You? (The Fake Name)
My last piece of advice concerns the names of wireless networks.
Anyone setting up a wireless network can name it anything they like. Thus, if you find yourself in a Barnes and Noble store and want to use their free Wi-Fi, is their network called "bnwifi," "bnwireless," "barnesnoble" or "free public wifi"?
The only way to know is to ask someone who works for the store. Don't make any assumption about a wireless network based on its name. The last choice, "free public wifi," is infamous for not being what the name implies.
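Added example, not from the article: a small Python check over a scan of nearby networks that applies the rule above mechanically before you click. It flags ad-hoc (peer-to-peer) networks, where "joining" means connecting to another laptop rather than an access point, as the infamous "free public wifi" usually was; open networks, which use no encryption at all; and one name advertised with different security settings by different access points, the signature of someone imitating a legitimate network. The scan records are constructed; on a real machine the same fields come from `netsh wlan show networks mode=bssid` on Windows or `iw dev wlan0 scan` on Linux.

```python
from collections import defaultdict

# Constructed scan results: (ssid, bssid, mode, security). mode is "infra" for an
# access point or "adhoc" for a peer-to-peer network; security is "open", "wep",
# "wpa" or "wpa2". Several BSSIDs sharing one SSID is normal for a store with
# more than one access point and is not flagged by itself.
SAMPLE_SCAN = [
    ("bnwifi",           "00:11:22:33:44:01", "infra", "open"),
    ("bnwifi",           "00:11:22:33:44:02", "infra", "open"),
    ("Free Public WiFi", "02:aa:bb:cc:dd:ee", "adhoc", "open"),
    ("HomeNet",          "00:11:22:33:44:10", "infra", "wpa2"),
    ("HomeNet",          "de:ad:be:ef:00:01", "infra", "open"),
]


def assess_networks(scan):
    """Return {ssid: [warnings]}; an empty list means nothing stood out.

    A clean result does not prove a network is genuine: an SSID can be anything,
    so the people who run the place remain the only authority on the real name.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, mode, security in scan:
        by_ssid[ssid].append((bssid, mode, security))

    report = {}
    for ssid, entries in by_ssid.items():
        warnings = []
        if any(mode == "adhoc" for _, mode, _ in entries):
            warnings.append("ad-hoc network: you would be connecting to another "
                            "computer, not an access point")
        if any(security == "open" for _, _, security in entries):
            warnings.append("no encryption: everything you send is readable by "
                            "anyone in range")
        securities = {security for _, _, security in entries}
        if len(securities) > 1:
            warnings.append("same name advertised with different security ("
                            + ", ".join(sorted(securities)) + "): possible impostor")
        report[ssid] = warnings
    return report


if __name__ == "__main__":
    for ssid, warnings in assess_networks(SAMPLE_SCAN).items():
        print(ssid, "-", "; ".join(warnings) if warnings else "nothing unusual")
```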
It takes work, but it is possible to be safe and secure on a public Wi-Fi network.