
Secure WIFI?



I am trying to understand the safety, or the lack thereof, for "secure" WIFI in campgrounds/RV parks. I have always thought that a WIFI network that had to be signed into does nothing more than limit the number of people who can use the network. The data is no more secure than an open network. True or not?

HTTP connections are just as safe on either network? Yes or no?

 

Thanks


Adding this: HTTP or even HTTPS on an open network is not secure. One way to be a little bit more secure is to use a device that contains no banking login info, sort of like a tablet/Kindle that is just used to watch a movie, but then again there is probably a login for that, which opens up that same can of worms.


HTTP or even HTTPS on an open network is not secure.

 

I'm curious about what you're basing this statement on. I've heard that the NSA does have a way to intercept HTTPS transmission but I've never seen evidence that anyone else does.


NSA level mischief pretty much has us covered no matter the tools we might deploy. If the encryption method uses an agreed source/target key & method they have the data/tools to deal with it. There are very few if any publicly accessible methods available to ensure secure web browsing in this environment.

Local and opportunists are a bit easier to block. I use a router between my devices and publicly accessible APs, and we rarely stay in one location beyond 4 days. I think those two factors significantly reduce our local risk. Our packets can still be grabbed & stored and later busted but we should be long gone. That and periodic changes to our critical PWs and two factor authentication when available allow us to sleep reasonably soundly.


Our packets can still be grabbed & stored and later busted but we should be long gone.

 

 

FWIW, although you are probably a sophisticated enough user to know how to use a VPN, the current WiFiRanger software has a built in "one button" pseudo-VPN which establishes a "tunnel" from your router back to the WiFiRanger servers in Idaho. Although it isn't the same as a real VPN, it does make it much more difficult to grab your packets if someone was so inclined.

 

Also, as I've previously posted, it does spoof your IP to enable you to connect to US-only streaming sites while vacationing in Canada.


It turns out that the wonders of HTTPS were far overstated and once folks begin digging past the vendor's hype there were and are severe issues. Too many to count, which embarrasses me as I believed the folks (like my bank and brokerage) telling me how secure things were. Try here for a bit of reading:

 

https://www.google.com/#q=https%20security%20flaw%20problems%20exploit

 

Then of course there are issues with security between your keyboard/screen and the browser where your logon information and passwords can be harvested. DoD has given up on trying to secure personal computer operating systems (all of them) that are used to access their servers and has developed a bootable CD that, while it isn't perfect, bypasses all but BIOS resident malware.

 

https://en.wikipedia.org/wiki/Lightweight_Portable_Security

 

A VPN will protect you from your computer's network connection to the VPN provider's connection to you but you are still vulnerable to any security issues the VPN provider has and any in the connection from them to your destination as well as malware on your computer. Aside from the cost a VPN has some drawbacks worth reading up on before you sign a contract, most folks can live with them but knowing up front is better than surprised later.

 

 

There are the usual things you can do, none are perfect:

 

Keep updated and run scans that will help with known and fixed issues.

Move to the DoD LPS or another trusted bootable system for your sensitive stuff.

Add a VPN either full time or just for your sensitive sites.

Just avoid iffy WiFi connections when accessing critical sites - which may be the simplest option.

 

I'd not worry about NSA level tricks or even the other state level crackers unless you have a job involving access to classified information. Read Snowden's leaked catalog and you'll see why worrying about that level of stuff is needless aggravation, you aren't going to stop it. Worry about the criminal organizations that are far more likely to cause you problems, you can do a lot to prevent that from happening by following reasonable security practices.


One way to enhance your security on a public network is to use a VPN. There are numerous companies that provide this service for reasonable fees. I pay just under $40 per year for my PIA (Private Internet Access) account.

 

https://www.privateinternetaccess.com/

 

Safe Travels...

How can my data be encrypted without encryption equipment? Or do I misunderstand what they are selling?


So this is all true for a home WIFI system as well? It is not secure?

 

Your home system, if your WiFi router is still supported and has current security patches is fairly secure. Sadly far too many home WiFi routers are sold and get a couple patches and then the manufacturer abandons them leaving any new security issues un-patched and the router vulnerable. I have a box of this type of router that I have confiscated from family and friends and replaced with newer and still supported gear. Keeping up with vulnerabilities and patch status is a lot of work, pitching the old gear once the stream of updates stops and buying new isn't a great plan but it is simple and effective.

 

An option to trashing and replacing is to get a router that supports one of the open-source router firmware packages, they have ongoing updates that keep them reasonably secure. The down-side is that they aren't always quite as simple to use with the new firmware. I'm not current on this option as I went a different direction with a fancy router/firewall computer and access points for WiFi which is overkill for most folks.

 

The problem with the WiFi security comes from access points that aren't what they appear to be but are bad actors impersonating a good connection or when someone has infiltrated malware into a supposedly safe WiFi system that you are connecting to.


How can my data be encrypted without encryption equipment? Or do I misunderstand what they are selling?

 

You do not need specific encryption hardware to do VPN encryption, it can be done by any modern processor at fairly decent speeds. Many newer processors actually include a group of instructions to speed up the encrypt/decrypt process, HTTPS, SSL or VPN. You can see that internal encryption ability as the last line of the snip of my system's dashboard below:

 

Hardware crypto AES-CBC, AES-XTS, AES-GCM, AES-ICM

System Information  
Name	pfSense.home
System	Netgate SG-2440	
Serial: 11521XXXXX
Version	2.3.2-RELEASE (amd64) 
built on Wed Jul 20 10:29:55 CDT 2016 
FreeBSD 10.3-RELEASE-p5 

The system is on the latest version.
Platform	pfSense
CPU Type	Intel(R) Atom(TM) CPU C2358 @ 1.74GHz
2 CPUs: 1 package(s) x 2 core(s)
Hardware crypto	AES-CBC,AES-XTS,AES-GCM,AES-ICM

Fulltimer, you are partially correct. To address the questions:

 

No, an RV park's wifi is not what you could call secure by any means. Think of it, you first have a multitude of people with the access password given to them by the park. No control on who else was given the password by another camper, employee etc. Couple this with the time frame of when that password is changed - probably rarely.

 

Now, think of this wifi network as a passworded room such as the speakeasy from the past. Just say the right phrase and you are in the room, along with countless others and because you are in just one room, everyone in that room can know what everyone else in the room is doing. EXCEPT, in this case there are things you can do to protect yourself.

 

First and foremost is a firewall that only allows connections that you initiated and established. Called a stateful firewall, this protection is like a one way mirror, you can see out but any attempt to see in is blocked. Most modern firewalls are set up this way by default but if you are unsure of yours, you can easily check to see what all you have showing (your fly may in fact be down) by going to Gibson Research Corp's Shields Up site: http://www.grc.com or https://www.grc.com/x/ne.dll?bh0bkyd2 By closing gaps in what can be seen you are narrowing down what can be accessed and/or attacked.

 

Common sense will be your biggest safeguard. Heinlein said it best: There ain't no such thing as a free lunch. A park's free wifi with connection to the internet is bound to come with absolutely no blocks to advertising, DNS hijackers and other minutia. With this in mind it is a no brainer to never respond to some random flashy notice, advertisement or other dire notification that may pop up while surfing the internet.

 

Lastly, when you are done, shut down. Don't stay connected to the wifi network when not actively doing something. Personally I will disconnect even if all I'm doing is taking a short break.

 

I am trying to understand the safety, or the lack thereof, for "secure" WIFI in campgrounds/RV parks. I have always thought that a WIFI network that had to be signed into does nothing more than limit the number of people who can use the network. The data is no more secure than an open network. True or not?

HTTP connections are just as safe on either network? Yes or no?

 

Thanks

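The "one way mirror" behaviour of a stateful firewall described in the post above, as an added example that is not part of the original post. It is a simplified model: the class and function names are made up for illustration, the addresses are constructed, and real firewalls also track TCP flags and sequence numbers.

```python
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny inbound; replies are allowed only for flows we started."""

    def __init__(self, idle_timeout=60.0):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (proto, local, lport, remote, rport) -> last seen

    def outbound(self, pkt, now=None):
        """Record state for a connection initiated from the local host."""
        now = time.monotonic() if now is None else now
        self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "ACCEPT"

    def inbound(self, pkt, now=None):
        """Accept only packets that mirror a live outbound flow."""
        now = time.monotonic() if now is None else now
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is None or now - last > self.idle_timeout:
            self.flows.pop(key, None)  # forget stale state
            return "DROP"
        self.flows[key] = now
        return "ACCEPT"

def demo():
    # Constructed sample traffic: laptop 192.0.2.23 on the park network,
    # web server 198.51.100.10, another camper's device 192.0.2.77.
    fw = StatefulFirewall()
    fw.outbound(Packet("tcp", "192.0.2.23", 50000, "198.51.100.10", 443), now=0.0)
    return [
        # reply from the server we contacted
        fw.inbound(Packet("tcp", "198.51.100.10", 443, "192.0.2.23", 50000), now=1.0),
        # unsolicited probe of a file-sharing port from a neighbour
        fw.inbound(Packet("tcp", "192.0.2.77", 40000, "192.0.2.23", 445), now=2.0),
        # neighbour aiming at our open client port: source does not match
        fw.inbound(Packet("tcp", "192.0.2.77", 443, "192.0.2.23", 50000), now=3.0),
        # same server, but long after the flow went idle
        fw.inbound(Packet("tcp", "198.51.100.10", 443, "192.0.2.23", 50000), now=500.0),
    ]
```
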

Stan, on your home network it is a secured connection; you, family and anybody that you allow to connect to it are the only ones that can access the network and anything on that network.

 

Unless you have a router with an unpatched security glitch that gets compromised you are reasonably safe at home.

 

However all the encryption methods including WPA2, the newest and most secure, have security flaws, made worse by short simple passwords. Still for a home router it is unlikely anyone would bother to break in for profit, might have an angry neighbor looking for access though.

 

 

I learned a lot about WiFi security after I told someone still working in the field that I thought it was pretty secure. I still use WiFi for a lot of stuff but I ran a couple more Ethernet cables to put our main laptops on a wired connection when doing our financial stuff. Probably not necessary but Ethernet cables are cheap insurance against a minor chance of having a severe problem.


Just some suggestions to choose a VPN service provider:

1) Supports your devices
First step before signing-up is to make sure your devices are supported by the service provider.
2) Does not maintain a log
For privacy reasons, the providers should never keep a log. Some service providers even accept Bitcoin, instead of the usual credit card (which has your name and address) to add more privacy.
3) Uses shared IP addresses
All users of the service provider should share IP addresses. So, there is no traceability between user account and IP address.
4) Is based on OpenVPN
PPTP and L2TP are not secure. Check on the vendor website, or ask the sales person.
5) Allows simultaneous connections
The provider should allow more than one device to be connected at once.
6) Clearly indicates the location
For privacy reasons, the service provider should not be under any government control. Although we cannot be 100% certain, recommended countries would include: Cyprus, Iceland, Netherlands, Sweden, Switzerland. Again, without any guarantee!


Here is probably the worst example of a poor choice of WiFi routers:

 

http://www.theregister.co.uk/2016/08/22/ioactive_turns_up_the_most_sohopeless_router_so_far/?utm_source=dlvr.it&utm_medium=gplus

 

 

“An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.”

Bad? Wait, there's more: there are hidden users, default SSH with a hard-coded root password, and the box “injects a third-party JavaScript file into all users' HTTP traffic”.

 

 

The router includes a hard-coded SID, 700000000000000: if an attacker presents that to the router, they get access to “all authenticated features”.

Presenting that SID revealed the hidden user, dms:3.

And even better, after a bit more work: “whatever SID cookie value you provide, the router will accept it as proof that you’re an authenticated user”. Goodness.

It couldn't get worse, but it does: commands like Traceroute run with root privilege, making escalation a snap, because attackers can run OS commands without authentication.

“At this point, we can do anything:

  • Eavesdrop the traffic on the router using tcpdump
  • Modify the configuration to redirect traffic wherever we want
  • Insert a persistent backdoor
  • Brick the device by removing critical files on the router”.

 

Most aren't this bad but if you have a known bug that isn't patched you can become a victim of anything from a serious criminal to a teenager looking to torrent porn without getting caught by their parents. It isn't a likely situation but it happens to folks every day so if you are feeling lucky???

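The session check the quoted article describes (any SID cookie is accepted) next to a hardened form, as an added example that is not part of the original post and is not the router's actual code. The function and class names are hypothetical; the only value taken from the page is the hard-coded SID quoted above.

```python
import secrets
import time

HARDCODED_SID = "700000000000000"  # value quoted in the article above

def flawed_is_authenticated(cookies):
    """Modelled on the reported behaviour: any SID cookie counts as logged in."""
    return "SID" in cookies

class SessionStore:
    """Hardened form: SIDs are random, issued by the server, and expire."""

    def __init__(self, ttl=900):
        self.ttl = ttl
        self._sessions = {}  # sid -> (user, expiry time)

    def login(self, user, now=None):
        """Call only after the password check has succeeded."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def user_for(self, cookies, now=None):
        """Return the user only for a SID this server issued and not yet expired."""
        now = time.time() if now is None else now
        sid = cookies.get("SID", "")
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown or made-up SID
        user, expiry = entry
        if now >= expiry:
            del self._sessions[sid]  # expired sessions are forgotten
            return None
        return user

def demo():
    store = SessionStore(ttl=900)
    sid = store.login("admin", now=1000.0)  # constructed login event
    return {
        "flawed_hardcoded": flawed_is_authenticated({"SID": HARDCODED_SID}),
        "flawed_garbage": flawed_is_authenticated({"SID": "anything"}),
        "hard_hardcoded": store.user_for({"SID": HARDCODED_SID}, now=1001.0),
        "hard_garbage": store.user_for({"SID": "anything"}, now=1001.0),
        "hard_valid": store.user_for({"SID": sid}, now=1001.0),
        "hard_expired": store.user_for({"SID": sid}, now=2000.0),
    }
```
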

Guys, thanks for all the information. This has been a great read. Trying to get more educated on using park wifi. Up to now I use cell for hotspot and do nothing over the park's wifi. So moving forward, can someone tell me what is the best router to use for an RV?

 

Thanks for the help


Best, something like a pfSense router and a Ubiquiti access point, not cheap or just plug and play to get full use of them but the combination gives you pretty much everything from multiple local LANs to VPNs built in. You have a wide range of hardware that pfSense will run on, much of it far cheaper than the linked system, lots of discussion in the pfSense hardware forum.

 

Four port version, they also have a two port but you give up a lot of options: https://store.pfsense.org/SG-2440/

 

Ubiquiti WiFi access point, Lite or Pro versions: https://www.ubnt.com/unifi/unifi-ac/

 

Cheaper and a bit easier, you end up with consumer grade WiFi routers that run open-source firmware. I'm happy with the better ASUS hardware for that role, they have a decent update policy for their factory firmware and once they stop supporting it you can move to the open-source firmware on some of their hardware. I'm not current with the latest FCC rules on third-party and open-source firmware, there is some issue with newer hardware and the ability to update because the FCC does not want consumers to control the internal radio hardware as it can interfere with other radio services.

 

I tend to buy friends mid-grade ones from this line: https://www.asus.com/us/Networking/Wireless-Routers-Products/

 

Cheap, you get the lower tier of consumer routers that offer less functionality, shorter support periods and they won't run open-source firmware so once the updates stop you just toss and replace.

 

All three options have their place, most folks are happy with the second or third option depending on your interest in learning about the gear and choice of maintain or toss as an update policy. If the FCC rules prevent the third-party, open-source options the third choice above becomes more attractive since once support ends security begins to fall apart as new flaws are discovered.


Archived

This topic is now archived and is closed to further replies.
