wireless connection encryption


8 replies to this topic

#1 webstudent
  • Members
  • 3 posts

Posted 05 November 2011 - 05:24 PM

Hi, everybody. Please excuse my lack of knowledge on the subject I am asking about. As far as I know, you are not able to set up WPA encryption on your laptop in a wifi hotspot (unless of course the owner tells you the router's MAC address and passphrase). However, I was wondering what exactly the WPA does. I read that it supposedly encrypts all the so-called "data" that you send out (specifically for web browsing, downloading, etc.), and makes anyone trying to connect to your computer (and therefore your network) need to input the correct passphrase. If this is the case, isn't there some sort of software that could also encrypt your outbound data in the same way on a hotspot, but without actually setting up an encrypted network between your computer and a router (or access point)? I am guessing that if there is, then it would probably only encrypt outbound "data", and not protect you from people trying to access your computer. I have read about VPNs, TOR, etc., but as far as I can understand, these only try to mask your IP/identity. They also say that they "tunnel data," but doesn't all web traffic have to make "hops" anyway? So how would they "tunnel data," unless that company had a physical line running straight from your computer to their server? I welcome any number of responses on this subject, and I would appreciate any help anyone can offer. Thank you very much!


#2 Andrew
    Bleepin' Night Watchman
  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 05 November 2011 - 07:10 PM

WPA is a data encryption and authentication scheme which endeavors to prevent anyone from eavesdropping on or modifying information as it is transmitted between your laptop and the wireless access point. It protects you against other people who are using the same wireless access point only. Without WPA or a similar secured wireless protocol, all data sent over the wireless connection is visible, readable, and potentially modifiable by everyone else who is using the access point. WPA also serves as an effective means of preventing unauthorized users from accessing the internet via your wireless network (for example, to keep a neighbor from using your wireless internet.) Generally speaking, publicly accessible wireless networks such as those found in coffee shops do NOT use WPA or other protection due to the fact that users would need to already know the password in order to access it.

Currently there exists no means by which a secured wireless connection between the user and the access point can be initiated by a user on an unsecured wireless network.

There are, however, alternatives. One such alternative which you already mentioned is to use a Virtual Private Network (or VPN.) In practice, a VPN offers much the same protection as WPA, the difference being that your data is encrypted and transmitted over the wireless network to another computer on the internet which then decrypts and relays the data to its final destination. Once the data is decrypted and relayed it is not protected by the VPN, however the vulnerabilities caused by using an unsecured wireless network are to an extent ameliorated.

The only way to ensure data integrity and secrecy is to employ an end-to-end encryption and validation scheme, such as HTTPS. Many websites such as Google, Facebook, and most banks and financial institutions offer, or require, HTTPS when interacting with sensitive parts of their websites (e.g. accessing a bank account, checking Gmail, sending your log-in details, etc.) While HTTPS is not foolproof by any means, it does offer extensive and robust security in most situations.

The anonymizing features of TOR do not offer security in the same way that other methods do; data transmitted over the TOR network is not, and indeed cannot be, validated and as such can be tampered with at any point between the source and the destination. The main purpose of TOR is not to secure data but to protect the anonymity of the user. It is intended primarily for people living in countries which heavily censor the internet and which persecute those who use the internet to air grievances about their government.

Edited by Andrew, 06 November 2011 - 05:48 AM.
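The "tunnel" Andrew describes is encapsulation, which also answers the hops question from the first post: the hotspot still forwards every packet hop by hop, but the inner packet (laptop to website) travels as the encrypted payload of an outer packet (laptop to VPN server), and only the VPN server can open it. The model below is an added illustration, not code from this thread or from any VPN product; the addresses, key and request are constructed, and the cipher is a standard-library stand-in (HMAC-SHA256 counter-mode keystream with an HMAC tag) so that it runs offline where a real VPN would use AES-GCM or ChaCha20-Poly1305.

```python
"""Model of what a VPN tunnel hides from a hotspot observer and what it does not.

Added illustration. Addresses are from the RFC 5737 documentation ranges and
the key is a constructed constant; the cipher is a stdlib-only stand-in.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

LAPTOP = "192.0.2.23"       # constructed: the laptop on the hotspot
VPN_SERVER = "203.0.113.5"  # constructed: the endpoint that decrypts and relays
WEBSITE = "198.51.100.80"   # constructed: the final destination
KEY = hashlib.sha256(b"constructed demo key - never reuse").digest()


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate keystream and tag keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from a PRF: HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified packet is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet was modified in transit")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def serialize(p: Packet) -> bytes:
    return p.src.encode() + b"|" + p.dst.encode() + b"|" + p.payload


def deserialize(b: bytes) -> Packet:
    src, dst, payload = b.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def encapsulate(key: bytes, inner: Packet) -> Packet:
    """Laptop side: the whole inner packet, headers included, becomes an
    opaque payload addressed to the VPN server."""
    return Packet(inner.src, VPN_SERVER, seal(key, serialize(inner)))


def decapsulate(key: bytes, outer: Packet) -> Packet:
    """VPN server side: recover the inner packet, which is then relayed in clear."""
    return deserialize(unseal(key, outer.payload))


def hotspot_view(outer: Packet) -> dict:
    """Everything an eavesdropper on the hotspot learns from the outer packet."""
    return {"src": outer.src, "dst": outer.dst, "opaque_bytes": len(outer.payload)}


if __name__ == "__main__":
    inner = Packet(LAPTOP, WEBSITE, b"GET /account HTTP/1.1")
    outer = encapsulate(KEY, inner)
    print("hotspot sees:", hotspot_view(outer))           # only laptop -> VPN server
    print("VPN server relays:", decapsulate(KEY, outer))  # laptop -> website, readable
```

The two views make Andrew's caveat concrete: the hotspot observer sees only the laptop talking to the VPN server, while everything past the VPN server sees the inner packet exactly as if no VPN were in use, which is why HTTPS is still needed for end-to-end protection.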


#3 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 06 November 2011 - 05:18 AM

Since you mention MAC addresses, I assume you understand networks and I want to add something to Andrew's excellent answer.

The wireless network frames used on layer 2, which contain MAC addresses in their header, have only their data encrypted, not the header.
So the MAC addresses are not encrypted.

One implication is that an eavesdropper knows which wireless access point you are using, although he can not see what data you are exchanging.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
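Didier's point about layer 2 can be checked against the frame format itself: in an 802.11 data frame the Frame Control field, the three (or four) MAC addresses and the sequence number are never encrypted; WPA/WPA2 protects only the frame body, and sets the Protected Frame flag so the receiver knows to decrypt it. The parser below is an added illustration, not code from this thread. The frame it parses is constructed by hand: the header layout follows the 802.11 standard, while the MAC addresses, the CCMP header and the "encrypted" body are placeholder bytes standing in for what would be captured on air.

```python
"""Read the cleartext 802.11 MAC header of a WPA-protected data frame.

Added illustration. FRAME is constructed: real header layout, placeholder
addresses and a placeholder CCMP header plus body standing in for ciphertext.
"""
import struct

PROTECTED_FLAG = 0x40  # bit 6 of the second Frame Control byte
TO_DS = 0x01
FROM_DS = 0x02


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_data_frame(frame: bytes) -> dict:
    """Return the header fields every station in range can read.

    The address roles depend on the ToDS/FromDS flags; the body after the
    header is returned as-is because, when the Protected flag is set, it is
    ciphertext that only holders of the WPA session key can decrypt.
    """
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    header_len = 24
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    if to_ds and from_ds:  # WDS / mesh: four addresses
        roles = {"receiver": a1, "transmitter": a2, "destination": a3, "source": frame[24:30]}
        header_len = 30
    elif to_ds:  # station -> access point
        roles = {"bssid": a1, "source": a2, "destination": a3}
    elif from_ds:  # access point -> station
        roles = {"destination": a1, "bssid": a2, "source": a3}
    else:  # ad hoc
        roles = {"destination": a1, "source": a2, "bssid": a3}
    info = {name: mac(addr) for name, addr in roles.items()}
    info["protected"] = bool(fc1 & PROTECTED_FLAG)
    info["seq"] = seq_ctrl >> 4
    info["body"] = frame[header_len:]
    return info


# Constructed frame: laptop -> AP, Protected flag set.
FRAME = (
    bytes([0x08, 0x41])                    # Frame Control: type=Data, flags=ToDS|Protected
    + bytes([0x2C, 0x00])                  # Duration
    + bytes.fromhex("001122334455")        # Addr1: BSSID (placeholder AP address)
    + bytes.fromhex("02abcdef0102")        # Addr2: source (placeholder laptop address)
    + bytes.fromhex("001122334401")        # Addr3: destination beyond the AP (placeholder gateway)
    + bytes([0x10, 0x00])                  # Sequence Control: seq 1, fragment 0
    + bytes.fromhex("0100002000000000")    # CCMP header (placeholder packet number, key id 0)
    + bytes(range(0xA0, 0xB0))             # placeholder standing in for encrypted body
)


def eavesdropper_summary(frame: bytes) -> str:
    info = parse_data_frame(frame)
    body = "encrypted, not readable" if info["protected"] else "cleartext"
    return (f"station {info['source']} is talking to access point {info['bssid']}; "
            f"{len(info['body'])} bytes of body ({body})")


if __name__ == "__main__":
    print(eavesdropper_summary(FRAME))
```

Run on the constructed frame, the parser recovers the laptop's MAC address and the BSSID of the access point from the cleartext header, and reports the 24 bytes that follow as protected, which is exactly the asymmetry Didier describes: which network you are on is visible, what you send on it is not.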


#4 webstudent
  • Topic Starter
  • Members
  • 3 posts

Posted 06 November 2011 - 05:22 PM

Thanks, Andrew, for such a detailed and knowledgeable answer, and to Didier for the great follow-up! So I guess I'm best off with a VPN, although I have heard that a lot of them hold onto logon info and traffic patterns for a long time (often to sell this info to other companies that you may not want having such info.) Can you use a VPN with TOR (I guess Privoxy is the same idea as TOR, though)?

Also, you mentioned end-to-end encryption, such as HTTPS. Are there other such schemes, and if so, is there any way for a user on an unsecured hotspot to initiate such? Thank you again!

#5 Andrew
    Bleepin' Night Watchman
  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 06 November 2011 - 10:35 PM

The only idea that springs to mind would be to set up a VPN host on your home computer. Then, when out in the world and connecting to hotspots, you can connect back to your own desktop via your VPN and relay all your traffic through it. On the desktop you could configure the VPN to route all relayed traffic through TOR. This is not something I've ever done so I can't give you much in the way of specifics, but in theory it should work.

#6 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 07 November 2011 - 04:18 AM

> So I guess I'm best off with a VPN, although I have heard that a lot of them hold onto logon info and traffic patterns for a long time (often to sell this info to other companies that you may not want having such info.)

That is something I've never heard before (that they sell this info). But I do know that many of them keep logs and will provide them to law enforcement agencies when asked.

> Can you use a VPN with TOR (I guess Privoxy is the same idea as TOR, though)?

I think I tested this once, but I'm not sure of the result anymore. I will test this and let you know. But should there be no technical problem to do so, there could always be VPN providers that refuse TOR connections.

Privoxy is not the same idea as TOR, but it is used together with TOR. Many parties on the Internet try to track you. Privoxy is a local proxy that will filter out all attempts to track you.

> Also, you mentioned end-to-end encryption, such as HTTPS. Are there other such schemes, and if so, is there any way for a user on an unsecured hotspot to initiate such? Thank you again!

Yes, there are other protocols that provide end-to-end encryption. SSH is one example. SSH stands for Secure SHell; it gives you a command-line interface to a machine (often a *nix shell) and all communication is encrypted.

An SSH tunnel is an alternative to a VPN for browsing purposes.



#7 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 07 November 2011 - 04:32 AM

> The only idea that springs to mind would be to set up a VPN host on your home computer. Then, when out in the world and connecting to hotspots, you can connect back to your own desktop via your VPN and relay all your traffic through it. On the desktop you could configure the VPN to route all relayed traffic through TOR. This is not something I've ever done so I can't give you much in the way of specifics, but in theory it should work.

You're correct, Andrew, this works. And you don't have to use your computer and leave it powered on. You can also install open source firmware on many routers (like DD-WRT and OpenWRT) and then install an OpenVPN server on your router.

A major drawback, however, is when you have an asymmetric line, like ADSL. Then surfing will be slow, because your VPN server at home has to upload to you what you requested via a slow channel (uploading with ADSL is much slower than downloading).

And you have to check the terms of service of your ISP. It could be that they don't allow you to run servers at home.



#8 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 07 November 2011 - 04:47 AM

Just as an example, here is a tutorial for OpenVPN on DD-WRT: http://www.dd-wrt.com/wiki/index.php/OpenVPN

Edited by Didier Stevens, 07 November 2011 - 04:47 AM.



#9 webstudent
  • Topic Starter
  • Members
  • 3 posts

Posted 08 November 2011 - 07:08 PM

Thank you once again to both posters! You have provided me with many useful suggestions that I will definitely have to learn more about!
