{"id":8402,"date":"2015-06-12T09:38:29","date_gmt":"2015-06-12T13:38:29","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8402"},"modified":"2015-06-12T09:38:29","modified_gmt":"2015-06-12T13:38:29","slug":"even-with-a-vpn-open-wi-fi-exposes-users","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/06\/12\/even-with-a-vpn-open-wi-fi-exposes-users\/","title":{"rendered":"Even with a VPN, open Wi-Fi exposes users"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2015\/06\/even-with-a-vpn-open-wi-fi-exposes-users\/\"><img data-recalc-dims=\"1\" height=\"425\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2015\/06\/freewifi-640x425.jpg?resize=640%2C425\" alt=\"\" \/><\/a><\/p>\n<p>Image:<a href=\"https:\/\/www.flickr.com\/photos\/khawkins04\/6170218244\/\" target=\"_blank\" rel=\"nofollow\">Ken Hawkins<\/a><\/p>\n<p>Larry Seltzer is the former editorial director of BYTE, Dark Reading, and Network Computing at UBM Tech and has spent over a decade consulting and writing on technology subjects, primarily in the area of security. Larry began his career as a Software Engineer at the now-defunct Desktop Software Corporation in Princeton, New Jersey, on the team that wrote the NPL 4GL query language.<\/p>\n<p>By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don&#8217;t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn&#8217;t widely appreciated.<\/p>\n<p>Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. 
But there are public services as well, such as F-Secure&#8217;s Freedome and Privax&#8217;s HideMyAss. Your device connects with the VPN service&#8217;s servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.<\/p>\n<p>It&#8217;s a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can&#8217;t see the traffic. Any party that is in a position to monitor your traffic can&#8217;t even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.<\/p>\n<p>But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most, public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a &#8220;captive portal,&#8221; which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.<\/p>\n<p>In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If it checks automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging clients, may try to log on.<\/p>\n<p>I tested this scenario at a Starbucks with Google Wi-Fi while running Wireshark. Thousands of packets went back and forth on the open network before the VPN attempted to connect. 
A quick scan of the list found nothing that looked dangerous, and in fact the software on my system used TLS 1.2 in almost all cases, which was quite a relief. But your configuration may be different from mine, and even if your software attempts to use HTTPS, it could be vulnerable to attacks like SSLStrip, which tricks the software into using open HTTP anyway.<\/p>\n<p>This gap in coverage may only be a matter of seconds, but that&#8217;s enough to expose valuable information like logon credentials. Try running a network monitoring tool like Microsoft&#8217;s TCPView for Windows or Little Snitch for Mac before you establish your Internet connection and see what happens in those first few seconds. The information may be protected by encryption, but it can carry details about your system configuration that could be used to identify it\u2014or provide clues for an attacker.<\/p>\n<p>Read More: <a href=\"http:\/\/arstechnica.com\/security\/2015\/06\/even-with-a-vpn-open-wi-fi-exposes-users\/\" target=\"_blank\">Even with a VPN, open Wi-Fi exposes users | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Image:Ken Hawkins Larry Seltzer is the former editorial director of BYTE, Dark Reading, and Network Computing at UBM Tech and 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[6,7],"tags":[],"class_list":["post-8402","post","type-post","status-publish","format-standard","hentry","category-networking","category-security"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/papNkV-2bw"}