Some British politicians aren’t terribly keen on members of the public encrypting their communications, because of the difficulties that law enforcement and intelligence services can experience trying to snoop upon you.
But you would still like to think that British members of parliaments are aware of the dangers of using public WiFi hotspots, wouldn’t you?
If you’ve never understood just why it’s so important to encrypt your communications from criminal hackers when using WiFi to log into your email, make a VOIP call, or simply browse the web then you need to watch this video.
The answer is to use VPN (Virtual Private Network) software that creates a secure encrypted tunnel, allowing you to access the internet privately when using a public connection.
Oh, and it should go without saying, that if VPNs were forced by Parliament to have a backdoor that could be used by the intelligence services to spy on you… well, that could be awfully handy for criminals too.
Well done to Peter Warren of the Cyber Security Research Institute and the folks from F-Secure, for putting the video together and making a potentially complex issue so easy for the average person in the street to understand.
Graham, as I'm sure you know VPNs can be subject to MiTM attacks. It's trivial for somebody with the correct equipment and software to intercept the connection before it hits the VPN and then poison the connection. It'd give you the same access to peoples credentials as shown in the video.
Thus I'd argue that connecting to a VPN when using a public Wi-Fi connection isn't "the answer".
I think what Graham means, and maybe I'm wrong (wouldn't be the first time), is that if you have to connect to a public Wifi then do not do it without attempting encryption. It might not fix all issues (nothing will) but it does help most of the time (and is better than nothing as long as you understand that things change and you have to keep aware and adapt to the changes).
As for MiTM, it is hardly only VPNs so I don't see it as all that different and it certainly isn't a reason to ignore the problem. Perhaps I misunderstand you, though.
In the video the 'hacker' accessed services which were already encrypted (Facebook, Gmail, Skype etc.).
With the software and equipment that the hacker appeared to have it would be trivial for him to intercept an encrypted VPN PRIOR to it connecting to Wi-Fi. Therefore your victim would believe themselves to be connected to their secure VPN whilst actually they would be connected via the rogue access point.
So in the precise scenario illustrated an encrypted VPN wouldn't help because ALL connections would be filtered through the hacker.
I didn't actually watch the video so I couldn't have known what he actually had. But I understood your point; that is why you referred to MiTM, is it not ? I know very well what you mean.
But what I was trying to express is there are two routes here:
1. Don't use a VPN ever.
2. Do use a VPN but know it won't solve the problem 100% of the time (there is no 100% I sense you understand this very well).
I'll give an example of something I'm more familiar with (including tunnels) that hopefully will explain what I mean.
I first ssh to a server and the server's key is added to my ~/.ssh/known_hosts file. The next 20 times I ssh there, no warning and I proceed to login as usual. The 21st time, however, I get the warning that the host's keys have changed. It gives you the option, though:
You can remove the entry from the known_hosts file (e.g. because you regenerated the keys directly or indirectly, and you can verify this which means you're sure the change is fine). Or you can heed the warning (because you didn't expect the change) and not continue to login because it could be a MiTM.
Key point: just because it CAN be (or WOULD be) easy/practical/likely/whatever does not mean it WILL be. Similarly, just because it MIGHT be a MiTM doesn't mean it IS.
If you are using secure wifi but Eve knows the password, can Eve use that to decrypt your traffic?
Yes, but not automatically as knowledge of the password alone is not enough.
If Eve wanted to decrypt your traffic she would be able to do so via a number of methods including (and not limited to): cache poisoning, MiTM, certificate spoofing, remote control of your system etc. It's not particularly difficult to do if that is her objective.
The only way to reduce your exposure against some of those threats would be with a Radius Server and/or effective UTM.
Thanks Bob.
I have read a number of articles on VPNs recently,and many of the free ones have multiple problems,like 17% of those studied actually injected ads into the data stream. And there were other things they did that leave you unsecured. I will dig up the links later.
It's not just the free ones Dave!
In an academic article published this month all of the paid ones have flaws which render their security nugatory:
http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf
It's very much a false sense of security.