Nubility.Net

Securing wireless at home is straightforward. Securing it while surfing wirelessly is a different matter. The risks are greater, and the fixes are harder. To make matters worse (& and better!) wireless is now almost ubiquitous in urban areas.David Pogue, who writes a column for the New York Times Technology Section, indicated a couple of years ago that he wasn’t concerned with the security of public WiFi, because no one would be interested in his stuff. Here’s what David had to say last week about his previous comments:

“From the Desk of David Pogue” e-column I wrote in 2004, in which I attempted to throw water on scare-tactic computer-magazine articles that said, in effect: “Ooooh! If you use your Wi-Fi laptop at public Internet hot spots, the bad guys will see everything you’re doing and rifle through your files!”

He’s had a change of heart. In this article, I’ll summarize Dave’s solutions, and go over other options, and make some simple recommendations for reasonably secure surfing surfing at StarBuck’s or your hotel.

From David Pogue’s January 4 post:

I’m back again today to throw that water right back into my own face. On this topic, my eyes have been opened.

It came about like this: I recently filmed six episodes of a new TV series (”It’s All Geek to Me,” which airs in February on The Science Channel, Discovery HD and Discovery Europe). In one of them, I wanted to get to the bottom of this Wi-Fi snooping business. I wanted to see exactly what is, and is not, possible for the bad guys to intercept when you’re sitting there in Starbucks or the hotel lobby.

Dave Points out correctly that anyone can simply pull ALL your unencrypted info out of the aether, and goes on to suggest some of the obvious ways to mitigate against this:

• Use an Office Virtual Private Network (VPN) (if your company has one,
• access only “secure” web sites (those have https:// at the beginning of the address bar, and an image of a Lock on the right side of the address bar

However, he misses a couple of other really useful ways to improve security however:

• Purchase a VPN/secure proxy subscription service from a company that will encrypt your traffic between your laptop and the VPN provider. Below are a list of services worth considering:

• Google Secure Access (Beta). Free, but must be connected to google WiFi in San Francisco, CA to download. (as of 1/2006).  This looks like your best choice if you are eligible.

• Phiphon. Like OpenVPN, it establishes a secure connection between your laptop and the your home PC, and uses the home PC for your internet service. Its relatively easy to install (except for configuring your firewall). There are two problems with Phiphon — it only works on unsecure sites (but see below), and it doesn’t have much documentation. I’ll cover Phiphon setup and use in a separate post.  If you aren’t eligilble for Google Secure Access, and can do some basic setup, this is a great choice to secure your own system.  (Update: see my detailed Why Use Phiphon post here, and my Psiphon setup Guide here).
• OpenVPN. Full featured, open source vpn, which can be set up as a bridge to use your home PC as the service provider. A decent tutorial from InformIT.com can be found here.  This is your best choice for a 100% do-it-yourself secure solution, but its some work to set up.HotSpotVPN, 8.88/Month. (as of 1/2006).

Here are several commercial providers of secure solutions.  I’ve not used any of them.  They are listed here for reference:

• UltraVPN - $5/month (as of 1/2006)
• Anonymizer - $100/year (as of 1/2006)
• MegaProxy - $3.33/month (as of 1/2006)
• Guardster - $10/Month (as of 1/2006)
• JiWire — $25/year; 10 days free (as of 1/2006)

My recommendation for secure browsing from a public WiFi perspective, are similar to Dave Pogue’s. All his recommendations are good, but he’s missing several points:

• If you are not surfing securely (either through your own VPN or one provided by someone else), then you are open to snooping.
• To Surf securely, Phiphon is a fine partial solution. However, that only covers your surfing of unsecure web sites. If you want to know how to setup Phiphon, please check the home page, or read my post on the topic here.
• However, If you don’t have a VPN, then all of the following remain insecure:

• Chat
• Mail Downloaded to your PC via “POP” (this is probably the case if you are using OutLook, Thunderbird, Eudora, or Pegasus as your laptop mail client). If you are using commercial web-email hosts, such as Google, Yahoo, MSN or HotMail, and reading the messages on the web, you are OK (as long as you don’t download the message with the programs listed above!)