Security tips for connections in open wi-fi?

[Ivo]

Hi,

I know we have some tech savvy people in the forum and would like to ask what should I be careful about when using a free wi-fi in places like airports / randomly picking up someone's neighbor connection (I have been lucky enough to get that in a hotel once). Usually when I found SSIDs with brand names (linksys anyone?) I figured I was probably safe. But an SSID named "Free Wifi" in a residential area seems slightly suspicious (maybe it is just a generous neighbor...).

Usually I avoid using it for anything involving passwords, but I think even that is not risk-free. Using passwords, is it so that scrambling the password with a hash on your machine works? There are some programs that do that, but I suppose you need to be prepared beforehand and have changed the passwords to their hashed versions on the sites you log into.

What should I know about? I did a couple of google searches for this info but the more obvious info I found I already knew about. I guess I would need to dig deeper for the more tech stuff.

Ivo.

[Hatta]

The best thing to do is get a VPN. As soon as you log into any public wifi, switch on your VPN. All traffic is encrypted and routed through the VPN, once it gets to the VPN it's as secure as any other wired internet traffic.

Failing that, use SSL. Unfortunately SSL isn't bulletproof. Many sites will use it only for encrypting your password. The problem with that is that once you're logged in, the session key is transmitted in plain text. This allows anyone nefarious to steal your session key and hijack your session. Google Firesheep for info on how this is done.

It's worth pointing out that WifFi encryption is insufficient. WPA2 will stop people from evesdropping, if they are not authenticated with the access point. However, if they are authenticated with the access point (e.g. encrypted but public access wifi), then the traffic on the WiFi looks unencrypted to them. You have to use your own encryption to secure yourself against eavesdroppers on the WiFi.

[Ivo]

Does anyone recommend any free VPN solutions?

Ivo.

[Anapan]

I've heard logmein is good. Never used it tho.
Might not be relevant here, but I've used Tor to access US/Japanese sites that do not allow Canadian clients to access their content (IE Saver2 Pandora Client using TorTunnel). It's tried and tested by many people and will secure your connection while anonymizing you internet access. Works great, tho not able to get the bandwidth speed that something like Netflix needs. For that you need a pay proxy.
Both of these might be completely off topic, but it's all that I know about this stuff. I use my cellphone as a wireless USB dialup modem for anything sensitive.

[Hobie-wan]

I've heard logmein is good.

I use the Log Me In Rescue at work for remotely controlling customer's PCs, though that one is pretty expensive, like $1000 a year or something per account. I'm not sure about the other flavors and how they'd be more suited. The Rescue one is good stuff though at least.

[Hatta]

I've heard logmein is good. Never used it tho.
Might not be relevant here, but I've used Tor to access US/Japanese sites that do not allow Canadian clients to access their content (IE Saver2 Pandora Client using TorTunnel). It's tried and tested by many people and will secure your connection while anonymizing you internet access. Works great, tho not able to get the bandwidth speed that something like Netflix needs. For that you need a pay proxy.
Both of these might be completely off topic, but it's all that I know about this stuff. I use my cellphone as a wireless USB dialup modem for anything sensitive.

Tor and encryption are entirely orthogonal. Tor only hides the source of the data. If the data includes personally identifying information (e.g. login credentials), then you've just defeated the purpose. Anyone can set up a Tor exit node, and all the data coming out of the node is sniffable. You have to use end to end encryption over tor if you want anonymity and privacy.

But, it sounds like you're just using it as a quick proxy for region check on websites. that's totally OK.