Do you use public Wi-Fi networks to access the Web? Perhaps in a coffee shop, airport, hotel, or university campus? Maybe on a laptop or iPhone?
Did you know that anyone also using that network can currently hijack your twitter, Facebook, and other account details to log in to those services as if they’re you? If you’d like to fix that, read this post. It’s about Virtual Private Networks or ‘VPNs’. It tells you how to use one to make your connection more secure over public Wi-Fi.
Get protected
Here’s what you’ll need to secure yourself on open Wi-Fi networks. I’ve reduced it to three steps because I’ve assumed that most people reading this want to be safe but don’t care too much how it works. (If you do want to learn that stuff, read ‘how it works’ below.)
1. Get a VPN account.
I recommend StrongVPN. Their ‘Euro-America Special PPTP 1-year’ package costs $55USD a year, which is good value, and you can pay with PayPal if you like. Order it from this page.
Free VPN services do exist, but I don’t feel comfortable recommending any of them to you. If you want to stay secure but you’re not willing to pay for a VPN connection, the simplest way is to leave your laptop at home and not use public Wi-Fi.
2. Set up your Mac, PC, and mobile device to use that account.
StrongVPN have setup instructions for Windows, Mac, iPhone, and more.
3. Connect to your VPN before using the internet on public Wi-Fi networks.
On a Mac, turning VPN on takes two clicks: click the black VPN icon in your Mac’s menu bar. (It looks like this.) Then click ‘Connect StrongVPN’, or whatever you named your VPN connection in step two. The bars in the VPN icon go a light grey colour when you’re connected, and clicking the VPN icon will now display a ‘Disconnect….’ option together with a timer showing how long you’ve been connected for.
On an iPhone, a VPN connection is two taps away: tap the Settings app, then toggle the VPN switch at the top to ON. If you see a blue “VPN” icon in the title bar, you’re connected.
I’ve never connected to a VPN on Windows or Linux, but the final steps in the StrongVPN setup guides tell you how.
Two important points:
VPNs will disconnect you (or ‘timeout’) if you don’t use the connection for several hours. If you sleep your laptop, there’s a chance you won’t be connected when you wake it again. So get used to checking your VPN connection’s still active before you fire up your browser.
A StrongVPN account can only be used by one device at a time. If you’re connected to the VPN on a laptop, you’ll need to disconnect it before you use the same VPN connection on your iPhone. In general, it’s best to disconnect the VPN when you leave your computer, and reconnect it when you get back. Or just turn the whole machine off and save the planet as well as your sanity.
Want to know more?
That’s it! You’re safe. Or safer, at least. If you’re curious to discover how someone could hijack your details and log in as you, or want to know how a VPN protects you, read the following FAQ. It’s long, but it’s not too scary, I promise.
How it works
How can someone hijack my login details?
There are several ways, including watching over your shoulder as you type them. But the exploit I’m referring to in this post that lets others send requests as if they’re you is called ‘sidejacking’. Here’s how it works:
When you log in to Facebook, Twitter, and other sites, you do so on a secure page — you’ll probably have noticed the ‘https’ at the beginning of the address bar. It means your information’s being passed over a secure connection.
If you log in successfully, the site returns a random string of characters that your browser stores in a cookie. It reads the cookie and sends this string with all future requests when you, for example, update your status or post a photo. It’s why you only have to log in once each time, instead of every time you load a new page.
The problem is this: although sites like Facebook use a secured connection (HTTPS) when you log in, they currently use an unsecured connection (HTTP) for all requests after that. This means that the random string of characters that your browser sends to Facebook to identify you as someone who’s already logged in is sent openly over the public Wi-Fi network you’re connected to. Anyone on the same Wi-Fi network can lift that information out of the air by ‘sniffing’ the traffic.
Once they’ve lifted your special login string from the Wi-Fi traffic, they can use it to send requests to Facebook as if they’re you. They won’t have your username and password, but they don’t need that stuff — the way Facebook and other sites work at the moment means that the special login string is all they need.
But sniffing that sort of data is hard, right?
On public Wi-Fi it’s laughably easy. There’s even a free Firefox browser extension called Firesheep that helps you do it with a simple user interface. No nerdery required.
Anyone can install the extension, hop on a busy public Wi-Fi network, and wait for someone to log in to Facebook, Twitter, or a wide range of affected sites. As soon as someone does, a double click is all it takes to be logged into the site as them.
Why did you just tell me that?
Because the more people who know about it, the more chance there is that Facebook and other sites will take their users’ security more seriously.
The idea of Eric Butler’s Firesheep extension is to highlight how easy it is to attack users of popular sites who log in over public Wi-Fi, and to encourage those sites to start using HTTPS at all times. If they did, attackers on your network wouldn’t be able to sniff your user information because, although you’re still sharing a Wi-Fi connection with them, they can’t glean any useable information from a secure connection between you and another site such as Facebook.
Are all sites flawed in this way?
No.
How can I tell which sites are affected?
There’s no definitive list, but checking is simple: sites you log into should carry on displaying the ‘https’ at the start of your browser’s address bar. If they don’t, users who log in to those sites on a public Wi-Fi network are vulnerable to this type of attack.
What’s a VPN?
In simple terms, a VPN is just a connection between you and another computer. The important thing is that it’s a secure connection. It means that any information you send to or receive from that computer is encrypted so that others on your network can’t read it.
How does a VPN help?
Because the computer you’re connected to when you switch on your VPN connection is far away, what you’re creating is a secure ‘tunnel’ out of the public Wi-Fi network you’ve joined. Other users on your Wi-Fi network will be able to tell it’s there, but there’s no reasonable way for them to tell what information you’re sending along the tunnel, or even who you’re sending it to.
I don’t get it. Can you explain it in simple language that I’ll understand, perhaps using an imaginary room full of cookie monsters?
Sure. If you prefer analogies, try this: you’re holding a jar of cookies in a room full of cookie monsters. It’s a pretty dangerous situation. Luckily, the room has one open window. To get the cookies out of the room, you could throw them at the open window. There’s a good chance some of the monsters might notice that you’re throwing something, though. And when they see that they’re cookies, you’re really in trouble.
Instead, you decide to pick up the 10 foot blue tube that one of the monsters just finished using as a didgeridoo. You wipe off the slobber, then push one end of it through the open window. Next, you hold it high and slide the cookies down the tube, one at a time.
The monsters think it’s a little weird, but they can’t really tell what you’re sending along it, and they certainly can’t see what’s coming out the other end beyond the window, because they’re stuck in the room with you. Even if they wanted to break the tube to discover what was going on they couldn’t because, as everyone knows, puppets can’t jump.
If you haven’t guessed already, the giant blue tube is your VPN connection, and the room is the Wi-Fi network. I hope that helps. I really do. I felt quite silly writing it.
Why do I still see ‘http’ and not ‘https’ in my browser when using a VPN, then?
Because the computer at the end of your VPN connection is connecting to Facebook on your behalf over HTTP.
The connection between that computer and Facebook is still unsecured but, because that part of the connection is now far away from the open Wi-Fi network you’re on, people on your Wi-Fi network don’t have access to it. In fact, no-one should have access to it, because the only other computers on the far-away network should be other VPN servers in a locked building.
Why don’t Facebook et al fix the security flaws?
A good question. It turns out that there are some vaguely compelling reasons why big sites don’t use HTTPS for all traffic that flows across their networks but, on the whole, the consensus from security professionals seems to be that no site should gamble with their users’ privacy or security; they should force HTTPS connections at all times. Perhaps they will one day.
UPDATE: As of 26 January 2001, you can now enable HTTPS at all times via your Facebook settings. The advice in this article still applies, though. Using a VPN in public Wi-Fi areas is just safer.
Why should I have to use a VPN to fix others’ security flaws?
For now, it’s the only option if you want to use a public Wi-Fi network safely. Beyond that, I feel that anyone using a public Wi-Fi network should take whatever steps they can to secure themselves, and not rely on third-parties to do it for them. That’s why I suggest using a VPN on any network you don’t have full control over.
Frankly, if you currently use public Wi-Fi networks without connecting to a VPN, you’re taking a big risk anyway. Sidejacking isn’t the only attack you’re setting yourself up for. Any data you send in plain text (like FTP passwords), will be accessible to anyone on that network. And, trust me: there are people looking for it. For many, it’s akin to a hobby.
Is my home or office connection safe?
Probably. Most of them are password-protected by default now. If yours is too, it’s a lot harder for people you don’t know to use the network to hijack your cookies and log in as you.
Note that I said ‘people you don’t know’. If you share a home or office Wi-Fi network among family members, flatmates, or work colleagues, they can use Firesheep or similar on their own computers to steal your session information and log in as you. So you might want to be kinder to them.
If being kind isn’t an option, the good news is that using a VPN on the computer you access the Web with at home will help. It will stop people who share that network with you from capturing your cookies and posting naked photos of you to your own Facebook account. So it’s probably worth it. Or you could stop using Facebook. That would help too.
But there’s no harm in connecting to a VPN when you’re at home or in the office as well as out and about. It protects you against irritating people you share networks with. It also prevents anyone getting meaningful information from the traffic passing between your machine and the outside world should they manage to join your home or office Wi-Fi network. Perhaps by guessing that your network’s password is ‘yoda’.
Do I really need a VPN?
If you’re just using a computer at home or work and you trust the people you live and work with, it’s probably not worth paying $55 a year for a VPN connection. Just pick a good password for your Wi-Fi network, change it a few times a year, and be careful who you share it with.
Otherwise, yes, it’s worth having.
When signing up to StrongVPN, I’m given the option to choose what location I want for my initial connection. What’s that about?
You can choose any ‘initial location’ in the StrongVPN location form you see when your order’s completed. It doesn’t really matter.
In general, though, I recommend choosing whichever location is closest to you, preferably in your own country. You’ll experience a slightly faster connection that way. Choosing VPN servers in other countries can also have weird side effects, like being served the Dutch Google homepage instead of your own country’s one.
You can use a VPN to trick websites into thinking you’re in another country in a good way, too. Some people use this to access, for example, the BBC’s iPlayer and other location-restricted services when they’re travelling outside their home country. You’d just connect to a UK-based VPN from the US or elsewhere, and the BBC’s website will serve iPlayer pages as if you’re connecting from the UK directly. (And yes, the BBC knows about this loophole.)
I’ve still got questions about this stuff, but you’ve stopped typing. Who do I send them to?
If they’re questions about setting up a VPN, please send them to whoever you’re paying to provide you with a VPN service.
