Wifi in public places - stay protected?

Don't enter any personal information (or usernames/passwords) over non-encrypted connections. Keep in mind that anyone can intercept what you're doing unless you're using SSL or similar encryption. Banks and shopping sites will typically be SSL'd, so just keep an eye out for the SSL padlock and you will be fine. Also, don't click accept on any invalid SSL certificate warnings; never do this.

Otherwise just have Windows Firewall turned on and run some malware protection, maybe MSE.

If you have some spare $$$ and want to keep high levels of privacy/security whilst using public wifi, you could invest in a VPN connection to tunnel everything through, or even tunnel it through your home computer. This will prevent anyone on the public wifi link from looking at what you're doing or modifying traffic, etc.
 
Oops...I guess using forums is out then?

While it's possible someone could intercept your forum username/password/cookie I wouldn't say the risk of a hacker being interested in them is enough to stop you doing it :p

I would care most about email, shopping, banking things like that.
 
Basically, bottom line is: use the public wifi to browse Wikipedia / the news / browse some forums (logged out).

Anything with SSL and without whinging about SSL certificates is good, too. If it moans about certificate issues, run to the hills.
 
When connecting to a new network Windows 7 should ask you what type of network it is. Choose Public. This should set up the firewall to pretty much block everything - including shares.

I can testify as to how good it is - my brother [or possibly me!] accidentally set my LAN as a Public network on his computer. I could never connect to the bloody thing! :p
 
This is why I tether my phone a lot instead of using public wifi; it's too easy to get passwords etc.
 
Curiously, whilst the forums on OcUK aren't encrypted, do your login details at least get encrypted? I know the page itself isn't HTTPS but I'd heard the login part can still be encrypted? Or am I wrong about that?
 
An MD5 hash of the password is sent when you press Log In, so it isn't encrypted but it isn't plaintext either. MD5 has numerous attacks on it now, so it isn't worth trusting all that much. The bigger issue on public wifi is sniffing the cookie that says you're logged in; that can simply be replayed by an attacker, who can then steal your login session with no need for a username/password.
 
Software updates. Also look for things like "Sign in with enhanced security" links on webmail etc. A firewall is a given but knowing how to use it is just as important.
 
An MD5 hash of the password is sent when you press Log In, so it isn't encrypted but it isn't plaintext either
Where does the MD5 hashing come in?

I thought that the passwords are stored at OcUK's end in their hashed form, supposedly to secure it from anyone with database access. When a forum user logs in the password is transmitted in plaintext and it is then hashed and compared to the database at the remote end.

Maybe I'm describing an antiquated process or am just wrong :)
 
Yer, if you look in the source for vBulletin, there is a JavaScript implementation of MD5.

When you press Log In on this forum it fires:

Code:
<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">

So essentially it is as you describe, except it is hashed in the user's browser, then sent to the database and compared to the stored hash. This removes the major weakness of transmitting it exactly as is in plaintext form (hence protecting it from trivial sniffing).
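
The login flow described in the post above, as an added example that is not part of the original post and is not vBulletin's code: it shows what a browser-side MD5 hash does and does not change on an unencrypted link, next to a one-time-nonce variant for contrast. All function names, the unsalted stored hash and the sample password are assumptions made for the illustration.

```javascript
// Added illustration: all names are hypothetical, none of this is vBulletin's code.
const nodeCrypto = require('crypto');
const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');
const hmac = (key, msg) => nodeCrypto.createHmac('sha256', key).update(msg).digest('hex');
const same = (a, b) => a.length === b.length &&
  nodeCrypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Scheme described in the thread: the browser sends md5(password) and the
// server compares it with the hash it stored (assumed unsalted here).
function staticLogin(storedHash, wireValue) {
  return same(wireValue, storedHash);
}

// Comparison scheme: the server issues a one-time nonce and the browser
// answers with HMAC(md5(password), nonce), so every login differs on the wire.
function makeChallengeServer(storedHash) {
  const outstanding = new Set();
  return {
    issueNonce() {
      const nonce = nodeCrypto.randomBytes(16).toString('hex');
      outstanding.add(nonce);
      return nonce;
    },
    verify(nonce, response) {
      if (!outstanding.delete(nonce)) return false; // unknown or already used
      return same(response, hmac(storedHash, nonce));
    },
  };
}

// Constructed sample data: one account, two logins seen on an open network.
function compareSchemes(password = 'correct horse battery staple') {
  const storedHash = md5(password);
  const wire1 = md5(password);            // first login, static scheme
  const wire2 = md5(password);            // second login, static scheme
  const server = makeChallengeServer(storedHash);
  const n1 = server.issueNonce();
  const r1 = hmac(md5(password), n1);     // first login, challenge scheme
  const firstOk = server.verify(n1, r1);
  const n2 = server.issueNonce();
  return {
    passwordOnWire: wire1 === password,                    // false: not plaintext
    staticValueRepeats: wire1 === wire2,                   // true: same every login
    staticAcceptsOldValue: staticLogin(storedHash, wire1), // true
    challengeFirstLogin: firstOk,                          // true
    challengeAcceptsOldValue: server.verify(n2, r1),       // false
    challengeAcceptsUsedNonce: server.verify(n1, r1),      // false
  };
}
```

The nonce variant is shown only for contrast: the stored hash is still the secret there, and neither scheme protects the logged-in cookie mentioned earlier in the thread, which is why the thread's advice is to rely on SSL.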
 
Meh who on earth wants to nick a U/N & PW for a public forum :confused:?

Numerous people use the same password for multiple things. Obtain a forum password, gets you in to email accounts, gets you more passwords to things like shopping sites and you're pwned. Point is to just be careful and think twice when using open wifi.
 
I used to do that, until I accidentally posted it in an MSN convo when I thought I was typing it in my browser. Now I have unique PWs for important things like Gmail, Steam, Paypal, ClicknBuy and MSN, and 3 different passwords for unimportant sites like shopping sites (yes, they can't pay with my money so unimportant in my eyes, a shop acc is nothing), forums, and other places.
 