Some things warrant further discussion.
This, then, is a collection of things that don't.
Surviving Unknown and Untrusted Networks
Posted 14th April 2008 at 11:30 AM by Ben
Consumer Mobile Broadband brings with it new challenges for security. The mobile networks are a black box, and we know very little about what happens to our data while it passes through. Image compression is one thing we do know about: mobile networks will often squeeze all of your images to save themselves precious bits and bytes, and this can even involve inserting code into the websites you view. So, today I'm going to look at how we can take back control.
Back in the olden days, when I was using untrusted networks or networks with unpalatable restrictions, such as proxy servers and no publicly reachable IP, I used a piece of software called Loophole. The idea behind Loophole was very simple. First, you install the server software onto a computer on a safe network, preferably one with a static IP address. Then you install the client on the machine connected to the questionable network. The software would create a secure tunnel through the questionable network back to the server, trying to make the data look as much like 'normal traffic' as possible. Now you could forward ports from the server back to your machine, and basically do anything without interference from anything in the middle.
Unfortunately, as you will know if you clicked the link above, it looks as if Loophole is no more. You may think that this is because the Internet is now a loving utopia with open access for all. And you'd be wrong. No, what probably finished off Loophole is the Virtual Private Network (VPN).
The VPN works a lot like Loophole did, but as an Enterprise tool it's much more widely accepted. You see, it's reasonable for big business to demand that remote users have a safe, secure connection - but end users wanting the same sort of protection are often greeted with a raised eyebrow. Fortunately VPNs are filtering down to the mainstream, and a lot of home routers now even have some kind of VPN function.
Where a VPN has its weakness, and Loophole had its strength, is in the ability to negotiate a network that doesn't want it there. You see, Loophole would even use the HTTPS port if necessary to carry all of your data. It could even get by a proxy server by making all of your data look like HTTP requests - it was very slow, but worked fantastically. A VPN, though, often requires specific provisions to be in place and, while they usually are (thank you Big Business), it's hardly guaranteed.
Still, we have to make the best of the hand we are dealt, and in all honesty a VPN is like a pair of tens. Good enough to make it worthwhile.
There are two things that you'll need to create your own VPN. The first is some VPN server software, and the second is, really, a static, public IP address. Fortunately the former comes with OS X Server, but I'm one of about 10 people in the world who actually uses that. I've always insisted on the latter, though ISPs usually don't give out static IPs by default. A static IP is important because you need to know the address of your VPN in order to connect to it. Getting hold of VPN server software could be tricky; try Google by all means, but definitely check the options available on your router.
Connecting to a VPN on a Mac is easy. You configure it right out of Internet Connect and then you get an icon at the top right that you can click whenever you want to be connected. Windows, well I have no idea to be honest, but if there's no built-in way to get connected then there'll be free client software on the net that you can try.
Once your VPN is active you have the peace of mind that, wherever you are physically, you're virtually sat at your desk in the office or on your sofa with some Ben & Jerry's at home. In terms of Mobile Broadband, this means no image compression. It also means you can forward ports for incoming traffic and, because you'll now be using your work/home IP address, get access to services or pages restricted to your usual IP.
It gets better. It's now much safer for you to use most Internet connections without knowing anything about them. So long as they support VPN, you can use that free public WiFi, or that hotel room service, without fear of the interception of your data.
If you can't set up a VPN then, don't worry, there are still precautions you can take. A lot of websites allow the use of HTTPS. This is a secure, end-to-end encrypted connection between your computer and the server. It would be nice (though rather impractical) if the whole Internet used HTTPS, as it guarantees that only the server sending you the web page you're looking at knows what it is sending you, and it also prevents any intrusions on your private browsing by systems such as Phorm.
When you log in to a website you will often see HTTPS, in your browser address bar and via the padlock icon, for a moment, as your password will often be sent encrypted. However, to save on bandwidth and resources, most sites then transfer you back to plain old HTTP. To get around this, try changing the address in the address bar to start with https:// - all well-written websites will then stay on HTTPS for the duration of your session. The best websites will, of course, keep you on HTTPS by default - especially if you're logged in to some sort of account or service. Update your bookmarks to start with https://. Remember, even a VPN only secures the connection between you and your VPN server. HTTPS provides true security between you and the destination.
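The bounce back from HTTPS to HTTP after login described above can be spotted in the responses a site sends. The following is an added example (not code from the original post) that audits constructed sample responses for two symptoms of that behaviour: a redirect from an https:// request to an http:// URL, and a session cookie set over HTTPS without the Secure attribute, which a browser would then happily send over plain HTTP. The hostnames and cookie values are made up.

```python
"""Flag HTTPS-to-HTTP downgrades and insecure cookies in HTTP responses.
Added example; the sample responses are constructed, not captured."""
from urllib.parse import urlparse

# Constructed samples: what a browser might receive after a login POST.
# example.test bounces the logged-in user back to plain HTTP and omits
# the Secure flag on its session cookie; good.test does neither.
SAMPLE_RESPONSES = {
    "https://example.test/login": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://example.test/home\r\n"
        "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
        "\r\n"
    ),
    "https://good.test/login": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://good.test/home\r\n"
        "Set-Cookie: session=xyz789; Path=/; Secure; HttpOnly\r\n"
        "\r\n"
    ),
}


def parse_headers(raw):
    """Return (status_code, [(name, value), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(request_url, raw):
    """Return findings for one response to a request made over HTTPS."""
    findings = []
    status, headers = parse_headers(raw)
    for name, value in headers:
        # A relative Location keeps the current scheme, so only an absolute
        # http:// target counts as a downgrade.
        if name == "location" and 300 <= status < 400:
            if urlparse(value).scheme == "http":
                findings.append(f"downgrade: {request_url} redirects to {value}")
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {value.split('=', 1)[0]} lacks Secure")
    return findings


def audit_all(responses):
    """Audit a mapping of request URL -> raw response."""
    return {url: audit_response(url, raw) for url, raw in responses.items()}
```

Run `audit_all(SAMPLE_RESPONSES)` to see two findings for example.test and none for good.test.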
Just remember, HTTPS is only really good for web browsing. IM conversations on most IM networks are sent in plain text, as are emails and a lot of other stuff. Don't just assume that the Internet is a safe place. Don't just assume that your ISP, particularly at a free hotspot or on Mobile Broadband, will take care of security for you. It's up to you to do everything you can to keep your data safe and private.
Comments (2)
Windows VPN [client] is almost as easy to set up as it is on the Mac.
In Windows go to Network Connections and then Create a New Connection - the menu options in there should lead you to creating a VPN easily enough. It is about ten or so mouse clicks.
Posted 15th April 2008 at 12:54 AM by Hands0n
The Register today have an article up on this very subject in the context of using public WiFi. http://www.theregister.co.uk/2008/09/01/openvpn_primer/
Posted 1st September 2008 at 07:01 PM by Ben