Travel Technology - Internet security in hotels






nigelloring
Aug 10, 09, 9:14 am
Do you feel comfortable logging on to, say, your online bank and brokerage accounts, using a hotel's internet service? Does the answer change if it's a wired connection through an ethernet cable vs a generic wifi/wireless "unsecured network"?

In each case Windows gives a warning like "some information may be visible to others on the network", but does the https sufficiently encrypt it? I mean, if someone got hold of one's online banking password, it would be a pretty major hassle for one to sort out!


gj83
Aug 10, 09, 9:16 am
On my own computer I don't think about it too much, but I don't trust doing stuff like that on common computers.

sbm12
Aug 10, 09, 9:23 am
Generally speaking the HTTPS sufficiently encrypts the communication even on a wireless connection. Yes, there are still ways to intercept the traffic, but they are much more complicated/difficult.


gfunkdave
Aug 10, 09, 10:13 am
If I'm using my own computer and the site in question is using SSL, I have no problems.

Unless it's a computer I trust, I don't do much beyond facebook/email...and even that is pushing it.

If I'm feeling paranoid and SSL is not an option, I do an SSH tunnel to my home router, and route traffic through that.

cordelli
Aug 10, 09, 10:28 am
What they said.

On my own computer not a problem in my mind as long as the site is secure.

On the lobby computer, or cafe or something like that where there is a good chance of a key logger, nothing like bank or credit card transactions.

Zarf4
Aug 10, 09, 10:32 am
I know I'm overly paranoid but I won't do anything over hotel internet connections until I VPN into my home router first. Like others have said avoid business center computers as they may have keylogging software installed (not necessarily by the hotel, but it could be installed by other teenage guests.)

HTTPS connections do a quite good job protecting packets, but they don't protect you from tainted DNS servers (i.e., you enter "www.citibank.com" and the bad DNS resolves you to a phishing site which masquerades as the HTTPS version of the original). About 2 years ago I was in a major Vegas hotel and saw that Hotmail resolved to a private 10.10.x.x address instead of over the public internet.

gfunkdave
Aug 10, 09, 10:52 am
HTTPS connections do a quite good job protecting packets, but they don't protect you from tainted DNS servers (i.e., you enter "www.citibank.com" and the bad DNS resolves you to a phishing site which masquerades as the HTTPS version of the original). About 2 years ago I was in a major Vegas hotel and saw that Hotmail resolved to a private 10.10.x.x address instead of over the public internet.

The certificate exchange in negotiating the SSL connection will verify the site's identity.

k374
Aug 10, 09, 11:20 am
Yes, that is the purpose of the Verisign certificate, to ensure that the site matches who they say they are. If it is a masquerading site you would get a certificate warning.

Just like what others have posted here I don't usually worry if it is my own computer and HTTPS.

Zarf4
Aug 10, 09, 11:23 am
The certificate exchange in negotiating the SSL connection will verify the site's identity.

It's better now since Firefox 3.x now complains if the site uses a self-signed certificate instead of one registered through a major player like Verisign. Older browsers would accept self-signed certs and even display their little padlock icon even though the site was as phony as a $3 bill.

I still advocate using a VPN since there still are quite a few vulnerabilities out there, especially if you're not watching carefully. A pretty good report is at: http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

gfunkdave
Aug 10, 09, 11:39 am
I still advocate using a VPN since there still are quite a few vulnerabilities out there, especially if you're not watching carefully. A pretty good report is at: http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf

Interesting report - thanks for sharing.

ikeatroll
Aug 10, 09, 11:43 am
While most people are naturally suspicious enough not to fall for this, some people would just go on and ignore the certificate warning (basically giving a man-in-the-middle a license to read their encrypted traffic).

If you don't get a certificate warning for a site at home, don't just ignore it if it pops up when you connect somewhere else, folks!

But if you really are paranoid, how about looking out for a hidden camera in the room that records all the passwords you type? ;)

boberonicus
Aug 10, 09, 11:50 am
You have to weigh the risks in life and decide where to expend your energy. Sure, you could VPN back to your company first, but doesn't handing your credit card to a waiter at that same hotel represent a greater risk than traffic sniffing? If you're concerned about identity fraud, get protection for that - for example, Californians can contact credit agencies and freeze their credit.

Consider the risk of being attacked by a shark to the risk of driving to the beach while talking on your cell phone. Like the traffic sniffing, the shark attack is possible, and wearing chain mail while swimming in the ocean will certainly reduce your risk of shark attack. So some would say: "why take the chance, always wear chain mail." But you're really much safer ignoring the sharks and putting down the cell phone.

soitgoes
Aug 10, 09, 1:06 pm
I also use a VPN (witopia.net).
I also only use SSL to check my e-mail accounts (gmail defaults to non-SSL, but you can change the setting to force SSL, for example).
My use of the VPN is primarily to deal with sites that don't use SSL and yet still have info that, although not particularly sensitive, I don't want to be just "in the air". I don't like snoops, and without a VPN, non-SSL webpages are viewable in plain text over non-secured WiFi connections.

notquiteaff
Aug 10, 09, 10:00 pm
Taking this slightly off-track, what home VPN router do you guys recommend? Should have support for Windows and Mac.

Back on topic, right now I generally use my employer's VPN when I am on a network I don't trust (which is pretty much always when I am not at home).

JadedTraveler
Aug 11, 09, 7:33 am
Taking this slightly off-track, what home VPN router do you guys recommend? Should have support for Windows and Mac.

I'm curious about this also. And I think this question is really: which home VPN router and which Windows (or other) VPN client do you use? The two seem to go together.

Some things I saw when I tried to do this: some routers limit the bandwidth available this way. Windows seems to be the only free VPN client that I see out there. And some VPN routers require a static IP address for both the router and the client (which is not possible when traveling).

gfunkdave
Aug 11, 09, 10:14 am
Do you want full VPN, or just an SSH tunnel? For the latter, you can run open-source Tomato or DD-WRT firmware on a variety of cheap Linksys/Netgear/Asus/Buffalo routers.

If you want full VPN and have a moderate degree of technical skill, you can get the VPN edition of DD-WRT.

DD-WRT and Tomato are both free, open source third party firmwares for various routers. I find Tomato much easier to use, but it doesn't do full VPN - just SSH, which for my purposes is perfectly fine. Just need to forward ports. I also forward web traffic through the SSH tunnel. DD-WRT is also supported on many more router models than is Tomato.

I use a Linksys WRT54GL with Tomato at home.

www.polarcloud.com/tomato
www.dd-wrt.com

cordelli
Aug 11, 09, 10:59 am
Taking this slightly off-track, what home VPN router do you guys recommend? Should have support for Windows and Mac.


This thread may help

http://www.flyertalk.com/forum/travel-technology/936479-personal-vpn-recommendation.html

notquiteaff
Aug 14, 09, 10:17 am
Thanks, gfunkdave and Mike (cordelli).

Landing Gear
Aug 16, 09, 3:17 am
About 2 years ago I was in a major Vegas hotel and saw that Hotmail resolved to a private 10.10.x.x address instead of over the public internet.



Could you expand on this for a moment? If I see a wifi network that, when connected, says something like "connected to John Doe's network, 10.10.x.x", should I be worried? Should I disconnect?

newbiztraveler
Aug 16, 09, 8:24 am
Taking this slightly off-track, what home VPN router do you guys recommend? Should have support for Windows and Mac.

Back on topic, right now I generally use my employer's VPN when I am on a network I don't trust (which is pretty much always when I am not at home).

Just a word of advice... do not buy anything that is an SSL VPN router and expect it to work with a Mac. There is no good SSL VPN client for OSX. Believe me, I've tried. I bought an SSL VPN router thinking it would work with the built in VPN client and I was wrong. I ended up installing PoPToP on a Linux box and it works flawlessly with the builtin VPN client.

WilcoRoger
Aug 18, 09, 5:56 am
I just use the company VPN and I'm good to go. This way I also circumvent local internet censors, too. (think China, Middle-East, etc - in Oman even hotels.com was blocked. Probably they confused hotels with hotties :D)

Zarf4
Aug 18, 09, 9:25 am
Could you expand on this for a moment? If I see a wifi network that, when connected, says something like "connected to John Doe's network, 10.10.x.x", should I be worried? Should I disconnect?

No, that by itself is no reason to worry. Typically routers will issue you a 192.168 or 10.10 private addy which is the proper way of doing it.

The problem I had was when I browsed to www.hotmail.com I happened to glance at the bottom status bar of the browser which said "connecting to 10.10.x.x" just before the phony website came up (the request never even traversed the public internet). I did a tracert to the URL and after a half dozen hops it showed that 10.10 address was the final destination -- pfui. Since then I've set up a dd-wrt router at home as an OpenVPN server and feel much more secure when on the road.
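
An added example, not part of the original thread: a small check for the symptom described in the post above, where a public hostname resolves to a private or otherwise non-routable address on the local network. The function names and the sample hostnames and answers are constructed for illustration; `check()` uses the system resolver when no answers are supplied.

```python
import ipaddress
import socket

def classify_answers(addresses):
    """Return (address, reason) pairs for answers no public site should resolve to."""
    findings = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            reason = "loopback"
        elif ip.is_link_local:
            reason = "link-local"
        elif ip.is_private:
            reason = "private range"       # e.g. 10.0.0.0/8, 192.168.0.0/16
        elif not ip.is_global:
            reason = "non-routable"
        else:
            continue                        # publicly routable: nothing to flag here
        findings.append((addr, reason))
    return findings

def resolve(hostname):
    """Resolve with the system resolver, i.e. whatever DNS the local network handed out."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check(hostname, addresses=None):
    """Flag a hostname whose DNS answers include non-public addresses."""
    if addresses is None:
        addresses = resolve(hostname)
    findings = classify_answers(addresses)
    return {"hostname": hostname, "answers": list(addresses),
            "tainted": bool(findings), "findings": findings}

# Constructed sample answers (not captured from any real network).
SAMPLES = {
    "www.example.com": ["93.184.216.34"],           # public address
    "mail.example.com": ["10.10.3.7"],              # private address, as in the post
    "bank.example.com": ["93.184.216.34", "192.168.1.1"],
}

if __name__ == "__main__":
    for name, answers in SAMPLES.items():
        result = check(name, answers)
        print(name, "TAINTED" if result["tainted"] else "ok", result["findings"])
```

A clean result here does not prove the DNS is honest, since a tampered resolver can also hand back a public address; the browser's certificate validation remains the control that catches that case.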

dgwright99
Aug 18, 09, 9:29 am
I also use VPN to avoid having to think/worry about it.

jimmc66
Aug 19, 09, 3:56 am
Do you feel comfortable logging on to, say, your online bank and brokerage accounts, using a hotel's internet service? Does the answer change if it's a wired connection through an ethernet cable vs a generic wifi/wireless "unsecured network"?

No. Public/unknown networks, whether wired or wireless, should always be treated with caution.

but does the https sufficiently encrypt it? I mean, if someone got hold of one's online banking password, it would be a pretty major hassle for one to sort out!

HTTPS is sufficient.

The biggest danger is scam networks set up to "look like" real networks. At an airport, see that one enticing network that says "Free Public Wifi"? It's a scammer trying to get you to login to HIS computer. He's around close. I found one at SFO about six months ago, figured out who it was, and sicced the cops on him.

Landing Gear
Aug 19, 09, 5:24 pm
No, that by itself is no reason to worry. Typically routers will issue you a 192.168 or 10.10 private addy which is the proper way of doing it.




Oh, thanks for the explanation. I was rather worried about a particular wifi at an office I visit regularly.

SNA1K
Aug 19, 09, 6:46 pm
Interesting replies and ideas here--I used to do the VPN route to my home setup as well. Now, I just utilize a Verizon data card and avoid the hotel's (and also the client's) system altogether. Of course, this doesn't help me internationally but right now I'm 85% domestic so it works fine.

star_world
Aug 19, 09, 7:51 pm
The biggest danger is scam networks set up to "look like" real networks. At an airport, see that one enticing network that says "Free Public Wifi"? It's a scammer trying to get you to login to HIS computer. He's around close. I found one at SFO about six months ago, figured out who it was, and sicced the cops on him.

I highly doubt it. Assuming "sicced" means you called them perhaps?

Two reasons. First, the "cops" would have absolutely no clue what you were talking about. There was no crime being committed, after all. How exactly did you "figure out who it was"? And what did you say to these cops?

Second, and more important, you should have read this (http://www.wlanbook.com/free-public-wifi-ssid/) first. It is roughly equivalent to a virus, and is pretty much completely benign. Its only real effect is to make very unsuspecting people think that there is a nice convenient WiFi hotspot next to them, and in almost all cases the person whose PC is causing it to be transmitted is completely unaware.

Would have been an interesting situation to watch though :D

njmcgreg
Aug 21, 09, 1:13 pm

I connect through corporate VPN first.


