
Should I be worried about surfing web at hotels?

Old Dec 9, 2006, 10:08 am
  #1  
Original Poster
 
Join Date: Sep 2004
Programs: UA GS
Posts: 2,159
Should I be worried about surfing web at hotels?

I was wondering, is it really safe surfing the web in your room at a hotel? I use an Apple Express and plug the ethernet cable into the Express and surf wirelessly. I have wap set up and hide the SSID, and my MAC address is the only one that can surf on the Express.

Can the hotel employees see which sites I'm visiting - such as online banking and credit card accounts? Are the hotel room ethernet cables connected to an onsite server where it all gets stored and an unscrupulous employee could pilfer the info?
iwebslinger is offline  
Old Dec 9, 2006, 10:32 am
  #2  
 
Join Date: Oct 2003
Location: Living in SIN™
Programs: TK/QR Gold, Marriott/Accor Plat, IC Dia Amb, Avis/Hertz PC
Posts: 6,706
You're really concerned about whether they see you surfing porn sites, aren't you?
Savage25 is offline  
Old Dec 9, 2006, 10:53 am
  #3  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by iwebslinger
I was wondering, is it really safe surfing the web in your room at a hotel? I use an Apple Express and plug the ethernet cable into the Express and surf wirelessly. I have wap set up and hide the SSID, and my MAC address is the only one that can surf on the Express.

Can the hotel employees see which sites I'm visiting - such as online banking and credit card accounts? Are the hotel room ethernet cables connected to an onsite server where it all gets stored and an unscrupulous employee could pilfer the info?
This topic pops up almost like clockwork once a month...and I have a soft spot for it. Although not everyone always agrees with me...so I'll try and limit the opinion and stick to the facts.

There are a couple of questions and issues here; I'll start in reverse order. First, can the hotel tell what you are doing? Yes, sorta. Assuming you aren't using VPN or something like Tor (more on those later) then yes, 100%. Every time you visit a web site by name, say www.google.com, your computer first asks a DNS server for the numerical IP address of that server. That's a fancy way of saying "can you tell me how to get to Sesame Street?". So, assuming the hotel staff aren't doing anything malicious at all, by virtue of providing you internet access they have to give you a DNS server, and those queries are logged. But chances are the equipment they are using is logging not just DNS but your basic activity in general. That's again not a malicious thing, but the result of the default settings on most pieces of equipment involved.

The next question is can they see exactly what you are doing, and the answer there is maybe. If you are surfing to unsecured sites (http, NOT https) then anything you send or receive is sent in 'clear text' and is wide open. When you go to your bank, for instance, and the address starts with https (the s is for secure or SSL) then your traffic is protected by something called SSL, or secure sockets layer... again fancy for 'encrypted'. SSL is generally regarded as VERY strong protection. But remember, because of DNS they can still see where you are going, just not what you are doing there. If you use Gmail, for instance, for email, then you have to take some action to make sure you stay secure. G-Mail always uses SSL (https) for your login/password but then it wants to revert back to insecure mode when you actually go to read your email. So anyone watching could read your email too. (In the case of G-Mail you can explicitly ask for a secure session by starting with the https ... https://www.gmail.com)

That all brings us to the next point. Just because there is some inherent transparency involved, does that mean anyone is looking? Better yet, does the front desk clerk have the know-how (let alone the passwords, etc.) to peek into your actions? Chances are no one is looking over your shoulder (proverbially speaking). But I'm the paranoid type and an advocate of privacy so I always assume the worst...knowing that it's a long shot at best.

The next question or issue involves your Apple Airport Express. There are two things at work there: the protection that any NAT router provides and the security involved with wireless networking. To the first point, NAT basically (when using the default configuration) allows one-way traffic. You can surf out but traffic upstream cannot come back in to your computer (unless you requested it). That's great for hiding you from internet worms or keeping people from trying to access files on your hard drive via built-in file sharing. It doesn't do anything to protect your traffic from prying eyes though. So it's a great idea, but doesn't solve the entire problem. It also invites another issue to the party, wireless security.

So, despite what some others may say, WEP is broken and ineffective and SSID hiding is useless. WEP is a little like those older traditional locks on windows, the semi-circular things where you swivel the latch into place. We all know how to slide a knife or clothes hanger b/t the sashes and open them, but we still trust them because logic says bad guys will go for the open window before trying to crack the locked one. WEP can be broken by anyone with a laptop and Google in about 10 mins or less. Once it's broken and someone else is on your wireless network, then the benefits of NAT are lost and your computer and traffic are wide open. There is an easy easy fix though...more on that below. On to SSID hiding...doesn't do anything, not worth it, not security, don't bother. Basically it's a myth: the Airport is still sending out the SSID, but asking listening devices to ignore it...and most software outside of the stock Windows wireless software doesn't honor that request. Any wifi sniffer (google, you'll find 100 free ones) will find 'hidden' SSIDs in a second.

The answer is WPA with a long, random passphrase. Just set your Airport to WPA (or WPA2 if your laptop supports it) and get a VERY LONG and VERY RANDOM password...up to 64 characters long. I like www.grc.com/pass for generating them, but I reload the page several times and take snippets from each generated password, just to make sure it's totally random! Once you do a little copy and pasting you shouldn't ever need to enter it again, but just in case, store it in a text file on a USB drive. That's it, problem solved. WPA is very secure and with a long password it would take a factor of years to crack....unless you believe that the only reason the government allows it to be sold is that they've already cracked it...but I don't want to cast any doubts. Regardless, remember that WPA is only protecting the wifi signal b/t your laptop and the Airport...not protecting you from anything upstream of the Airport (i.e. the hotel staff).

Back to privacy and protecting your traffic. The easiest thing to do is use something called VPN, or virtual private network. If your company provides you with remote access into their network then it's probably VPN and will do the job perfectly, unless you are surfing to sites or doing things you'd rather not do through your work network. If that's the case then look at a 3rd party service like hotspotvpn.com. If you have a computer at home you can use something like Hamachi (recently acquired by logmein.com I think) or even run your own VPN software like OpenVPN (pretty nerdy approach). VPN works by building a secure 'tunnel' through the hotel network and the internet to the 'end point' (VPN server). To any prying eyes, all they can see is that you have a connection to the end point; any traffic will look like scrambled letters and numbers. So, this does require that you trust the end point (or 3rd party service), but it removes any chance of the hotel snooping.

For the truly paranoid nerd, there is Janus, http://janusvm.peertech.org/. Janus runs in a 'virtual machine' on your laptop; it's like running another computer within a window. It uses something called TOR, often referred to as the onion router, to distribute your traffic across the internet securely. It's pretty technical, but it's some of the best stuff out there. It also uses VPN so that all the hotel could see is your connection to the Janus server (a large collection of participating users around the world) which changes every time you use it. Then through that secure VPN your traffic travels and pops out somewhere random, like Russia or Brazil or Texas...anywhere, and it's always random and different. So it can't be traced back to you or your location. The downside is that, to overcome some technical issues involved in protecting you, it has to be slow, so it's not great for things like VoIP or streaming videos.

There it is... turn on WPA, get a VPN solution and you are good to go.

If anyone is wondering why I'm writing a PhD thesis here on FT...it's because Mrs SpaceBass is setting up for a work cocktail party and this is my way of avoiding any real work.
SpaceBass is offline  
Old Dec 9, 2006, 10:55 am
  #4  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by Savage25
You're really concerned about whether they see you surfing porn sites, aren't you?
That's why I bring mine on a burnt cd...oh darn...did I say that out loud?
SpaceBass is offline  
Old Dec 9, 2006, 12:35 pm
  #5  
 
Join Date: Oct 2003
Location: A Capital City on The East Coast
Programs: CO-Dirt,SPG-Nothing,Marriott-Gold, Hilton-Blue, Hyatt-Plat, HI-Plat
Posts: 6,872
Originally Posted by SpaceBass
That's why I bring mine on a burnt cd...oh darn...did I say that out loud?
CD ???? WTH ?????? don't you really mean DVD at least
windwalker is offline  
Old Dec 9, 2006, 1:25 pm
  #6  
 
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
Great post. I VPN my connections in hotels for a second reason -- port blocking. Many hotels now block VoIP, port 25 (believe it or not) and a number of other functions from their network. VPNs open up all the ports. Witopia.net has an IPsec VPN for $39 a year if you don't want to do it yourself.

Stu
Dubai Stu is offline  
Old Dec 9, 2006, 1:38 pm
  #7  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by windwalker
CD ???? WTH ?????? don't you really mean DVD at least
I use compression
You know, this could really get ugly quickly...
Originally Posted by Dubai Stu
Great post. I VPN my connections in hotels for a second reason -- port blocking. Many hotels now block VoIP, port 25 (believe it or not) and a number of other functions from their network. VPNs open up all the ports. Witopia.net has an IPsec VPN for $39 a year if you don't want to do it yourself.
That's a great point!
SpaceBass is offline  
Old Dec 9, 2006, 4:49 pm
  #8  
 
Join Date: Jan 2006
Location: SFOSJCOAK
Programs: AA-EXP & 1MM+, AS, MR-LTT, HH Gold
Posts: 7,581
SpaceBass

SpaceB,
What a great post! I clipped it for reference. I am trying to equip my personal notebook (as opposed to business notebook) with VPN.
allset2travel is offline  
Old Dec 9, 2006, 7:46 pm
  #9  
 
Join Date: Nov 2000
Location: Colorado Springs, CO USA
Posts: 217
Why can't you just use the Torpark browser without bothering with the janus setup?
thecmg is offline  
Old Dec 10, 2006, 3:05 pm
  #10  
 
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by thecmg
Why can't you just use the Torpark browser without bothering with the janus setup?
I'd be curious how the dns requests are handled. Do they get re-directed too? I couldn't find anything on the Torpark site about DNS.

I know when I use Vidalia on OS X (basically Torpark) that DNS requests still go to the local DNS server.
SpaceBass is offline  
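
Added example, not part of any post in this thread: the DNS point raised in posts #3 and #10, shown with the bytes themselves. A classic DNS lookup travels as plain text over UDP port 53, so whoever runs the resolver or gateway can read the hostname even when the page that follows is HTTPS. The packets and the client address are constructed sample data and the function names are made up for illustration.

```python
import struct


def build_query(hostname: str, txid: int = 0x1A2B) -> bytes:
    """Encode the plain A-record query a laptop sends to the DNS server it was given."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [part for part in hostname.split(".") if part]
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_query_name(packet: bytes) -> str:
    """Recover the hostname from a query; no key or secret is needed to do this."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:  # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def resolver_log(captures):
    """Group looked-up names per client, as a resolver's query log would hold them."""
    log = {}
    for client, packet in captures:
        log.setdefault(client, []).append(read_query_name(packet))
    return log


# Constructed sample: one guest laptop (made-up private address) looking up
# the two hostnames mentioned in the thread.
SAMPLE = [("10.0.0.23", build_query(name))
          for name in ("www.google.com", "www.gmail.com")]

if __name__ == "__main__":
    for client, names in resolver_log(SAMPLE).items():
        print(client, names)
```

When checking a VPN or Tor setup, this is the traffic to look for: if lookups still leave the laptop in this form, the local network still sees every hostname.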

