maemo.org - Talk


donny 2010-03-09 03:57

N900 security when using public wifi
 
Hi All,

There's nothing better than surfing full webpages on the go with the N900 but it's costing me a fortune on the 3G. I really want to take advantage of McDonald's free wifi, but am scared of sending my passwords over a public wifi network.

Currently my contact list uses google talk, skype, facebook (via jabber), msn (using msn-pecan) and yahoo (using pidgin protocols for conversations and contacts 0.7). I also have an imap email account set up using the "secure authentication: login" option, whatever that means!

Can anyone advise which of these I should disable before connecting to a public network? And is there a quick way to stop the e-mail account from trying to connect?

Thanks!

soeiro 2010-03-09 14:32

Re: N900 security when using public wifi
 
Quote:

Originally Posted by donny (Post 560773)
Hi All,

There's nothing better than surfing full webpages on the go with the N900 but it's costing me a fortune on the 3G. I really want to take advantage of McDonald's free wifi, but am scared of sending my passwords over a public wifi network.

Currently my contact list uses google talk, skype, facebook (via jabber), msn (using msn-pecan) and yahoo (using pidgin protocols for conversations and contacts 0.7). I also have an imap email account set up using the "secure authentication: login" option, whatever that means!

Can anyone advise which of these I should disable before connecting to a public network? And is there a quick way to stop the e-mail account from trying to connect?

Thanks!

There are two main risks, I think:
  1. Somebody logging into your N900 - if you install telnetd or OpenSSH-Server you should change the passwords. Of course, this can happen even if you are on cellular. You just have to be on the Internet for somebody to try to break into your computer.
  2. Traffic sniffing. This is what you were asking about. Yes, you should be very wary of any public wi-fi, but it is manageable.

About #2, you should avoid anything that sends clear text passwords.

The last time I looked (about a few years ago), MSN used clear text passwords.

Skype encrypts all the communication. When using the browser to log in to Facebook, Yahoo or Gmail, you are safe because the login data is encrypted. By using the plugins I'm not so sure, but my guess is that they wouldn't leave that open, right?

I'm not sure about jabber either.

If you use secure authentication for IMAP or POP3 there is no problem, generally.

Just watch out for anything suspicious. For example, if an unknown certificate is presented by the software when you are trying to connect to a known service it might mean that there is someone trying to play the man-in-the-middle attack on you.

TA-t3 2010-03-09 15:47

Re: N900 security when using public wifi
 
Yep, don't use anything with clear text passwords. But that doesn't apply only to wi-fi networks, it applies _anywhere_. Even at home. Not only does your password travel over maybe continents of different networks, if you're connected to certain types of cable networks even your unsophisticated neighbour can sniff your cleartext.

And I would also log in to e.g. gmail with https://mail.google.com, and not http://www.gmail.com/, because the former will run the whole session (reading / writing your mails) encrypted, and not only the login session. (But you can also enable a gmail option in settings, which will enable encryption all-the-time as default. That's a good idea too.)

xman 2010-03-09 17:33

Re: N900 security when using public wifi
 
Well, you could use an SSH tunnel for your surfing via proxy. This way you never have to worry. Just a bit inconvenient to set up.

x

Patroclo 2010-03-09 17:57

Re: N900 security when using public wifi
 
May I ask why a firewall has not been implemented for the n900?

TA-t3 2010-03-09 18:08

Re: N900 security when using public wifi
 
The Linux kernel has a very good firewall built-in. However the N900 standard kernel doesn't come with the module. But there's another thread around which talks about building fiasco-compatible kernels, with iptables enabled.

zail 2010-03-09 18:30

Re: N900 security when using public wifi
 
If you want to check which apps are using clear text passwords you can try the following:

1/ Install Wireshark (might be in extras-dev, so read about the dangers of installing software from there)

2/ Log on to your home wireless network

3/ Set Wireshark up to monitor the traffic over your wireless adapter

4/ Login to all your email accounts and IM accounts in turn

5/ Look through the Wireshark packet capture info and you will see any clear text passwords that are transmitted.

Once you've worked out what's going on you can then decide what to use over public wireless etc. It won't protect you from someone sniffing stuff but it will make things harder for them to gain access to your accounts. I did this and found out one of my e-mail accounts was inadvertently sending a clear text password - it's not now!
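Added example (not part of zail's post or of the thread): a Python sketch of step 5, scanning the client-to-server text of each captured stream for login commands that carry a password in readable or merely base64-encoded form, and stopping at a STARTTLS upgrade. The stream names, account name and payload lines in `SAMPLE` are constructed; in practice the lines would come from a capture of your own traffic.

```python
import re

# Client commands that put a password on the wire readable or only base64-encoded.
CLEARTEXT = [
    ("IMAP LOGIN", re.compile(r"^\S+\s+LOGIN\s+\S+\s+\S+", re.I)),
    ("POP3 PASS", re.compile(r"^PASS\s+\S+", re.I)),
    ("SASL PLAIN/LOGIN (base64 only)",
     re.compile(r"^(?:\S+\s+)?AUTH(?:ENTICATE)?\s+(?:PLAIN|LOGIN)\b", re.I)),
    ("HTTP Basic", re.compile(r"^Authorization:\s*Basic\s+\S+", re.I)),
    ("XMPP PLAIN", re.compile(r"<auth\b[^>]*mechanism=['\"]PLAIN['\"]", re.I)),
]
# Once the client asks for TLS, the rest of the stream is ciphertext.
STARTTLS = re.compile(r"^(?:\S+\s+)?S(?:TART)?TLS\s*$|<starttls\b", re.I)

def audit_stream(lines):
    """Return labels of cleartext logins seen before any TLS upgrade."""
    findings = []
    for line in lines:
        if STARTTLS.search(line):
            break  # nothing readable after this point
        findings += [label for label, pat in CLEARTEXT if pat.search(line)]
    return findings

def audit(streams):
    """Map each stream name to its findings; an empty list means nothing leaked."""
    return {name: audit_stream(lines) for name, lines in streams.items()}

# Constructed client-to-server text, as a "follow stream" view would show it.
SAMPLE = {
    "imap-143": ["a1 CAPABILITY", "a2 LOGIN donny@example.org hunter2"],
    "imap-tls": ["a1 CAPABILITY", "a2 STARTTLS", "\x16\x03\x01\x00\xa5"],
    "pop3-110": ["USER donny", "PASS hunter2"],
    "gtalk-5222": ["<stream:stream to='example.org' version='1.0'>",
                   "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>",
                   "\x16\x03\x01\x00\x8c"],
    "jabber-5222": ["<stream:stream to='example.org' version='1.0'>",
                    "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' "
                    "mechanism='PLAIN'>AGRvbm55AGh1bnRlcjI=</auth>"],
    "web-80": ["GET /inbox HTTP/1.1", "Authorization: Basic ZG9ubnk6aHVudGVyMg=="],
}

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        verdict = "LEAKS: " + ", ".join(found) if found else "ok"
        print(f"{name:12} {verdict}")  # the password itself is never printed
```

An empty result only means no cleartext login appeared in the captured lines, so each account still has to be logged in during the capture, as in step 4.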

rambo 2010-03-09 18:41

Re: N900 security when using public wifi
 
Just tested with tcpdump, the GTalk plugins use TLS all the way (not just login), I see the starttls commands in plaintext and then it's all garbage.

rambo 2010-03-09 18:48

Re: N900 security when using public wifi
 
Quote:

Originally Posted by TA-t3 (Post 561527)
The Linux kernel has a very good firewall built-in. However the N900 standard kernel doesn't come with the module. But there's another thread around which talks about building fiasco-compatible kernels, with iptables enabled.

AFAIRecall the base iptables module is in the stock kernel but the binary to manipulate is not in the basic install (it's in extras-devel at least).

Anyways unless you have specifically installed telnet or ssh you have no services running and attacking the linux TCP/IP stack itself with just SYNs is kind of hard...

Edit "no services" is to mean no services accessible on any of the real interfaces, loopback is a different beast.
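Added example (not part of rambo's post or of the thread): a Python sketch that checks the point above by parsing `/proc/net/tcp` and separating listeners bound to loopback from those reachable on a real interface. The `SAMPLE` table is constructed, and the byte-order handling assumes a little-endian host such as the N900's ARM CPU.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

def parse_listeners(proc_net_tcp):
    """Yield (ip, port) for every IPv4 socket in LISTEN state."""
    for row in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = row.split()
        if fields[3] != LISTEN:
            continue  # established or closing connections are not services
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order
        # (assumption: little-endian host), so unpack it accordingly.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)

def exposed(proc_net_tcp):
    """Listeners bound to anything other than loopback, sorted."""
    return sorted((ip, port) for ip, port in parse_listeners(proc_net_tcp)
                  if not ipaddress.ip_address(ip).is_loopback)

# Constructed sample: a loopback-only service, an sshd on all interfaces,
# and one established outbound connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1377
   2: 0A01A8C0:C1F2 5E2D7D4A:1466 01 00000000:00000000 00:00000000 00000000 29999        0 2210
"""

if __name__ == "__main__":
    # On a device, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port in exposed(SAMPLE):
        print(f"reachable from the network: {ip}:{port}")
```

This covers IPv4 TCP only; `/proc/net/tcp6` and `/proc/net/udp` use different address widths or state meanings and need their own handling.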

roja 2010-03-09 18:59

Re: N900 security when using public wifi
 
Maybe a silly question: the 3G packet data link is connected to the Access Point of each operator; how secure is this link?

rambo 2010-03-09 19:07

Re: N900 security when using public wifi
 
Quote:

Originally Posted by roja (Post 561594)
Maybe a silly question: the 3G packet data link is connected to the Access Point of each operator; how secure is this link?

Between the phone and the cell-tower relatively secure, from there on to the telcos nearest internet gateway "it depends" and when your packets reach the internet they're on their own (so use protocol that encrypts the packet payloads if you worry about sniffing).

Note that "it depends" can go to ridiculously low values, at one time it was not uncommon to have the (highly directional) microwave links between cell-towers (not all of them have dedicated land lines) run unencrypted and with proper equipment it was easy to sniff all traffic going out of the tower (essentially negating the link-level encryption between the phone and the tower to all but the most casual eavesdropper).

cpm 2010-03-09 22:48

Re: N900 security when using public wifi
 
I've set up openvpn server on my old N800 which I leave at home. I can then connect to it using my N900 on insecure networks and all the traffic goes through the secure tunnel to my home connection and then out onto the internet. It also means I can access devices that are sitting behind my home router and not made public.

Generic (not maemo-specific) setup guide:
http://openvpn.net/index.php/open-so...ion/howto.html
I used routing rather than bridging mode.

On my N800 (the server) I had to install iptables-ext and iptables-nat packages and install their kernel modules:
http://talk.maemo.org/showpost.php?p=89044&postcount=25

On my N900 I had to do this to make all traffic go through the tunnel:
http://talk.maemo.org/showpost.php?p=519753&postcount=5

It is quite a bit of work to set up, but now it's working, it's very easy to use and gives me peace of mind.

xman 2010-03-11 16:20

Re: N900 security when using public wifi
 
Hey cpm,

just curious, why did you choose vpn over ssh/vnc? Easier, better performance?

x

cpm 2010-03-11 17:39

Re: N900 security when using public wifi
 
I set it up to prevent eavesdropping of any traffic while connected via public wifi. Normally your ssh connection is protected, but if another program on your N900 makes a connection to something else, that's not protected. Once the vpn's established, you can ssh and vnc to your machines at home without having to make them publicly accessible by port-forwarding them through your router (thereby exposing them to attack).

xman 2010-03-11 20:46

Re: N900 security when using public wifi
 
ic, couldn't the same thing be done with ssh and proxy? Or is it simpler to connect vpn and then everything automatically goes through the vpn?

Btw, not trying to put one over the other just seeing if perhaps vpn fits my needs better. thx

x

demiurgus 2010-03-11 21:22

Re: N900 security when using public wifi
 
openvpn is really an ssh-tunnel with extra things around it to handle routing and stuff. I also use it like cpm describes, and I have set my server to listen on port 443, which enables me to use all kinds of traffic when I'm on a network that only allows http and https traffic. Yes, it actually tricks many filters that think my vpn traffic is https :-)

TA-t3 2010-03-12 16:24

Re: N900 security when using public wifi
 
vpn is simpler than setting up lots of tunnels through ssh. It transparently sets up a virtual network (thereby the name..) and everything goes through it.

@demiurgus: I don't know if you meant it literally or not.. but openvpn is _not_ an ssh tunnel with extra stuff. openvpn usually works over UDP, not TCP, to start with. A VPN solution that actually works as you describe is the Fortigate VPN client.

demiurgus 2010-03-13 07:13

Re: N900 security when using public wifi
 
Yes, I didn't mean it literally (technically), more from the point of view of usability and security; it's openssl doing the job in both cases.

xman 2010-03-15 17:19

Re: N900 security when using public wifi
 
Thanks guys, I haven't researched enough yet to figure out if vpn makes more sense for me than ssh/vnc. I spent enough time learning and getting my ssh stuff up and running, so I'm not really looking forward to setting up another one only to find out it's not really better for me.

Also I did find that you can set up a ssh with tsocks to get the dynamic port changing/tunneling. So I might look into that first.

With vpn are you still accessing your system through the terminal? Meaning, I don't have to open a xterm on the machine I log into to run commands?

x

TA-t3 2010-03-15 18:14

Re: N900 security when using public wifi
 
@xman:

VPN is transparent. If your VPN connection is to your home it'll look like you're just connected to your home network: You use the browser and everything else just the way you would at home. Everything is transparently sent through the VPN connection, it's not like an ssh command in the terminal.

(It's also possible to fiddle with the routing table so that something bypasses the VPN and the rest doesn't, but the default setup is that as soon as you engage the VPN connection you're virtually transferred to that other (home/work) network.)

xman 2010-03-15 21:21

Re: N900 security when using public wifi
 
I see, so in your opinion are there any downsides to using vpn over ssh/vnc? Or perhaps a better question, why would I want to use ssh/vnc?

thanks again

x

cpm 2010-03-15 21:53

Re: N900 security when using public wifi
 
If you only want to securely vnc, I don't think moving from ssh to vpn is going to provide you any tangible benefit and it's probably going to be quite an effort to set up (it was for me). If you want to tunnel all your traffic, vpn is the right tool for the job.

TA-t3 2010-03-16 11:04

Re: N900 security when using public wifi
 
Yep, as cpm said.

There are two main reasons for using VPN:
a) You want to tunnel all your traffic through somewhere else, for some reason (i.e. accessing internet sites through somewhere else)
b) You need to access an internal network from outside. E.g. a company network. This may not be possible just with SSH.

xman 2010-03-16 14:04

Re: N900 security when using public wifi
 
Thanks Guys! For now I think I'm happy the way things are. But I think at some point it might be nice to have my traffic tunneled and secure when on public wifi (without setting up the ssh socks/proxy stuff all the time).

But it's nice to know how the two protocols overlap and their main difference. Of course probably simplified, but I can do more research when I need it.

x


All times are GMT.