Jordan Sissel

Tue, 29 Aug 2006

Random thoughts on wifi and vpn.

Given that we can't control all of the hops between ourselves and every endpoint on the internet, can we really be sure our traffic is secure?

Food for thought: My home vpn is a very simple poptop setup. It does not use certificates. How do I verify that my vpn connection is untainted? How difficult would it be to intercept my vpn connection request with a rogue vpn server?

Let's say I'm on Google's free wifi here in Mountain View, and someone's being naughty by putting up the following rogue services: dhcp, dns, and vpn. It is trivial to advertise a route on the network and redirect vpn connections to a rogue vpn service. This rogue vpn service could use the intended vpn as an authentication service. In doing so, the "bad guy" can quite easily join the two vpn tunnels such that the victim has no idea he has been victimized.

Put simply, how hard would it be for me, personally, to do this? Tools that come to mind are: FreeRadius, Poptop server, isc-dhcp server, BIND 9, pf. Tack on a trivial script to interrupt the normal network services such as DHCP and DNS, and you've got something that can easily be deployed on a laptop.

I'm sure there are technologies to prevent this kind of MITM attack on vpns, right? IPSec, perhaps? I don't know. More research is required.

How secure are you on your favorite wifi hotspot? How secure are the "secure" services we rely on?

Permalink: /geekery/random-thoughts-wifi-vpn
posted at: 22:54


4 responses to 'Random thoughts on wifi and vpn.'

Adam posted at Wed Aug 30 09:35:29 2006...
IPSec is certainly an implementation that would resolve these issues. Certificates, generally, solve this problem. Anything that uses certificates is going to help you here. You might look into an SSL VPN. They're becoming more popular nowadays, but may require special software. IPSec is pretty well supported, especially in combination with L2TP.

Basically, you need mutual authentication -- the server must identify itself to you, and you to it, in order for access credentials to be exchanged and verified.

Adam posted at Wed Aug 30 09:42:18 2006...
Ah, I had another idea.

What if you simply tunneled SOCKS through SSH? You can run a SOCKS proxy server on one of your FreeBSD systems in a "secure" location, SSH to it (with a known key, i.e. mutual authentication), create a tunnel to the SOCKS server, and then you can browse the web, FTP, etc. encrypted with commonplace SSH.

PuTTY is a nice, small, standalone SSH client and supports tunnelling, which makes it perfect for use on a flash drive. I think you could also install a portable version of Firefox so that you have enough access to modify the proxy/connection settings (if you weren't administrator of the machine).
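The "known key" part of this suggestion is what defeats the rogue endpoint in the original post: the client refuses to talk to a server whose host key does not match the one pinned in known_hosts. The following is an added illustration (not code from the post, the comments, or OpenSSH itself) of that check, computing the SHA256 fingerprint exactly as OpenSSH prints it and comparing a presented key against a pinned one; the host name and both keys are constructed sample values.

```python
import base64
import hashlib

# OpenSSH encodes a public key as length-prefixed fields: key type, then key bytes.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def make_key_line(host: str, key_bytes: bytes) -> str:
    """Build a known_hosts-style line ("host ssh-ed25519 <base64 blob>") from raw key bytes.
    Constructed sample only: these are not real host keys."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the form ssh shows the user: SHA256:<unpadded base64>."""
    _host, _ktype, b64 = key_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(pinned_line: str, presented_line: str) -> bool:
    """Accept the presented key only if its type and fingerprint match the pinned entry.
    This is the decision StrictHostKeyChecking makes before any password is sent."""
    if pinned_line.split()[1] != presented_line.split()[1]:
        return False
    return fingerprint(pinned_line) == fingerprint(presented_line)

# Constructed keys: the one pinned at home, and one a rogue endpoint might present.
PINNED = make_key_line("home.example", bytes(range(32)))
ROGUE = make_key_line("home.example", bytes(range(1, 33)))

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint(PINNED))
    print("pinned key accepted:", host_key_matches(PINNED, PINNED))
    print("rogue key accepted:", host_key_matches(PINNED, ROGUE))
```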

Wesley Shields posted at Wed Aug 30 13:35:07 2006...
Certificates will certainly help, but they are not a simple drop-in replacement. How many users don't have a clue what a certificate is, how the whole system works, and even what they are looking at when presented with a "do you accept this certificate" dialog? I, for one, know my mother would blindly click accept to any certificate presented to her.

Adam posted at Thu Aug 31 13:58:13 2006...
Oh, certainly if one is not aware of the importance of valid certificates. I can only speak to those who are.

Anyway, I'm browsing and chatting via my university's free wifi, tunneled to /usr/ports/net/3proxy through an SSH connection to my home server. Sweet!
