Guide to Hotspot Safety: Page 2

Posted January 18, 2008

Lisa Phifer


(Page 2 of 2)

Step 3: Secure your hotspot login 

To avoid accidental associations with strangers, configure your Wi-Fi connection to connect only to Preferred Networks, in manual (not automatic) mode. This ensures that you retain complete control over your wireless connectivity when visiting hotspots (below).



The only foolproof way to ensure that you connect to a legitimate hotspot AP is to verify the server’s certificate. In hotspots with WPA-Enterprise (e.g., T-Mobile, iBAHN), configure your laptop to validate the server’s certificate during 802.1x (below).
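
An added example, not part of the original article: a short Python audit that flags the two Step 3 mistakes above (joining an open network automatically, and using 802.1X without validating the server's certificate). It assumes wpa_supplicant as the Wi-Fi client, which the article does not name. The configuration is a constructed sample, and the CA path and server domain in it are placeholders.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the article). The SSIDs are
# the article's examples; the CA path and server domain are placeholders.
SAMPLE_CONF = '''
network={
    ssid="tmobile"
    key_mgmt=NONE
}
network={
    ssid="stsn_wpa"
    key_mgmt=WPA-EAP
}
network={
    ssid="tmobile1x"
    key_mgmt=WPA-EAP
    ca_cert="/path/to/PLACEHOLDER_root_ca.pem"
    domain_suffix_match="radius.example.com"
    disabled=1
}
'''
# Any one of these ties the validated certificate to an expected server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of option -> value for each network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        lines = [l for l in body.splitlines() if "=" in l and not l.lstrip().startswith("#")]
        nets.append({k.strip(): v.strip().strip('"') for k, v in (l.split("=", 1) for l in lines)})
    return nets

def audit(conf):
    """Map each SSID to a list of findings; an empty list means nothing was flagged."""
    report = {}
    for net in parse_networks(conf):
        issues = []
        key_mgmt = net.get("key_mgmt", "")  # blocks with no explicit key_mgmt are not assessed
        if key_mgmt == "NONE" and net.get("disabled", "0") != "1":
            issues.append("open network would be joined automatically")
        if "EAP" in key_mgmt or "IEEE8021X" in key_mgmt:
            if "ca_cert" not in net and "ca_path" not in net:
                issues.append("802.1X server certificate is not validated (no CA configured)")
            if not any(k in net for k in NAME_CHECKS):
                issues.append("no expected server name set for the certificate")
        report[net.get("ssid", "?")] = issues
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

In the sample, only the tmobile1x block passes: it names a CA, pins the server name, and is marked disabled=1 so it is joined only when explicitly enabled.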



In hotspots where 802.1x is not available, see if you can use a secure roaming client (e.g., iPass, Boingo) that transparently authenticates both you and the hotspot to an off-site roam server (below).



Think twice about using unfamiliar paid hotspots that do not support either option. Man-in-the-middle attacks are very difficult to avoid there, since you don’t even know what the server's identity should be. If you decide that the risk is worth it, then avoid entering credit card numbers unless the hotspot login page is SSL-encrypted and the server’s certificate is valid and signed by a trusted root authority. If anything looks suspicious (as below), go somewhere else.



Step 4: Encrypt your data

In hotspots that offer WPA-Enterprise (below), connect to the encrypted network’s SSID (e.g., tmobile1x, stsn_wpa), being careful to avoid the open network (e.g., tmobile, stsn). With WPA, all packets sent by your laptop will be encrypted—including LAN broadcasts. However, when they reach the hotspot AP, packets will be decrypted and routed onto the Internet.


Encrypt data with WPA.


In hotspots without WPA, use higher-layer encryption. If you don’t have your own VPN, you can use a consumer VPN service like JiWire Hotspot Helper, Witopia personalVPN, or HotspotVPN. For example, download and install AnchorFree, an OpenVPN client that tunnels your traffic to a free VPN gateway out on the Internet (below). These services decrypt packets at the provider's VPN gateway before relaying them to the destination in the clear.


Encrypt data with a VPN.

To protect packets all the way to their destination, without your own VPN, use applications that can encrypt their own messages, like SSL-protected websites and mail clients (below). Doing so hides those messages from third parties, but leaves other applications exposed. For better coverage, protect everything with WPA or VPN, adding SSL for sensitive applications.


Encrypt e-mail with SSL.


Step 5: Watch your step

Many hotspot connection managers, personal firewalls, and Internet security programs can log network activity. Use those logs to confirm or deny your suspicions whenever an incident occurs. If you spend a lot of time at unfamiliar hotspots, consider installing a host Wireless IPS program like Shmoo Group HSDK or AirDefense Personal (below). After all, what you can't see CAN hurt you—especially if you're careless.

Like any traveler in unfamiliar territory, the single most important thing that you can do is to exercise caution and err on the side of safety. If a hotspot feels "phishy" don't stay connected. If your firewall warns you about suspicious activity, don't click "ok" and continue. By combining basic security measures with sound judgment, you can use hotspots safely.
