I am using a public access wireless network in order to access the internet on my university campus. It is an open network / has no encryption.

Given that I have *no* control over the network itself, is there anything I can do (on my part) to make my connection to the internet safer?

Somebody mentioned "OpenSSH" (or whatever) to me. Would it be appropriate in this case? Can anybody suggest any measures to me / point me in the direction of a *good* howto?

(Plain English, please! I don't really know what I'm doing)

Define your needs better. What exactly are you wanting to do? What do you mean by 'safer'?
Encryption will only help if you are talking to a computer that understands it...

You really must resign yourself to having no privacy if you must use a public/unencrypted connection. Do not send any info over this link that you would not allow _anyone_ to access.

If doing a CC transaction or whatever make damn sure the other connection is secure and using SSL (almost any reasonable online retailer will have this...look for the 'lock' in your browser).

I don't really know. I was just fishing for ideas.
I know: it is an open network, as I said. Nothing I can do about that. I was just wondering if any alternative measures could be taken.

However, the reason I started this thread was because somebody mentioned this to me (on this other thread: http://www.linuxquestions.org/questi...=470452&page=2)

This guy recommended I look into SSH tunneling. Is this appropriate for the sort of open network I'm using? Or is this really only for home usrs who own their own router?

Thanks

The trouble is that your connection to the net is insecure... that's quite unusual and you are usually quite confident that the ISP you use aren't going to be sniffing EVERYTHING that you do. Secure connections are the only guarantee that you won't be heard but having a "partially trusted" connection like a modem, cable etc. is useful to help the way along. With wireless, any idiot in a few hundred yards can read EVERYTHING you send/recieve the Internet and probe your machine.

However, the way around is, of course, encryption.

The problem comes when most packets on the internet are not encrypted (HTTP, FTP, POP3, STMP, etc.etc.etc.). Therefore you can't talk "encrypted" to them and so you have to talk plaintext.

This is where your problem lies... you can't just "encrypt" everything and still talk to remote HTTP sites (unless they are also HTTPS "secure" sites), but equally you need to encrypt SOMEHOW or anyone with a wireless card in a large range of you can read the websites you surf, the files you upload etc.

You can either: only ever talk encrypted (harder than it sounds as you won't be able to "hide" things like DNS lookups for the websites you visit) or implement a secure tunnel so that all the insecure stuff is encrypted and then decrypted "somewhere else" where it's not as easily sniffed (i.e. a landline connection of some sort, or a remote server etc.) from which it reaches the websites you want to look at etc.

This would require a PC under your control or with permission for you to use which will accept the other end of the VPN "tunnel" and access websites on your behalf - a proxy effectively.

If you have a server hosted elsewhere, you could use that (Look at OpenVPN etc.), otherwise you would have to set one up (e.g. by leaving a computer on somewhere that has a permanent Internet connection and running OpenVPN or similar), rent one, use a service that allows you to set up a tunnel to an external company (there are a few of these but they can be expensive), see if your univeristy has one you could use (quite probable but they would be the ones to ask) or let *all* your plaintext Internet communications be seen by any fool with a wireless card that can see the university network (including websites you visit, emails you send, etc.).

Personally, I'd ask the Uni if they are really serious about students using an open, unencrypted wireless network - if they say yes, then study elsewhere, especially if you are studying computing.

If they can't/won't help, then you will need to set up a tunnel, which involves renting/owning a PC somewhere in the world that has an Internet connection over a more secure medium (such as a modem, broadband, etc.) and connecting to it using VPN software.

I'm an ICT Technician and I use SSH and OpenVPN throughout the day to connect to various machines (not all of whom can be trusted to be secure, e.g. spyware, malicious users etc.). In these circumstances I ALWAYS use a tunnel back to my own private connection at home.

This is also my connection of choice when using wireless connections - no matter whether the access point I'm using at a customer's site is encrypted or not, I can connect (encrypted) back to my home PC and use my home broadband connection to browse the web without having to worry who's looking. And I didn't have to worry when WEP was broken or if/when WAP will be broken, the SSH is my ass-coverage and is religiously updated.

I have nothing to hide (I work for schools and my job requires me to download certain utilities when at a customer's site and that's the only time I need to use it), but I wouldn't use an unencrypted wireless channel for anything. A piece of advice - never EVER use an insecure wireless connection (that includes WEP encryption as well as unencrypted) in range of any students with a PC and never use one in any other circumstances anyway.

In summary, you need another endpoint to form an tunnel.

Yeah,

as you may have gathered from ledow's response, a VPN or SSH tunnel is only good if you are trying to contact a particular remote host that is set up to recieve you. For instance, a fellow at home connecting to the servers at work. It is not useful for general internet browsing...

Thanks for the response.

Well, what they do have once you've connected to the network is a login screen before you can begin browsing. Once you open a web browser, you are prompted to log in as you would be on a normal library workstation before you can use the internet. That's all.

Alas not. I'm a student and am cash strapped! I don't have a spare server lying anywhere unfortunately, and this is my only means of connecting to the internet on my computer.

I'll just have to risk that then, and make sure I never use anything sensitive over the wireless connection, e.g. credit card numbers. Any malicious network sniffer, though able to read my communications, wouldn't be able to hack into my laptop through this would they?

Anything you do over a secure HTTPS connection (e.g. banking etc.) will be encrypted and therefore quite safe. Your email (depending on your setup), including your email password may not, your FTP passwords, Instant Messaging logins (some of them at least), knowledge of every site you visit (because your DNS lookups will be traceable even for HTTPS sites) and even your login password for this "gateway" website or other university services won't be safe either, unless it's encrypted in some way.

Hence why it's such a diabolical system for the uni to run. Someone, somewhere who works for the univeristy will know this... find them and ask them what you can do, what you are at risk of, etc. They will know better than anyone.

What you are doing by joining a open, unencrypted wireless network is "plugging" a network cable into your machine and not knowing who or what is on the other end (even in the Uni buildings you're *quite* safe because of the monitoring usually done on such networks). Because you're using that "cable" for Internet, someone from the Internet can see you and theoretically monitor every packet you send, but in a trivially easy way rather than having to work at it like they would have to to monitor an "ordinary" connection (e.g. home broadband etc.).

Re: Them attacking you - yes it's perfectly possible, in fact almost certain. Make sure you have a decent firewall *minimum*. Keep up to date with software. Disable files shares etc. Don't run vulnerable programs. All the usual stuff. If nothing else, you are on a shared network will all those other smelly students who will almost certainly have a copy of every virus/spyware etc. known to man accumulated on their un-kempt machines. And that's before you consider if one of them actually bothers to see what they can find by poking around the network (Trust me, every CS student will do this at one time or another).

Personally, put in such a situation, I would check facts with the IT department and if they are complacent about the security of your information, lodge an official complaint. Fortunately, my Uni was not only very well informed on all matters (with 3 officially supported OS including Linux and MacOS) and funded but were extremely keen to stay on top of things like this, so I never needed to.

Of course, it may well be that they have certain systems in place to combat the above but it doesn't sound at all likely - it sounds like anything that's not in HTTP will not get tunnelled at all - thus leaving the primary causes of virus infection and propogation (open network shares, non-firewalled computers) open to attack.

In your position... I wouldn't use it until I was certain. My data is just too important to expose to such an open network - if you are writing your Uni notes and coursework on your laptop, think what would happen if you lost it all because you connected to their network.

Such as? (what do you mean exactly?)

Well, perhaps you could help me to come up with some work-arounds in the mean time.

[Even if I did convince them to make changes, the infrastructure is so big that it would certainly take a few weeks (plus the time for the beaucracy that would go with any administrative change: the IT technician would have a meeting with the university's senior administrator in order to schedule a meeting for the technology department, which would then contact the services department, who would contact their subcontractors, who would contact *their* subcontractors, who would have a conference to discuss what sort of biscuits should be provided for the meeting for the organization of a departmental meeting... it goes on). Would be at least a few weeks even if I suceeded. ]

Perhaps I could create a new user ultra-restricted user account to surf the internet with, who would only have permissions to use the web browser and port 80. (They would need sudo access to iwconfig, ifconfig and neat in order to activate the wireless card though).

What do you think? Any other suggestions?

I may be missing the boat as far as what you're attempting to accomplish on your end, but if privacy/anonymity is a concern, then TOR may be of use to you:

cheers,

It's not directly relevant, but still a very useful link
Thanks

I use ssh tunneling all the time.

My workstation runs an ssh server and an HTTP proxy (privoxy) which is always open to my LAN, and when I connect my WinXP wireless laptop to my lan (like right now) I only talk on the internet via an ssh tunnel to the HTTP proxy that is run through my workstation. Thus, though I am sitting in the family room with my laptop in my lap, my only connection is with my workstation via ssh. The workstation has a wired connection to the internet through a router and this way I can browse wireless without my neighbors being able to monitor my connection.

When I am traveling with the laptop, I forward a port from my router to my workstation, thus enabling external (WAN) connections to my workstation. So, when I sit down in a coffeehouse someplace, I establish a tunnel to my workstation and do all my browsing that way.

You don't need much to function as the other end of the tunnel. Pick up some obsolete box with a 500 MHz processor for $25 and install Linux in it. Make it a fairly minimal system; just make sure it has network access and runs OpenSSH.

good suggestion.
A cheap CPU I can manage (people give old ones away all the time), but I'll have to see if I can find a cheap router somewhere.

thanks.

Or, plan B... make good friends with someone with a router running linux with an unnecessarily fast internet connection!

(...who won't mind me tunneling into his computer and borrowing some bandwidth).

I think this one might be cheaper