What about online security

Van Living Forum

HDR,

As noted in the wiki link above, it is a Virtual Private Network. Your computer, or smart phone in this case, makes a secure (encrypted) connection to a computer server on the internet that all your internet communication goes through.

I was recently overseas and I did not buy a data package for my phone due to the high cost of data. Therefore, I only had wifi connection at public wifi sites. The VPN software I use made these secure connections I needed for all my internet connections.

I hope this helps.

Brent
 
Just a note. I avoid PayPal like the plague. Twice I experienced CC number theft and a third attempted. Each time was directly a result of using PayPal. I cannot afford their lax security.
 
If the connection is compromised, using PayPal isn't really secure.  The bad guys will get your PayPal ID and password.

No, they won't. 

The importance of public key cryptosystems (like SSL used on secure websites) is it doesn't matter who sees the data being transmitted. That's why it's called public key.  That's how it works.  That's why it's used.  That's why it doesn't matter if you connect to a secured website (or TLS email, or scp, sftp, etc) over open wifi.  Or post the session on a billboard or a full-page advertisement in a newspaper.

Don't believe it?  This is my public key.  This is a message encrypted to my public key; it contains my date of birth and social security number.  That's the same way your browser and secured webserver communicate.   Bad Guys can sniff that over all the open wifi they want and it still won't do them any good.

The most effective approach for non-technical RVers to stay secure on the web is to only give personal info over SSL-secured websites.  These can be identified with the closed padlock icon in the browser.  Further reading for any interested parties:
wiki article on TLS/SSL
wiki article on public key cryptography


I'm bowing out of this thread before my head explodes, so don't take my failure to correct future misinformation as tacit agreement.
 
frater secessus is spot on about the security of SSL/TLS and private/public key pair encryption.

There are a few side channel attacks you should know about when using public WiFi and cellular data. These are accessible to anyone and require very little skill to implement.

WiFi Pineapple/Rogue AP
This is a neat little toy that allows me to spoof an access point. I can run a de-authorization attack on the real AP and imitate the AP, or more simply just run the AP alongside with a similar name. Anyone who associates with my AP I can run sslstrip and man in the middle attack you before you connect to any HTTPS websites. If you don't check for the padlock, I own your connection and see everything you do. You'll see twitter, facebook, gmail, or amazon just like always - the difference is your traffic is insecure (no padlock in your browser) and is running through my system while I watch you. MAKE SURE you get that all-powerful padlock and that the URL is correct each and every time.

IMSI Catcher
Also known as a Stingray, people think this tech is only in the hands of big brother - not so. I can slurp up your cell data if you are running a GSM device with an SDR GNU radio running OpenBTS, I just need to downgrade you to 2G by selectively jamming 3G+ GSM and then your cell device connects to my rogue tower unauthenticated, where I can spoof your DNS, strip your SSL, and do whatever I could do with the Pineapple above. If you were running 3g or 4g and suddenly your device drops down to 2G or "edge" you could be talking to me. Don't worry, I'll pass your traffic along to the real cell tower once I take a look at your goodies. :)

WiFi hotspots, Home Router
So you made sure to set up WPA2 on your router or hotspot, good job! I hope you picked a strong password, because I can sniff your handshake and crack passwords less than 12 alphanumeric characters in a matter of minutes to hours with my array of graphics cards, they're not just for video games anymore! I can dictionary attack with rainbow tables any common English-language word based passwords in a similar time frame.

Plaintext websites & email logins
OK, so you watched your SSL padlock, and didn't fall for the fake AP I made. I hope you don't use the same password on a non-SSL website as you do on your online banking! And if you are passing your email address in your login to your provider in plain text through your mail client, I can spear phish you with some handy social engineering tricks which is usually the easiest way to specifically target an individual. The more I know about you and your interests, the easier it is for me to phish you. If I am on the same WiFi network as you, I can see any and all unencrypted data you transmit, including DNS queries, non-HTTPS web traffic, etc.

These are some of the best and easiest attacks. There are others. A VPN isn't the worst idea, as once your data is inside that tunnel, it's hard for average Joe hacker to watch your traffic, even on a compromised middle point like a rogue AP or IMSI catcher. VPN compromise is also possible, but most providers have upgraded to stronger handshakes and protocols which make our lives as evil hackers more difficult. Be safe and sleep tight!
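
The padlock-and-URL check urged in the post above, written out as an added Python example (it is not part of any forum post). The trusted-host list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user actually logs in to (constructed list).
TRUSTED_HOSTS = {"paypal.com", "amazon.com", "twitter.com"}


def check_login_url(url, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for a URL copied from the browser's address bar."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        # What a stripped connection looks like: same site, no padlock.
        return False, "not HTTPS: anyone on the network path can read it"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        # In https://paypal.com@evil.example/ the real host is evil.example.
        return False, "text before '@' is not the host; real host is " + host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized hostname, may use lookalike letters"
    for good in trusted:
        # Exact match or a true subdomain; 'paypal.com.evil.example' is neither.
        if host == good or host.endswith("." + good):
            return True, "HTTPS and host belongs to " + good
    return False, "host '" + host + "' is not on the trusted list"


if __name__ == "__main__":
    # Constructed sample URLs: one good, four that should be refused.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://paypal.com.evil.example/signin",
        "https://paypal.com@evil.example/signin",
        "https://xn--pypal-4ve.com/signin",
    ]
    for u in samples:
        ok, reason = check_login_url(u)
        print("OK  " if ok else "STOP", u, "->", reason)
```
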
 
AngryVanMan said:
These are some of the best and easiest attacks.  There are others.  A VPN isn't the worst idea, as once your data is inside that tunnel, it's hard for average Joe hacker to watch your traffic, even on a compromised middle point like a rogue AP or IMSI catcher.  VPN compromise is also possible, but most providers have upgraded to stronger handshakes and protocols which make our lives as evil hackers more difficult.  Be safe and sleep tight!

Gee, I feel so safe now!  :blush:
 
