I’ve read lots of articles in a wide variety of publications that try to help people “practice safe computing”, but nearly every one I’ve seen retreads the same small set of issues and misses the bigger picture. In this post I’m going to try to change that.
I travel a lot and use my laptop (sadly, not yet an Ultrabook, but maybe soon...) at open Wi-Fi hotspots all over the place. The advice here is what I do to protect myself and is what I advise others to do. In some cases I’ll be mentioning specific products; these are what I use personally (and in some cases pay for myself), but don’t read these recommendations as an endorsement by anyone but me.
#1 Use HTTPS Everywhere
I know, you’ve read dozens of articles telling you to make sure that any page you type passwords or sensitive info on is a “secure” page with a URL (web address) that starts with https: . This means that the information sent between the web site and your browser is encrypted so that it can’t be read by others. That’s fine, but for a lot of what you do, it’s only the login page that is secured – after that, you’re back to unsecured pages. Why? It takes a bit more processing power at the web server to deal with secure pages, so the default is to log you in securely, but send your browser a “cookie”, a key that is sent with every request, to identify you as the user who logged in. But if the page you’re on isn’t secure, anyone who “sniffs” the wireless traffic can see this cookie and can use it to impersonate you. This is most often a problem on email sites (Gmail, Hotmail, etc.) and social network sites (Twitter, Facebook, LinkedIn, etc.). Recently, a free tool called Firesheep was developed that makes it easy to impersonate a Facebook user who is using the same Wi-Fi hotspot.
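The cookie problem above is easy to check from the server side: a session cookie that is set without the `Secure` attribute will be sent by the browser on any plain `http://` request, which is exactly what a hotspot sniffer waits for. The following is an added example, not code from the original post; it parses constructed `Set-Cookie` headers with Python's standard library and reports the attributes an auditor would expect on a login cookie.

```python
"""Audit Set-Cookie headers for the attributes that stop a session cookie
from leaking over unencrypted pages (added example; sample headers are constructed)."""
from http.cookies import SimpleCookie

# Constructed sample response headers: the weak form is what the post describes,
# where only the login page is https and the cookie then rides on plain http.
SAMPLE_HEADERS = {
    "weak": "sessionid=abc123; Path=/",
    "hardened": "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def cookie_flags(set_cookie_header: str) -> dict:
    """Return the security-relevant attributes present on one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    return {
        "name": name,
        "secure": bool(morsel["secure"]),       # only sent over https://
        "httponly": bool(morsel["httponly"]),   # not readable by page scripts
        "samesite": morsel["samesite"] or None, # limits cross-site sending
    }


def audit_cookie(set_cookie_header: str) -> list[str]:
    """List the problems to flag for a cookie that identifies a logged-in user."""
    flags = cookie_flags(set_cookie_header)
    problems = []
    if not flags["secure"]:
        problems.append("missing Secure: browser will send it over plain http://")
    if not flags["httponly"]:
        problems.append("missing HttpOnly: readable by scripts on the page")
    if not flags["samesite"]:
        problems.append("missing SameSite: sent on cross-site requests")
    return problems


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_cookie(header) or "ok")
```

Run it and the "weak" header produces three findings while the "hardened" one produces none; the `Secure` attribute is the one that directly addresses the sniffing scenario, since it keeps the cookie off unencrypted requests no matter which page the user lands on.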
For a long time, web service providers were largely indifferent to the risks of non-secure pages, but recently many of them have made it possible for you to always use a secure connection to the service. Here are links to instructions for some of the more popular services that offer this option:
Your web searches can be “sniffed” too! Google recently changed to always use a secure connection if you are logged in, but this applies only when searching from the Google main site itself, not from web browser toolbars (though the Google toolbar will use a secure connection if logged in). You can explicitly request a secure search window by going to https://www.google.com/. Bing and Yahoo do not yet support secure searches, as best as I can tell.
For users of the Firefox or Chrome browsers, the Electronic Frontier Foundation has an add-on called, naturally enough, HTTPS Everywhere. This automatically redirects you to the secure version of any site in its large list. It seems like a great idea, but I found that it caused glitches at some sites, notably iGoogle, so I stopped using it. Feel free to give it a spin – it may work for you.
#2 Use a Password Manager
In the past year there has been a steady drumbeat of news reports where hackers broke into some website’s servers and made off with its list of users, including their passwords. Sadly, many sites inadequately protect the passwords they store: some keep them in plain text, others encrypt or hash them but do so in a manner readily susceptible to decoding. The data thieves often count on people using the same password on many or all their sites, so a password stolen from one site is often good on another.
The usual advice for this is to use a different password on every site, but even with mnemonic tricks, it can be difficult to impossible to keep track in your head of which password goes where. It also means that people are more likely to choose simplistic passwords. The solution is to use a password manager that keeps track of the passwords, making it easy to have a different (and difficult to guess) password for each site.
Every browser contains a built-in password manager, but these rarely help you pick secure passwords and are specific to each browser. There are a number of separate password managers out there – the one I like best is LastPass, which is free and supports many browsers on Windows, Linux and OS X. The nice thing about LastPass is that your password list is available in all the browsers automatically and is heavily encrypted, with your master password never leaving your browser. There is also an inexpensive premium service (currently $12/year) that extends LastPass to mobile platforms including iOS, Symbian, Android, Windows Phone 7 and others. LastPass will also generate a random password for you and fill it in when you create or change passwords. It is very easy to use and very secure.
#3 Pick a Secure Master Password
Ok, let’s say you’re using a password manager which requires a master password to unlock. How do you pick a good password? The advice I most commonly read is to take some phrase and turn it into a password; for example, “My mother gave me 8 bananas!” might turn into “Mmgm8b!”. The problem with these is that the passwords tend to be short, and even mixing punctuation in makes them vulnerable to high-performance brute force password crackers.
An alternative scheme has been gaining popularity: using a series of random words. This is perhaps best illustrated by this xkcd comic, where instead of a difficult to remember (but easy for computers to guess) password with character substitutions, such as “tr0ub4dor&3”, a longer string of two, three or four words is used (“correct” “horse” “battery” “staple”.)
A recent study, however, found that many people who think they are using this technique instead pick common phrases that are subject to a dictionary attack. If you go this route, it is important to really pick random words. What I do is go to a web site that displays random words, ostensibly as an aid to writers and poets, and have it generate several dozen. I’ll pick some from those that I can remember but which would not tend to show up together in normal use, for example, “odoriferous” “supple” “teakettle”. One such site is Coyote Cult, but if you do a web search for “random word generator” you’ll find many.
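The difference between a memorable phrase and a random one is measurable: a passphrase's strength against a guessing attack comes from the size of the word list and the number of words, and only if each word is drawn independently at random. This added example (not from the original post) draws words with Python's `secrets` module and computes the resulting bits of entropy; the embedded word list is a constructed 32-word sample, far too small for real use, where a list of several thousand words (Diceware's list has 7776) is the norm.

```python
"""Random-word passphrases and their entropy (added example; word list is constructed)."""
import math
import secrets

# Constructed sample list: 32 words = 5 bits per word. A real list should have
# thousands of entries; this one only demonstrates the mechanics.
WORDLIST = [
    "odoriferous", "supple", "teakettle", "granite", "lantern", "marble", "quiver",
    "saddle", "tundra", "velvet", "walrus", "zephyr", "anvil", "bramble", "cobalt",
    "dapple", "ember", "fennel", "gossamer", "harbor", "icicle", "juniper", "kestrel",
    "lichen", "meadow", "nettle", "orchard", "pewter", "quartz", "ripple", "sorrel",
    "thimble",
]


def entropy_bits(wordlist_size: int, words: int) -> float:
    """Bits of entropy for `words` independent uniform picks from a list."""
    return words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Upper bound for a character password of the given length if every character
    were uniformly random; real mangled phrases such as 'Mmgm8b!' fall well below it."""
    return length * math.log2(charset_size)


def random_passphrase(words: int, wordlist: list[str] = WORDLIST) -> list[str]:
    """Pick words with a cryptographic RNG; each pick is independent, so the
    entropy calculation above actually applies (a remembered phrase does not qualify)."""
    return [secrets.choice(wordlist) for _ in range(words)]


def compare(words: int, real_list_size: int = 7776) -> dict:
    """Summarise passphrase strength for a given word count on a realistic list size."""
    return {
        "words": words,
        "bits": round(entropy_bits(real_list_size, words), 1),
        "equivalent_random_chars": round(entropy_bits(real_list_size, words)
                                         / math.log2(95), 1),
    }


if __name__ == "__main__":
    print(" ".join(random_passphrase(4)))
    for n in (3, 4, 5):
        print(compare(n))
```

Four words from a 7776-word list give about 52 bits, comparable to roughly eight fully random printable characters; the important caveat the study above raises is that the arithmetic only holds when the words are chosen by a random process, not recalled as a phrase.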
#4 Use a Virtual Private Network
This tip is perhaps a bit more complicated than the others. As I wrote above, when you’re at an open hotspot your web traffic can be seen by others. Even if you’re using https (see tip 1), it’s possible for someone to redirect your browser to a malicious server if they have control over the hotspot’s domain name resolution service (DNS). Also, you may do other things that don’t support https, and it’s even possible, in some cases, for someone to let you think you are connecting to a particular service when, without your knowledge, you’re connecting somewhere else.
The solution to this is something the corporate world, including Intel, makes regular use of, a Virtual Private Network (VPN). With a VPN, you connect to a VPN server and log into it. It creates a secure, encrypted “tunnel” for all network traffic between your computer and the VPN server, including DNS lookups. The VPN server, in turn, relays your requests to your intended destination. Once you have established the VPN connection, everything you do is encrypted and safe from prying and misdirection.
There are many ways for individuals to take advantage of a VPN. You can sign up to use a commercial server, which usually has a fee. I use Witopia’s PersonalVPN service, which has servers in many countries. (An interesting advantage of using a VPN is that your connection appears to come from the VPN server and not where your computer is located. VPNs can also be used in many countries that otherwise restrict network access.) Many technical-minded people set up their own VPN server at home, using open-source software or a home router with a VPN option.
If all you want to do is browse the web safely, another option is SurfEasy, a small USB device that fits in a credit-card sized holder. Insert the device into any PC or Mac, run the included program, and you have a safe and secure VPN tunnel created for you with your own Firefox-based web browser. This is a commercial service, with some amount of usage per month free, with more available for purchase.
I hope you have found this information useful and that it will help keep your Internet usage safe wherever you and your Ultrabook go.