Secure Internet?

Discussion in 'Mac Basics and Help' started by Texas_Toast, Nov 12, 2016.

  1. Texas_Toast macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #1
    What exactly makes an Internet connection "secure"?

    Obviously using free wifi at Starbucks isn't a great place to be if you want security, but are there other ways people connect to the Internet that are also risky?

    I have an AT&T hot spot and my understanding is that it is fairly secure.

    Can the same be said if you have a wireless router at home?

    What about if you have DSL?

    What about cable?

    Is using your iPhone (or Android) as a hot spot secure?

    Thanks.
     
  2. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #2
    One way of thinking about a secure connection is to think about whom you have to trust to reach your destination, i.e. a website. There are multiple waypoints that can interfere with your Internet traffic and prevent you from connecting in a confidential manner.
    1. Local network, such as your home network or a wireless access point
    2. Internet service provider (ISP)
    3. Domain-name server (DNS)
    4. Target server (and its own DNS, ISP and home network)
    Whoever controls your local network or Internet access can intercept your Internet traffic, redirect you to compromised or counterfeit websites and read all the transmitted data if sent in plain text (e.g. HTTP instead of HTTPS). You want to make sure that you are in a network you trust; the same is true for the ISP.

    When you try to access a website via its domain name, e.g. macrumors.com, you will also need to connect to a DNS to resolve the IP address of the target. This can of course be compromised as well (e.g. macrumors.com could be pointed to another server). Usually, the DNS is set by your router or by your ISP, but you can define a server yourself if you do not trust your local network or ISP. Obviously, (1) and (2) still apply and your DNS of choice could be compromised as well.

    Finally, there is of course the target server, which itself will operate with a DNS, ISP and home network. This is obviously something largely beyond your control.

    There are several ways to mitigate these attacks:
    1. Make sure that you are in a network you trust. Public networks, especially ones without a password, should be distrusted, as a rule of thumb. The same applies to an iPhone hotspot, if the device does not belong to you or if its Internet connection is dependent upon a local network. Hotspots that are provided by your ISP and to which you connect with provided credentials are a bit of a grey area, but they may be trustworthy.

    2. Make sure that when you connect to websites, you do so via HTTPS instead of HTTP, and enforce SSL/TLS connections (e.g. in Mail, Contacts, Calendars) when available. Sometimes, websites do not default to HTTPS or mention this. http://www.apple.com and https://www.apple.com are an example: both sites will work, but only one is secured with HTTPS.

      Often you can just try for yourself by changing the ‘http:’ in the address to ‘https:’ (your browser will usually tell you if the HTTPS connection could not be established without errors and you need to pay attention to this). HTTPS will make sure that the contents of your Internet traffic between the target server and yourself are encrypted, but it does not necessarily guarantee that you are connecting to the ‘real’ server. To that end, more and more websites let their identity be confirmed by a certificate authority as well. You can see this on https://www.apple.com, where you will see a green lock icon and the name of the website owner, in this case Apple Inc. Many banking websites offer this and you should always make sure that this appears in your browser.

    3. Use a virtual private network (VPN) to protect yourself from compromised local networks and ISPs, e.g. when you are at Starbucks. When you connect to a VPN server, it will create a tunnel between your computer and the VPN server and protect your traffic in between. The VPN server will then redirect your traffic to its destination. Obviously, you will need to trust your VPN as well and be aware that a VPN server also has an ISP and a DNS, which can be compromised. It is not a master key to secure networking; it just protects you from local threats by moving your traffic to another location.

    There are other things you want to consider, but I think these are the most important aspects that most people will have to deal with.
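
Added example (not part of KALLT's post): post #2 distinguishes an encrypted HTTPS connection from one where a certificate authority has also confirmed the site owner's identity. The Python sketch below reads that owner name out of a server certificate; the sample certificates, hostnames and organisation names are constructed for illustration, and the function names are this example's own.

```python
import socket
import ssl

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
# Hostnames and organisation names are made up for illustration.
SAMPLE_WITH_OWNER = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc."),),
                (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA EV G1"),)),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}
SAMPLE_DOMAIN_ONLY = {
    "subject": ((("commonName", "blog.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "blog.example"),),
}


def fetch_peer_cert(host, port=443, timeout=5):
    """Open a TLS connection with default checks (CA chain and hostname)
    and return the server certificate; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name):
    # A name is a tuple of RDNs, each a tuple of (key, value) pairs.
    return {key: value for rdn in name for key, value in rdn}


def describe_identity(cert):
    """Summarise who the certificate says the site is and who vouched for it."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    return {
        # None means the CA only confirmed control of the domain name.
        "owner": subject.get("organizationName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_OWNER, SAMPLE_DOMAIN_ONLY):
        print(describe_identity(sample))
    # Live check (needs network): print(describe_identity(fetch_peer_cert("www.apple.com")))
```

A certificate whose `owner` comes back as `None` still gives an encrypted connection; it only means the certificate authority vouched for the domain name rather than for a named organisation.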
     
  3. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #3
    KALLT,

    Thanks for the detailed explanation - all good information to share in the MacRumors community.

    Most of what you wrote were things I knew.

    Could you please comment on the security of the items in my OP, though?

    1.) Would you consider a wireless AT&T hot spot to be reasonably secure?

    2.) What about a wireless router at home?

    3.) What about DSL at home?

    4.) What about a cable modem at home?

    5.) What about dial-up service - if that even exists anymore - at home?

    6.) What about using your smartphone as a hot spot?


    I use a VPN, but am curious how secure any of the above mediums would be if you used them straight up with no VPN.

    And out of that list of 6, are some more secure than others?

    Thanks.
     
  4. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    If you read my post carefully, you can figure most of these out for yourself. The gist above still applies: you need to trust the local network (whether Wi-Fi, ethernet, smartphone hotspot or otherwise), the ISP (whether DSL or dial-in) and the DNS. Obviously, at home you can trust your own local network, in most cases also your ISP and its designated DNS. The problems really start when you are not at home and have to use someone else’s network, ISP and DNS.

    A hotspot, also a local network, if operated by someone else, is prima facie untrustworthy. You have to consider who operates the hotspot and whether you trust them. Consider also how you connect to this hotspot. If the hotspot is public and uses no authentication or a simple username/password authentication (which can be faked too), then you should not consider them secure. ISPs usually distribute network profiles for this purpose which you can install on your device and which manage your authentication to such networks automatically. I cannot say anything about AT&T, because I do not know anything about them.
     
  5. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #5
    So it sounds like a hot spot owned by me or DSL service owned by me or a cable modem owned by me would be equally secure.


    I was asking from the point of view of owning each of the above choices.


    I agree.

    How does using your smartphone as a hot spot compare to the other choices above?

    I would think that mobile technology is more secure, but having never used a cellphone before who knows.
     
  6. bcave098 macrumors 6502a

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #6
    Using a mobile device as a hot spot should be equally secure as using a Wi-Fi router at home, but the same principles of what @KALLT said apply. The ISP in this case is your cellular provider.
     
  7. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #7
    If you are concerned about the security of the ISP, then presumably a hot spot, smartphone used as a hot spot, DSL and cable would all be equal. (3 of the 4 would all come from AT&T in my case.)

    Can a hot spot or smartphone used as a hot spot be hacked - as in sidejacked?
     
  8. bcave098 macrumors 6502a

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #8
    Cell phone hotspots, such as that on the iPhone, use the same security as most Wi-Fi routers (WPA2, I believe) which is pretty much as secure as it gets.
     
  9. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #9
    In the old days, the wisdom was that wired connections were much safer than wireless. But since mobile and configured wireless routers use encryption, I guess that puts them all on the same level.

    I suppose you could say that unsecured free wifi spots are the weak link.

    Of course, as @KALLT said above, there are risks with ISPs and DNS services. That is why I use a VPN whenever possible.
     
  10. bcave098 macrumors 6502a

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #10
    Exactly. If you're sending unencrypted data (such as posting on this forum) using 'free' Wi-Fi, you're essentially leaving your data on your front yard (forget about unlocked doors).
     
  11. Texas_Toast thread starter macrumors 6502a

    Texas_Toast

    Joined:
    Feb 6, 2016
    Location:
    Texas
    #11
    When you run the setup assistant on a new Mac, I assume you want to do it over a secure connection, right?

    Does anyone know what, if anything, is passed over the Internet when you set up a new Mac?
     
  12. bcave098 macrumors 6502a

    bcave098

    Joined:
    Sep 6, 2015
    Location:
    Northern British Columbia
    #12
    Honestly I don't know, but it would probably be mostly Apple ID/iCloud related which is all encrypted with SSL.
     
  13. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #13
    KALLT gave you some pretty good info there. There are several facets to "security" and also to understanding levels of "risk."

    When you speak of providers (whether DSL or Cable or...) they all have in common being 3rd party and not exactly in your hands. What is* in your hands are tools to improve security on your side at home. (I'll leave hot spots etc. for the moment).

    I won't go through all the permutations here of security at home but you might consider investigating

    drive encryption
    software fire wall and the various levels/types
    hardware fire wall and the various types
    anti-virus/anti malware software and services

    For home, consider best practices for using WPA2 WiFi ranging from pass phrases to not broadcasting your network SSID etc. An item often not discussed is going the opposite of what many want - limiting strength of signal so it does not bleed out into the environment beyond your home.

    For the computer - ideally, non-used ports should be made not available. There are typical ports used for email, web pages etc. You can look them up fairly easily. Windows has a fair firewall tool but it is a bit cumbersome to get the full benefit. OSX/MacOS does not really do much as compared to Windows BUT the ability to do something is still there and there are 3rd party tools to gain access easily and get a fair representation on the status of your computer.

    There are some ideal ways to be on the road and have a fair amount of security. One way is to not go directly out to sites via your hot spot but rather, VPN into your home system and through your home system (and its security) go to the internet from home. While not perfect, it adds a layer of protection if done correctly.

    As you can see, the list can get very long on what it takes to reduce risk and improve security. I only mentioned perhaps a small amount of what can be done at a non-business level.

    Other missed security item - Get rid of "auto pay" as much as possible. You are better off setting up online payments to these companies with your bank. If it's the same amount each month, that could possibly be done with an auto pay of sorts from your bank. If amounts vary month to month, get the bill and set up electronic pay for that company so you log in, plug in the dollars and the bank pays it. This method is SAFER. Your credit card info only resides with the bank and not all the people you have accounts with that you make payments to. Each of them has the potential to be hacked.

    I'll leave the various forms of communication out of the discussion as others somewhat mentioned them other than you would want to check to make sure those ports are available and not shut down.
     
