#31772 - 11/14/14 07:56 AM WiFi security
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
I suspect this is a simple query with a simple answer. Maybe not.

With dialup/DSL Internet access, security of one's computer and contents seems to be satisfactorily looked after by activating my Mac's firewall and Stealth Mode.

With router/WiFi access, security is supposedly assured via the router with a password + its supposedly built-in firewall, and it is recommended that the Mac's firewall (and also Stealth Mode?) be turned off. This does not sound like a good idea to me. What say assembled Mac users?

Beyond that, how does one assure security with WiFi hotspots (public or otherwise), even those which are passworded? I'd be extremely reluctant to do business, particularly financial business, under such conditions. What protections are out there if one is forced into such a scenario?

#31773 - 11/14/14 11:21 AM Re: WiFi security [Re: grelber]
deniro Offline


Registered: 09/09/09
I don't know who recommended you turn off your firewall just because you have a router. No one ever said that to me. I have my firewall on all the time.

On your second point, I do not trust public wifi and never use it. The only place I connect to the internet is at home.
_________________________
OS X 10.11.6
iMac 21.5", Mid 2011
2.8 GHz Intel Core i7, 24 GB
AMD Radeon HD 6770M
Using Apple computers since 1980

#31774 - 11/14/14 11:29 AM Re: WiFi security [Re: grelber]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Your router uses Network Address Translation (NAT), which is an extremely secure form of firewall. Unless you do port forwarding on your router, you can have your Mac wide open and nothing from the Internet can connect to you. There's not necessarily a reason to turn off the Mac's firewall, unless you are attempting to run some sort of server on the Mac (trying to troubleshoot firewall and port forwarding problems can be a pain in the ass if you're running a NAT router and a firewall at the same time), but the Mac's firewall isn't actually doing anything.

This assumes you're using a strong password on the router, of course, and there's no hostile attacker on your wireless network. If there's an attacker on your local network using your wireless access point, then the router's NAT firewall doesn't protect you.

Using public WiFi is a complicated issue, and it depends on what security threats you're concerned with.

Even on public WiFi, the router is protecting you from attackers on the Internet. What it does *not* protect you from is an attacker on the same public WiFi--that is, an attacker sitting next to you in the coffee shop or behind you on the airplane.

An attacker on the same public WiFi can "see" information traveling between your computer and the wireless access point. If you are connected to a secure Web site (using https), that doesn't really help him very much; but anything you do on a Web site that isn't secure is wide open and can be seen. There's a great demonstration of this--a program that will display every image that anyone sharing WiFi with you is looking at, if they're using Web sites that aren't encrypted.

Your Mac does not, by default, expose any server processes that can be remotely exploited, but running a firewall is still a good idea when you're on public WiFi. Far more important, though, is making sure everything you do--browsing the Web, using instant messenger apps, sending or receiving email--is done on a secure link. If you're browsing unsecured Web sites, using non-encrypted IM programs, or fetching email without using SSL, then you should assume that everyone in the coffee shop can potentially view whatever you're doing.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#31775 - 11/14/14 12:44 PM Re: WiFi security [Re: deniro]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: deniro
I don't know who recommended you turn off your firewall just because you have a router.

For as long as I can remember, the standard operating procedure with regard to firewalls as promulgated in these forums and their predecessor MacFixIt Forums has been to turn on and configure the router's hardware firewall, and to turn off the firewall provided by the OS. As tacit explained, the rationale was and still is that two sequential firewalls don't provide extra security, but may cause various problems, the least of which can be unnecessary delays when surfing the web. Selecting the hardwired router firewall is generally considered preferable over the software-only version of the OS.
That said, this does not necessarily apply to situations outside of your home setup, where you use an unknown router with equally unknown firewall settings. In those cases, you may choose to enable your OS firewall anyway, as long as you understand that you may run into access issues caused by interference of the two sequential firewalls. Here too, configuration specifics are important.

Public WiFi is inherently insecure, because traffic between WiFi hotspot and client can easily be monitored by third parties. Since this traffic is frequently not encrypted, sensitive data may be exposed to malfeasants. When you only need to surf the web without exchanging sensitive data, public WiFi is probably OK. But the secure use of email (where password exchange occurs transparently and unnoticed simply by using your preconfigured email client) and online account access (requiring passwords and/or credit card numbers) requires a VPN type of connection.
VPN services are not usually free, but there are affordable options, from temporary/timed to continuous. They have the additional advantage of thwarting the use of so called 'supercookies' which are increasingly stalking both smart phone and home computer users.
_________________________
alternaut moderator

#31778 - 11/15/14 07:47 AM Re: WiFi security [Re: deniro]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: deniro
I don't know who recommended you turn off your firewall just because you have a router. No one ever said that to me. I have my firewall on all the time.

It's part of the write-up in David Pogue's Missing Manual.

#31780 - 11/15/14 07:52 AM Re: WiFi security [Re: tacit]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: tacit
An attacker on the same public WiFi can "see" information traveling between your computer and the wireless access point. If you are connected to a secure Web site (using https), that doesn't really help him very much; but anything you do on a Web site that isn't secure is wide open and can be seen. There's a great demonstration of this--a program that will display every image that anyone sharing WiFi with you is looking at, if they're using Web sites that aren't encrypted.

How does one go from a browser (http://) to a secure site (https://) without risking discovery of a password used to get to that site? Or does just the act of selecting a secure website deal with that?

#31784 - 11/15/14 10:41 AM Re: WiFi security [Re: grelber]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
No password is required to enter an HTTPS site, but any page where you are asked to provide a password should be accessed through an HTTPS server. In fact Safari 8.0 in Yosemite warns you when a password field is detected on a page that is accessed via HTTP and not HTTPS. You might read Wikipedia's article on HTTPS to get a more fulsome explanation of exactly what it is and how it works.
_________________________
joemikeb • moderator

#31791 - 11/16/14 11:47 AM Re: WiFi security [Re: joemikeb]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
My query was meant to determine whether, once a https:// page was accessed, that prevented the password which might be required to access the site downstream from being compromised on a WiFi network - i.e., once the secure page is accessed and a password requested to enter the site, that password cannot be 'seen' by anyone on the WiFi network.

#31792 - 11/16/14 12:57 PM Re: WiFi security [Re: grelber]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: grelber
My query was meant to determine whether, once a https:// page was accessed, that prevented the password which might be required to access the site downstream from being compromised on a WiFi network - i.e., once the secure page is accessed and a password requested to enter the site, that password cannot be 'seen' by anyone on the WiFi network.

If the password is entered on a secure page (i.e., a page that was loaded using https), then an eavesdropper cannot see the password.

Unfortunately, many sites think that's all there is to security. They give you a secure page for entering your password, and then continue the session with plain old http after giving you a session cookie that lets them see that you've already logged in. Trouble is, that means the cookie is being sent in the clear, and an eavesdropper can harvest that cookie to hijack your session. They still don't know the password, but the site believes they do because they have the cookie.

If a site requires a password for access, they should not only use https for the password entry form, but continue to use https for the remainder of the session. If they don't, you know they either don't understand or don't care about security. If they have something of yours worth protecting with a password, but are so careless about security, you should avoid the site, especially over open WiFi.

You also should avoid logging in to personal sites (your bank, for example, or an online store where you're paying with your personal credit card) over a corporate network. That is, if your company requires that you install something on your computer as a condition of using the company network, then use the network only for company-related business. The "something" they make you install will include a corporate root certificate that the company firewall can use to forge certificates on the fly. Those forged certificates will let them see your password even over https. Don't let them see any password they don't already know.
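
As an added illustration of the session-cookie problem described in the post above (not part of the original thread): a Python check that takes the response headers a site returns after an HTTPS login and reports whether the session could later travel in the clear. The host `shop.example`, the cookie name and all header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample: login form served over https, session continued over http.
WEAK_LOGIN = [
    ("Location", "http://shop.example/account"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
]

# Constructed sample: the same login response with the session kept on https.
HARDENED_LOGIN = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Location", "https://shop.example/account"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
]


def audit_login_response(headers):
    """Audit the headers of an HTTPS login response.

    headers: list of (name, value) pairs. Returns a list of (issue, detail).
    """
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        # Without HSTS the browser will still follow later http:// links to this host.
        findings.append(("no-hsts", ""))
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and value.lower().startswith("http://"):
            # The session continues over plain HTTP after the secure login form.
            findings.append(("http-redirect", value))
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if not morsel["secure"]:
                    # Cookie is attached to http:// requests, readable on open WiFi.
                    findings.append(("cookie-not-secure", cookie_name))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login_response(sample))
```
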

#31797 - 11/17/14 01:46 AM Re: WiFi security [Re: alternaut]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: alternaut
VPN services are not usually free, but there are affordable options, from temporary/timed to continuous. They have the additional advantage of thwarting the use of so called 'supercookies' which are increasingly stalking both smart phone and home computer users.

This thread has been very enlightening.

I never access any critical sites, such as banking, from anywhere except home and I'm only a periodic user of public wifi away from home (hotels, airports). Even then I keep my usage to a minimum. However, I don't care for the idea of someone reading private emails.

It would be interesting to hear more about VPNs from our members about their experiences with them…what they've used, what they liked/didn't like about particular ones, et cetera.


Edited by ryck (11/17/14 01:47 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#31799 - 11/17/14 07:37 AM Re: WiFi security [Re: ganbustein]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: ganbustein
If the password is entered on a secure page (i.e., a page that was loaded using https), then an eavesdropper cannot see the password.

That's what I thought. Thanks for confirming.
I take it that the upshot would be protection on a WiFi hotspot.

#31800 - 11/17/14 08:34 AM Re: WiFi security [Re: ryck]
Ira L Offline


Registered: 08/13/09
Loc: California
Originally Posted By: ryck
Originally Posted By: alternaut
VPN services are not usually free, but there are affordable options, from temporary/timed to continuous. They have the additional advantage of thwarting the use of so called 'supercookies' which are increasingly stalking both smart phone and home computer users.

This thread has been very enlightening.

It would be interesting to hear more about VPNs from our members about their experiences with them…what they've used, what they liked/didn't like about particular ones, et cetera.


If you do searches for "best" or "cheapest" VPN services you will find many options, with a few of the same companies showing up on the lists repeatedly.

If you have very limited needs, like occasional airport or hotel wi-fi use, I have found a free and reliable VPN: Tunnel Bear. Strange name, but they give you 500 Mb/month of free download data. There are also very reasonable monthly or annual rates for unlimited data and multiple devices.

In my limited use I have found Tunnel Bear easy to install and use, and so far the 500 Mb is more than adequate.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x; iPhones, iPods and iPads galore!

#31806 - 11/18/14 06:26 AM Re: WiFi security [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: ryck
This thread has been very enlightening.

I've installed several VPNs at small businesses over the years. IIRC the Cisco RV082 is mac-compatible, and fairly easy to set up. That would get you a good secure connection to anything on your home LAN such as file servers, custom app servers (apps written for your small business or for your type of small business like lawn care business etc), printers, locally shared hard drives, etc.

Also another alternative is to use back-to-my-mac to teleport home and web browse from your home machine if needed. BTMM is encrypted afaik.

_________________________
I work for the Department of Redundancy Department

#31809 - 11/18/14 06:37 AM Re: WiFi security [Re: Virtual1]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Ira L
If you have very limited needs, like occasional airport or hotel wi-fi use, I have found a free and reliable VPN: Tunnel Bear.

Thank you....

Originally Posted By: Virtual1
IIRC the Cisco RV082 is mac-compatible, and fairly easy to set up.

Also another alternative is to use back-to-my-mac to teleport home and web browse from your home machine if needed. BTMM is encrypted afaik.

....and thank you.
_________________________
ryck


#31812 - 11/18/14 08:04 AM Re: WiFi security [Re: Virtual1]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: Virtual1
BTMM is encrypted afaik.

Indeed. Back to My Mac uses IPsec, which includes encryption. It wouldn't be a useful alternative without it. That said, enabling BtMM may have (had?) other security consequences for iCloud users. But security remains a moving target, and things may change on a byte.

Last but not least, it's good to see you back again here, and congrats with your new day job!
_________________________
alternaut moderator

#31816 - 11/18/14 06:17 PM Re: WiFi security [Re: alternaut]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: alternaut
Last but not least, it's good to see you back again here, and congrats with your new day job!


thx, it's good to be back! I was a little worried that this place may have dried up in my absence.
_________________________
I work for the Department of Redundancy Department


Moderator:  alternaut, dianne, MacManiac