How can I encrypt my internet traffic so I can use public wifi securely?

I have moved to a hostel and they provide a WiFi network. I would like to be safe on that public WiFi network. Is there any way to encrypt my data transmission to and from the router? I am a bit consumed by the hype of the “How unsafe public WiFi is” slogan.


Solution 1:

Remote access

Most public wireless access points (encrypted or not) use client isolation so there's no way another network client can communicate with your device. If clients can communicate, just make sure to (temporarily) disable or secure all network services running on your device (like httpd, ftpd, sshd, smbd), as you will likely not need them during your stay in the hostel anyway. If you consider yourself a “layman” as per your comment, you don't need to worry, because Ubuntu doesn't have any network services enabled by default. Of course a more savvy friend could have enabled them per your request, but I suspect you would know about that.

Wireless packet sniffing

Since the network is encrypted with WPA2, an encryption protocol without publicly known vulnerabilities, you're safe from wireless packet sniffers too, because the wireless access point assigns a different session key to every client. Even if all clients share the same password, they won't be able to decrypt each other's network traffic (with reasonable effort). This part is only true for WPA2-EAP.

I have since learned that an attacker with knowledge of the pre-shared secret (likely for a semi-public wireless network) and a record of the WPA2-PSK authentication handshake (reauthentication can be provoked with a deauthentication attack which only requires knowledge of the PSK) can decrypt all subsequent traffic.

Conclusion: Don't rely on the privacy of public wireless networks encrypted with a pre-shared secret. Refer to the following sections for solutions.

Upstream wire tapping

If you're concerned that the hotel staff abuses their access to the unencrypted “upstream” network (i.e. between the wireless access point (AP) and their internet service provider (ISP)), you need to use HTTPS/TLS¹ or a VPN to encrypt your network traffic throughout that section, depending on your needs. See my first comment for things to consider and update your question accordingly, so I can go into the correct details.

VPN

To set up a VPN you need to find a VPN provider that offers VPN protocols with Linux support – preferably with setup instructions, even better when they're for Ubuntu. An alternative would be a public peer-to-peer based VPN like Tor or I2P. Find or ask another question if you encounter problems with either of those, since this would lead a bit too far from the original question.

¹ Most popular web sites use HTTPS by default or optionally to protect against session stealing and man-in-the-middle attacks. Many more do so at least during authentication to protect your password.
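
A quick way to act on Solution 1's advice about network services, as an added example that is not part of the original answer: the script reads `ss -tuln` output and lists listeners bound to non-loopback addresses, which are the ones other WiFi clients could reach if client isolation is off. The sample input and the port-to-daemon hints are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sockets listening on non-loopback addresses.
# Live use: ss -tuln | exposed_listeners

# Map a port to the daemons named in the answer (hints only, an assumption:
# any program can bind any port).
service_hint() {
    case "$1" in
        21) echo ftpd ;;
        22) echo sshd ;;
        80|443) echo httpd ;;
        139|445) echo smbd ;;
        *) echo unknown ;;
    esac
}

# Read `ss -tuln` output on stdin; print "proto host port hint" for every
# listener that other clients on the same network could reach.
exposed_listeners() {
    awk '$1 == "Netid" { next }          # skip the header row
         NF >= 5 {
             host = $5; port = $5
             sub(/:[^:]*$/, "", host)     # strip the trailing :port
             sub(/.*:/, "", port)         # keep only the port
             # 127.0.0.0/8 and ::1 are loopback: not reachable from the LAN
             if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
             print $1, host, port
         }' |
    while read -r proto host port; do
        echo "$proto $host $port $(service_hint "$port")"
    done
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      50     *:445              *:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
tcp   LISTEN 0      128    [::]:80            [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners
```

Anything the function prints is either stopped for the duration of the stay or blocked by the firewall; an empty result means nothing is listening beyond loopback.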

Solution 2:

One possible idea, which may not be a "solution" to the question you are asking, is to use a different approach to accessing the internet:

  1. Use a VPN service that maintains anonymity. One can look for Hotspot Shield or alternatives for Ubuntu. Is there a free VPN service that works on Ubuntu?

  2. Install VirtualBox with Tails Linux, wherein you are running an OS that focuses on anonymity as a virtual machine on Ubuntu. In my experience, VirtualBox works like a charm on 14.04, though I have not tried Tails.

As for "letting other users in", you need to install the latest security updates and ensure proper firewall set-up... but this is more about general network security and not specifically about "your activities".

I hope this helps.

Solution 3:

Seeing as nobody else has provided this as an answer, I think it's time to recommend Tor. What Tor offers is fairly robust security by routing your outbound traffic through a whole bunch of computers. Tor is not the be-all and end-all of security, however. What it will do is encrypt your outbound traffic to the network itself.

What this means is that your outbound packets (what you send out) won't be able to be read by anyone intercepting the traffic at that end. They have no way to control traffic beyond an exit node, however.

Here is a good rundown on the whole process - note the first answer. Here's the gist of it but I encourage you to go to the site and actually read the entire question and the various replies to it. It's well worth knowing this information as it may come in handy in a variety of ways. Here you go:

Your connection into the Tor network itself is encrypted, as are connections between Tor nodes. In fact, each hop is encrypted with a new key to avoid back-tracing. What might be unencrypted is the connection from your Exit Node onto the web, if you're connecting over an unencrypted protocol. This means that if you're viewing a standard HTTP webpage then the final Tor node in your circuit and their ISP can see the unencrypted data, but they won't be able to trace it back to its origin (unless that data contains anything personally identifying you).

Now there are a lot of ways to get Tor running but, frankly, the easiest way that I can think of is to simply go here and download the appropriate version for your computer (32 or 64 bit).

What Tor is not - Tor is not something you use to download large files, it's not something you download torrents with either. Tor is meant to, mainly, stay on the .onion networks but can be used like a proxy server to browse the web. This is not completely secure from someone who's able to use traffic packet shaping/modeling attacks and timing attacks. If they can see the shape of your packet entering the network and control an outbound node then they can determine where you went. This doesn't really apply to your situation, however.

If you want an additional way to install Tor and to keep it updated, this is how you do it for the latest release:

You need to add the following entry in /etc/apt/sources.list or a new file in /etc/apt/sources.list.d/:

    deb http://deb.torproject.org/torproject.org utopic main
    deb-src http://deb.torproject.org/torproject.org utopic main

Then add the gpg key used to sign the packages by running the following commands at your command prompt:

    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

You can install it with the following commands:

    $ sudo apt-get update
    $ sudo apt-get install tor deb.torproject.org-keyring

If you need more information then please see this site but the above directions should remain stable and unchanged for the foreseeable future.
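
The key import in Solution 3 fetches by the 8-character ID 886DDD89, and short IDs are not unique, so it is worth confirming the imported key's full fingerprint before handing it to apt. An added example (not part of the original answer) that does this over `gpg --with-colons --fingerprint` output; the sample listings, including the second key, are constructed.

```shell
#!/bin/sh
# Added example: confirm a key fetched by short ID is the one you expected.
# Live use (IDs are the ones quoted in the answer):
#   gpg --with-colons --fingerprint 886DDD89 |
#       check_fingerprints 886DDD89 A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

# $1 = short key ID, $2 = expected full fingerprint, stdin = gpg colon listing.
# Succeeds only if at least one primary key ends in the short ID and every
# such key carries exactly the expected fingerprint.
check_fingerprints() {
    awk -F: -v short="$1" -v want="$2" '
        $1 == "pub" { primary = 1; next }   # next fpr record is the primary key
        $1 == "sub" { primary = 0; next }   # ignore subkey fingerprints
        $1 == "fpr" && primary {
            primary = 0
            fpr = toupper($10)              # field 10 holds the fingerprint
            if (substr(fpr, length(fpr) - 7) == toupper(short)) {
                seen++
                if (fpr != toupper(want)) bad++
            }
        }
        END { exit !(seen >= 1 && bad == 0) }'
}

SHORT=886DDD89
WANT=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

# Constructed colon listings (key size, timestamps and uid are made up).
GOOD='pub:-:2048:1:EE8CBC9E886DDD89:1000000000:::-:::scESC:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::1000000000::::constructed signing key:'
# Same short ID, different fingerprint: what a collision would look like.
COLLIDING="$GOOD
pub:-:2048:1:11111111886DDD89:1000000000:::-:::scESC:
fpr:::::::::11111111111111111111111111111111886DDD89:"

# Print "trusted" or "rejected" for a colon listing passed as $1.
verdict() {
    if printf '%s\n' "$1" | check_fingerprints "$SHORT" "$WANT"
    then echo trusted; else echo rejected; fi
}

verdict "$GOOD"        # only the expected key is present
verdict "$COLLIDING"   # a second key shares the short ID
```

Run the check between the `--recv` and `--export` steps and only continue when it succeeds.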