How to browse safely from a public internet computer?

I was reading this question when I thought: some emergencies require that you log in to e-mail or other sensitive sites on public internet computers. Remember these points:

  1. You cannot install anything;
  2. You will probably use Internet Explorer 6+;
  3. You will probably use Windows XP.

I think that maybe an online service will meet those requirements...


Solution 1:

You can't. Two-factor authentication with one-time passwords (OTPs?) would be the first requirement, as your keystrokes and login procedure no doubt will be recorded. This would make it harder for an attacker to reuse anything another time...

...however, even if you then establish an encrypted tunnel - there is of course nothing preventing all the information you pass through it from being dumped, as you don't control your endpoint.

So as long as you're only protecting the access rights, sure, it can be done decently protected (though nothing is ever secure). But all the information available to you during that session should be thought of as public property as you can't control its distribution when the client is compromised.

It could be using hardware logging so even if you break into the terminal and boot your own operating system, you wouldn't know if it's safe ^^

Solution 2:

A lot of this depends on how much you trust the public machine. Who is running it? If the machine or network is under the control of someone or an organization you do not trust to handle privacy issues competently, there aren't many options available to you to ENSURE your privacy. The machine may have keyloggers (hardware or software) or other monitoring software.

If you must do this though, or if your primary concern is people who may use the public terminal after you and have similar access abilities, I'd go with the following:

  • Ensure you are accessing services securely via https
  • Clean cache, history and cookies when you're done
    • Check to make sure you CAN delete the cache and cookies prior to browsing.

Solution 3:

I doubt you can guarantee security from a public terminal. If your sensitive services are available via HTTPS, that will give you some protection from line sniffing or proxy servers between the workstation and the server. However, there is no guarantee that there will not be a recording application on the computer itself such as a key-logger or desktop recording software monitoring everything that you do. If possible, boot your own micro-OS from a portable USB storage device and work with that and connect to the server through a secure VPN or other encrypted connection. Even that isn't foolproof though, as a hardware key-logger could potentially be installed on the keyboard or connecting cable (thieves have even done this sort of thing with ATM machines to get your card's magnetic strip and your PIN number).

Solution 4:

I have installed an SSH Java applet on the Linux boxes I need to go to and have skey authentication (one-time key) enabled for both login and sudo with a list of at least 50 valid keys in my pocket (without any indication that could help a thief identify to which box these keys are valid).

To access my e-mail I use Emacs with Gnus from this console.

This setup works for me as most installations of Windows have some sort of Java pre-installed and the SSH applet I use works even on ancient versions of Java.

I am aware that this way the communication I do while working is not safe. I primarily try to protect from login attempts and replay attacks using the one-time passwords offered by skey.
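
The following is an added example, not part of any answer above: a hash-chain one-time-password check of the kind S/Key is built on, showing why a value recorded on the public machine is rejected when presented again. It assumes SHA-256 as the hash and raw bytes as the password format (real S/Key uses other hashes and a word encoding); the secret, seed and all function and class names are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # One chain step. SHA-256 is an assumption made for this example.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    # Apply h() n times to seed||secret, giving link H^n.
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

def printed_list(secret: bytes, seed: bytes, count: int) -> list:
    # The paper list: entry i is H^(count-i), to be used in order.
    return [chain(secret, seed, count - i) for i in range(1, count + 1)]

class Server:
    # Stores only the last accepted link, never the secret itself.
    def __init__(self, secret: bytes, seed: bytes, count: int):
        self.last = chain(secret, seed, count)  # H^count, set at enrolment
        self.remaining = count

    def login(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False  # list used up: re-enrol from a trusted machine
        # Valid only if hashing the submitted value gives the stored link.
        if not hmac.compare_digest(h(otp), self.last):
            return False
        self.last = otp   # the used value becomes the new reference
        self.remaining -= 1
        return True

def demo():
    # Constructed sample values; 50 matches the list size in the post.
    secret, seed, count = b"constructed-passphrase", b"box1-seed", 50
    otps = printed_list(secret, seed, count)
    server = Server(secret, seed, count)
    first = server.login(otps[0])    # typed on the public machine
    replay = server.login(otps[0])   # same value presented again
    skipped = server.login(otps[2])  # out-of-order entry
    second = server.login(otps[1])   # next entry on the list
    return first, replay, skipped, second

if __name__ == "__main__":
    print(demo())
```

The check covers the login step only; it says nothing about what is typed or displayed after the session is open.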