Sorry in advance for the OT, but this is the forum with the most smart people tuned in to networking.
I have spent a lot of time securing my network at home, thanks to OpenWrt... But now that I feel reasonably safe at home, of course I need to travel for a while and stay at various guest accommodations.
So I need to secure my computer (running macOS). What are the attack categories that I should be aware of when connecting to someone else's Wi-Fi? How can I mitigate them?
A few specific questions:
- If, say, I do my home banking via an https connection, can I be confident that this is safe?
- Is there a security advantage to using a VPN if I only use https connections?
- Conversely, if I use a VPN on an untrusted Wi-Fi, am I reasonably secure?
Yes, unless you have certificates installed that allow a man-in-the-middle attack.
Only if you use your own private VPN that you can trust; otherwise a VPN only moves the lamp post from the Wi-Fi to the VPN provider.
Only in terms of visibility of your traffic. The attack angle from the Wi-Fi to your machine remains the same.
Can anyone weigh in on the security of a "travel router" (such as the GL.iNet MT-300N)?
It runs OpenWrt, and is powered by your laptop's USB. You configure its "WAN" to connect to the public Wi-Fi. Your computer connects to the Wi-Fi or to the LAN port, and the OpenWrt firewall rules provide substantial protection. It offers various VPN options - I haven't looked at them recently.
I occasionally use a travel router which has a WireGuard connection to my home network. I think it's a good idea for someone doing work from a hotel or public hotspot etc. The laptop connects only to the travel router, so it's on a trusted network. The VPN ensures I can access my home stuff. If I want to hide my traffic I could even funnel all my traffic through the home connection. Also it can do SQM for better bufferbloat.
I like the GL.iNet "Creta" (AR-750) for this purpose. Running standard OpenWrt.
As far as I know macOS has very little in the way of a host firewall. I run Linux on all my machines and they all have some kind of host firewall. So I don't insist on the travel router at all times.
Why not use a WireGuard client on your laptop and phone?
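The travel-router setup described in the two posts above (router's WAN on the public hotspot, laptop only on the router's LAN, WireGuard tunnel home) as a set of OpenWrt UCI config fragments. This is an added example written for this thread, not the OpenWrt defaults or anything shipped by GL.iNet; it assumes a board whose LAN port is eth0 and whose only radio is radio0, and every SSID, key, address and hostname in it is a constructed placeholder.

```uci
# Added example: /etc/config fragments for a travel router on vanilla OpenWrt.
# Assumptions (not from the thread): LAN port is eth0, the only radio is radio0,
# and every SSID, key, address and hostname below is a constructed placeholder.

# ---- /etc/config/network ----
config interface 'lan'
	option device 'eth0'
	option proto 'static'
	# Uncommon subnet so it cannot collide with the hotspot's own
	# 192.168.0.0/24 or 192.168.1.0/24 on the WAN side.
	option ipaddr '10.77.0.1'
	option netmask '255.255.255.0'

# Uplink to the hotel/cafe hotspot; the wifi 'sta' interface below attaches here.
config interface 'wwan'
	option proto 'dhcp'

# WireGuard tunnel back to the home router (the home side needs a matching peer).
config interface 'wg_home'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_ROUTER_PRIVATE_KEY'
	list addresses '10.99.0.2/24'
	option mtu '1420'

config wireguard_wg_home
	option description 'home'
	option public_key 'PLACEHOLDER_HOME_PUBLIC_KEY'
	option endpoint_host 'home.example.invalid'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	# Split tunnel: only home subnets go through the tunnel. To funnel all
	# traffic through the home connection, replace these two lines with a
	# single  list allowed_ips '0.0.0.0/0'
	list allowed_ips '10.99.0.0/24'
	list allowed_ips '192.168.1.0/24'

# ---- /etc/config/wireless (the wifi-device 'radio0' stanza is left as generated) ----
config wifi-iface 'uplink'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'Hotel-Guest-WiFi'
	option encryption 'none'        # open hotspot; 'psk2' plus option key for WPA2

config wifi-iface 'private_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'travel-lan'
	option encryption 'sae-mixed'   # WPA2/WPA3 mixed; use 'psk2' on older images
	option key 'PLACEHOLDER_LONG_PASSPHRASE'

# ---- /etc/config/firewall ----
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Anything arriving from the hotspot is rejected unless it belongs to a
# connection the laptop opened, so other guests on the hotspot never reach
# the laptop's own services at all.
config zone
	option name 'wan'
	list network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wg'
	list network 'wg_home'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'        # required if you switch to the 0.0.0.0/0 full tunnel
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'
```

Two practical caveats with this layout: with a single radio the private AP follows the channel of the hotspot association, so if the uplink cannot associate the AP stays down (the travelmate package on OpenWrt exists to manage that), and captive-portal hotspots have to be logged into from a browser on the LAN before the tunnel can come up, since the WireGuard endpoint is only reachable once the hotspot passes traffic.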
Thanks for that.
What I am unclear on is what threats a travel router protects me from, versus simply having a proper firewall on the laptop.
macOS has an inbound firewall. There are also great solutions for an outbound firewall, but I assume you only have an inbound firewall in mind.
You can of course do this, but it's more configuration, especially if you have several laptops, phones and tablets (such as a family of 4-5 people). Also tablets and phones have no controllable firewall to speak of.
Typical threats for using public hotspots:
- Traffic can be subjected to filtering/shaping based on L3/L4 protocol data.
- DNS/HTTP and other unencrypted protocols are vulnerable to MITM.
- HTTPS can leak domains with SNI.
Add to that list that other machines on the local net can attack your machine directly. Windows in particular has a history of network-exploitable security problems allowing worms to propagate, etc. However, macOS and Linux have also had remotely exploitable kernel bugs, as well as, of course, services that might be running (for example Samba, NFS, NTP servers, etc.).