We’re in the midst of signing leases etc. for a new place we’re moving to. An interesting approach is a single monthly payment to the property managers which covers all utilities (council tax, power, water, & broadband). FYI, this is not a share flat, it’s a one bedroom flat in a new build high rise.
It’s the broadband that I’m a bit wary of. Reviewing the lease the terms include a commitment that we will not access anything illegal, nor use the connection to breach copyrights. I.e., no pirated downloads. So I can understand that, as presumably the broadband connection is a commercial account and any C&D letters would go to the landlord/management company.
So far so good. However the lease goes on to stipulate that the landlord reserves the right to monitor specific usage of the broadband service. Given that the broadband account will not be in our name, presumably they ‘own’ the router, and I am now concerned about using online banking through the WiFi.
I am totally OK with VPNs, and use one occasionally now, but if I understand correctly a VPN is only helpful from the router out into the wilds of the net, and will not help if the vulnerability is at the router? Is that correct? Should I be concerned? Could a monitoring system at the router log more than just the site visited, account IDs & passwords for example? If so, any suggestions to protect my data privacy if I assume there is some kind of monitoring system in the router?
That depends on whether you’re running the VPN client on the router or on your own computer (or other device) that connects to the router. The latter is the more common setup, in which case the router isn’t going to know which sites you are visiting or what data you are transferring. So as long as you trust the security of your VPN software and the privacy of the VPN service provider, you don’t have anything to worry about.
Mind you, you might not even need to use the VPN for much of your browsing. Things like online banking are conducted through protocols that are already secure and mostly private. Whoever controls the router would know what online banking website you are connecting to, but they wouldn’t be able to eavesdrop on the traffic between you and the bank.
Once whoever controls the router knows what banking website you are connecting to, they can set up a fake site to resemble it and then just redirect your traffic there.
Not really. This is the whole point of SSL certificates. If whoever controls the router tries to do this, your browser should pop up a very conspicuous warning dialog telling you that the site’s certificate doesn’t check out. Of course, if you’re in the habit of dismissing security warnings without reading and understanding them, then I suppose this trick might work.
Most people do this. That is why the fake website collecting your credentials works. Usually started by sending a phishing email with a fake link, but control of a router makes it easier.
Yes, a VPN client on your PC will send encrypted data out from the PC to the VPN company’s router. Basically, anyone eavesdropping will see a packet that says “from Me, to VPN, here’s a package of encrypted data”. The VPN provider then spews the data unencrypted out the other side onto the internet, appearing to come from them not you.
Of course, if you’re the type who has their PCs sharing data with each other, no password needed, anyone else on that WiFi can also find and read your shared folders. This is why when you connect to a new WiFi, the computer asks if this is home or public. Home, you think everyone on the network is supposed to be on it and able to access shared data. Public, like in Starbucks, you don’t want to be sharing data. If you are excessively techno-immersed, you probably want to set up your own router and connect the external port to either the wired or WiFi provided. Note this still does not protect your traffic from inspection. HTTP data can be read from the packets. HTTPS is encrypted - that is, the data is encrypted but the destinations are not. Nor are the port numbers, which indicate what sort of traffic this is, typically. And of course, you started the conversation by querying the DNS “what is the IP for straightdope.com?” so the person monitoring your traffic externally will see encrypted traffic going to that IP and know it is for this website… All the more reason for a VPN where even that request is sent to the VPN site totally encrypted.
I’ll bet they’re still using the default password. It’s usually something like admin / password depending on router brand. Not sure what information you’d get if they are monitoring through there, though.
It’s true, but it’s more broadly true. If your landlord isn’t MITM*-ing you, his upstream provider might. If not, their backbone provider could.
You have to decide who you trust, and how much.
*For those not involved with network security: MITM == “Man in the middle attack”. A hostile network element (such as a rogue router) puts itself in the path through which data must pass, and uses its position to alter or redirect that data. A non-trustworthy network intermediary.
Recent versions of Chrome and probably the other browsers are making it really difficult to bypass incorrect SSL certificates. You really have to read the error web page to find how to dismiss this error. And it is a multi-step process.
This is sort of a pain for administering my router. I would like to have the router web page as an encrypted web page. But since it is my local router it does not have a signed certificate. I have to click advanced, which opens another link to allow me to ignore that the certificate is bad; then I can proceed.
I just found a good resource for all the certificate errors so you can see what sort of thing pops up under various circumstances: https://badssl.com/. https://wrong.host.badssl.com/ is what you will probably get if in a man in the middle attack.
I wouldn’t go for it on general principle … I mean the minute I decide to add the new Star Wars arcade ROM build to my (extremely huge) MAME collection I can be cut off / kicked out? Just no …
Yes I have WPA2 but anyone connected to the router has the keys to decrypt the traffic. There are a fair number of internet connected devices in the modern person’s home. TVs have WiFi connection for streaming. Alexas and Google Homes, Chromecasts, Rokus etc. All of those have access to the WiFi. That is a lot of attack surfaces that you have access to the WiFi traffic. If one of those is compromised it should not be easy to allow that compromise access to the router by sending passwords in the clear. It just does not make sense to send anything in the clear anymore.