It’s a nice perk to have free broadband, but if it’s a concern, you can always just bypass the whole thing and get your own broadband. If you can get your own cable TV, you can get your own broadband.
That’s not always possible.
I have several friends who live in high-rise buildings, where residents are not allowed to have any company add wiring to their units – they are required to use the installed service. And the building has an agreement with one broadband provider that they get the exclusive right to service units in the building. So unless the residents get a wireless link (which can be difficult connections in a high-rise building), they are stuck using the building-provided broadband.
The simplest safest is, if you have physical access to the router - connect your router in cascade-your WAN connects to a wired LAN port of the landlord’s router. After all they must have some provision for those real computers that don’t have wifi, just copper connection. Or, because the wifi signal sucks in some spots.
If you try to swap out the owners router, you may need to know login information for the ISP service. (DSL typically)
The site-provided router can do almost anything to your connection if it wants to (processing capability notwithstanding).
It can provide false DNS responses, so that your requests to find www. bank.com go to dirty hackers IP.
It can intercept DNS requests to external DNS providers (Google DNS/OpenDNS) so that won’t help you either.
It can intercept (and modify) unencrypted traffic (HTTP, SMTP, POP/IMAP).
It can redirect encrypted traffic if it wants (HTTPS, SMTPS, IMAPS).
You cannot stop any intervening network device from doing these things, anywhere.
BUT …
It cannot redirect HTTPS/SMTPS/IMAPS traffic to different servers without causing a certificate error unless the certificate/key has been stolen or a Certificate Authority has been compromised.
It cannot inspect or modify encrypted traffic without having installed a trusted certificate on your local device. For this to happen in a global sense, this would require a major compromise in the Certificate Authority.
There are SSL inspection devices that companies install to monitor outgoing HTTPS conversations. They require a specific root certificate to be installed on all the company machines. The SSL inspection device intercepts a request to https://www .mybank.com. The inspection device then connects to https://www .mybank.com and gets the presented certificate. It then forges a new certificate for www. mybank.com signed by the CA for which the client has a root certificate, and passes that to the client. The client verifies the forged certificate against the supplied root certificate, and opens a connection to the inspection device. The inspection device decrypts the traffic, examines it, possibly logs it, and then passes it through it’s own encrypted connection to https://www. mybank.com.
The only way this can work without a browser certificate error is the presence of the root certificate on the client device.
There are some mechanisms proposed that can prevent even this sort of trusted MITM inspection.
HTTP Public Key Pinning was one, but it was not well supported and seems to have died.
DNS Certification Authority Authorization has been recently been made mandatory, but will have to rely on DNS over TLS to be safe.
So can any router, or any point in the intermediate chain. Your best bet to avoid this is - again - a VPN tunnel from a trusted point - your PC or your own router - to a reliable commercial VPN service. The higher up the internet food chain you go, the less likely traffic can be compromised and the less likely it can go undiscovered for any length of time.
A VPN, as mentioned previously, is a totally encrypted tunnel from your trusted point to the VPN point. All the intermediate routers see is “I have a packet of encrypted data from me to VPN”. Even your DNS requests are part of this encrypted traffic. Since the connection is established between the two sites, like mentioned for other traffic it would take an interesting compromise of certificate authority to allow someone to imitate the VPN endpoint.
So you have to ask - what is your goal? If you think someone is playing deep hacker games with your traffic, don’t use it, however you avoid it. If you want to do something the landlord disallows - use a VPN. If you just don’t like the idea that the landlord - or someone else in the building - is watching your traffic, tracking what you do and which websites - use a VPN. If your concern is that using someone else’s network means your network, devices and shares are open and visible to others -landlord or tenants - cascade through your own router with your own security. (Many networked non-PC devices come with no security or default passwords.)
A PC believes a certificate when it says “I am XXX” if the root for that certificate (or that certificate) is in the root certificate store for that PC. Enterprises accomplish this through use of domain policy and domain administrator rights to push the necessary certificate to the PC’s in their domain. So if someone wants to fake a certificate without warning you, they have to have administrative rights and access to your PC. If they get this far, a fake root certificate is the least of your worries.
Not really.
The point is that if they have wired cable TV to their unit (good bet) they can choose to buy internet service over that cable as an add-on and then connect their personal internet router to that wired service.
Thereby avoiding the building’s untrustworthy wifi.
It still remains the case that ultimately we have to trust every single machine between us and the other end. But going the way I describe removes one layer of untrustworthy gear close to you.
Exactly. If you have coax coming into your unit, you do not need new wiring, just a splitter.
As a business practical consideration for the landlord, I’m seriously doubting they have the ability or interest to monitor you individually, and that might simply be some boilerplate their attorney put into their contracts to scare people into not doing anything illegal and abusing their connections. Internet connections for broadband are sold at a flat-rate, so the landlord wouldn’t be concerned about it until the ISP contacts them to complain about abuse of some sort. If you want to test this, ask to see an example of recent data usage report or how do you go about checking your individual usage, because these reports might not even exist.
If you have a cell phone with a data plan, create a personal hot-spot. This won’t be going through the landlord’s connection at all. Use that for all financial transactions such as banking and whatever else you are concerned about being private. Use the broadband for web surfing and things like Netflix. Anything personal use the hot-spot.
I am baffled by people who think they shouldn’t check their bank accounts over “public wi-fi.” SSL/TLS connections are effectively single-web-site VPNs. Data is encrypted between you and your bank regardless of whether the wi-fi is encrypted or not.
If, while connecting to your bank, you’re presented with a bad SSL/TLS certificate (man-in-the-middle attack) and you care even a little bit about security, you’ll notice and kill the connection attempt. If you don’t know enough to pay attention to a bad cert, you probably didn’t care (or didn’t know) about network security in the first place.
MD2000 does a respectable job of describing what network security people call “the chain of trust” here:
MD2000 is right about that last part, too. If an attacker has enough control of your machine to plant a fake root certificate, they’ve already got complete control and you’re already hosed, VPN or no.
In the OP’s place, I wouldn’t want random neighbors port-scanning my machines if they were so inclined. I would do what MD2000 suggests (a bit obliquely) in an earlier post: get a wireless bridge[sup]1[/sup] and feed that into your own router. It would look approximately like this:
[Internet]
|___________
[Landlord’s router w/wi-fi]
|_____
[Your shiny new wireless bridge]
|___
[Your router via its WAN port]
|_ |_ |______
[Your wi-fi] [wired eth0] [wired eth1] [etc.]
Those wired “eth” connections are shorthand for the wired ethernet ports on your own router.
This way, no none could snoop on your wireless signals without considerable effort, even if they were on the landlord’s network. You could also have your router connect to a VPN service so that all the traffic it passed to the untrusted landlord network was encrypted.
Oh, and you should set your DNS servers to something other than what your landlord provides via DHCP. Google’s public DNS servers support DNSSEC, as do many others. Using DNSSEC will help protect against DNS poisoning attacks, but your DNS queries will still be visible to your landlord. That’s one thing a VPN service would prevent.
One thing that might be helpful is remembering that, short of child porn or The Silk Road, no one really cares what web sites you look at. My dad won’t get a Facebook account because he’s convinced that the NSA is monitoring Facebook (not unlikely) by assigning individual agents to “watch his activity” (bloody unlikely). There is no NSA agent watching my mom click “like” on photos of her grandkids or surf on over to the AARP website. There are likely algorithms scanning huge streams of data, but nothing more personal than that.
Similarly, there are no nefarious hackers who want to see all the documents stored on your computer. There are automated scripts (programs) trying to root your machine and add it to a botnet that can be rented out. Those scripts probably look for useful numbers, too, perhaps of the credit card or social security persuasion. But no one will be reading your journal.
[sup]1[/sup]I’d recommend something like the $50 Asus RP-N54. Google the model name if you’re interested.
Wireless bridges are now more often called “range extenders” because that’s how people tend to use them. But they can also “grab” a wifi signal out of the air and allow you to connect to it with an ethernet cable. They “bridge” the wireless/wired gap.
You’d connect the bridge’s wireless interface to your landlord’s wi-fi network and the wired interface to your router’s WAN port.
This allows you to use your existing router in exactly the same way you would if you had the interwebs coming out of a cable modem’s ethernet port (or whatever). The only difference is minor: you’ll be double-NATed. If you don’t know what that means off the top of your head, you probably will never notice. It’s not a big deal unless you’re trying to host a server.
To be honest, I’d be more interested in answers to the following questions for the landlord:
What is the total bandwidth supplied to the building?
Is there enough total bandwidth
How many units is this divided between?
Is there enough data per unit?
Are individual unit connections rate-limited?
Can a bandwidth hog suck all the bandwidth impacting the whole building?
Is there a data cap on the entire building?
Could the building run out of data for the month?
If so, is there a data cap per unit?
Can one unit use all the allocated bandwidth?
Are individual units isolated (i.e a switched network or a shared network)?
Can other residents snoop my traffic?
Who manages the connections and what security is in place on the management system?
Who do I need to trust to manage my connection?
Those are all good questions, but no landlord I’ve ever met would be able to answer any of them.
Probably not themself. But they should have a contact in the bandwidth supplier who would be able to answer them, in some detail.
I would rather go back to dial-up 2 decades ago than accept conditions from any landlord. Or satellite if I could afford it.
An employer can tell you what to do on his machine, but not what to do on yours. If a landlord is allegedly worried about liabilty he can offer disclaimers in advance. I will avoid illegalities because I want to, not because of some intrusive little busybody. It’s no different to telling you what you can and can’t read in your home.
Well, certainly. But then why not ask for the contact directly instead of going through the motions with the landlord?
I applaud the sentiment, but it’s a pretty good bet this hypothetical landlord is “imposing” the same conditions his hypothetical ISP imposes on every subscriber. Including you if you went to that ISP directly.
Bottom line: IMO you’re tilting at windmills.
How will the tenants be able to connect to the internet? Which of these is building providing:
- Building-wide wifi?
- Ethernet ports in each unit? (ethernet plugs in the wall like telephone plugs)?
- A broadband router in each unit? (each unit has it’s own cable modem)?
If it’s wifi only, that will be the hardest to live with. There will be more contention for bandwidth and all the troubles that come with wifi.
If it’s the 2nd or 3rd, there are methods you can use to make sure no one can snoop your data (the web addresses or packets), as well as not be able to snoop the computers on the network.
It’s also good to ask who is managing the broadband. If it’s just the building maintenance people, it’s very likely that the equipment will not be maintained proactively. They may only upgrade the systems when people complain about poor performance. But a bigger issue is that they may be lax about upgrading firmware, which means security holes may go unpatched.
Much better answers above than my original reply. Pay no attention to this post.
Then the landlord is under the onus to find a provider not making such conditions.
Conditions we don’t have over here — or would routinely ignore: the pathetic attempts by Cameron [ it seemed to be a personal thing, rather than a conservative thing: to protect our children from porn and to make intellectual property rights unassailable by preventing illegal downloads ] get no further than forbidding ISPs to permit certain websites by High Court order: the ISPs have no wish nor appetite to control viewing.
And some ISPs, famously Andrews and Arnold, a small private [ expensive ] company in Berkshire, have fast, unlimited, uncensored broadband as part of policy. Plus free IPv6 if you want it.