
Will using a VPN protect me against fake wireless hotspots?

Learn how to avoid data theft from phishing or connecting to a fake hotspot, by using a VPN, and various other secure browsing techniques, from our expert Lisa Phifer.

Any 802.11 access point (AP) or Ad Hoc can advertise an interesting SSID to lure unsuspecting clients. For example, in major airports and conference centers, you're likely to find Ad Hoc(s) advertising the "Free Public WiFi" SSID. Most are other clients that at some point in the past tried to connect to "Free Public WiFi" and are now returning that favor – usually without user awareness or malicious intent. Nonetheless, it is never safe to assume those Ad Hocs – or APs that advertise hotspot SSIDs – are legitimate or harmless. Always protect your traffic against man-in-the-middle attacks that can be performed by wireless imposters.

VPNs can certainly help, and I highly recommend their use in Wi-Fi hotspots. However, VPNs are not necessarily the only or best answer. Why? The real culprit that makes your Wi-Fi client vulnerable to a fake hotspot is weak or absent server authentication. Anytime your Wi-Fi client launches a session, verify that it has in fact reached the intended server.

Before logging into any Wi-Fi hotspot, try to check the hotspot's credentials. If WPA/WPA2-protected access is available (e.g., tmobile1x), configure your Wi-Fi client to validate the server's certificate. If you frequent hotspots which use a connection manager (e.g., Boingo), those programs provide server validation on your behalf. Otherwise, eyeball the hotspot login page before entering your password or credit card number. Check for SSL protection (that is, a URL starting with https) and look for browser warnings about the SSL server's certificate. If a hotspot login page triggers browser warnings (or mental alarm bells), don't ignore them.

Once connected to a Wi-Fi hotspot, try to use only mutually-authenticated, end-to-end encrypted sessions. If you're only browsing public websites, you might opt to go skinny-dipping – but keep in mind that the websites you visit could be faked by a phony hotspot which returns a copy of the real deal, modified to contain malicious scripts or phishing URLs. For this reason, it's safer to send all hotspot traffic – sensitive or not – over secure sessions.

For example, when checking email, try to configure your email client to send POP and SMTP over TLS. Today, many email servers support or require TLS to prevent disclosure of email logins, passwords, and message content. Email clients configured to require TLS will validate the email server's certificate and either refuse a session to a phony server or alert you to a problem with the server's certificate. Here again, don't simply ignore email client warnings or make TLS optional.

For more complete protection, use a VPN tunnel to secure ALL of the traffic sent and received at a Wi-Fi hotspot. However, keep in mind that VPNs are not always immune to man-in-the-middle attacks. To be safe, use a VPN with strong mutual authentication – for example, IKE Phase 1 certificate authentication, followed by XAUTH user authentication. Avoid VPNs that use weak pre-shared keys or provide no server authentication at all. Furthermore, understand the traffic actually tunneled by your VPN – "split tunnels" secure only selected ports or destinations, letting other traffic bypass the VPN.
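One way to check which traffic a split tunnel actually protects is to run longest-prefix matching over the client's routing table, as in this added example (not part of the original answer). The interface names tun0 and wlan0, both routing tables and the destination addresses are constructed assumptions.

```python
import ipaddress

# Constructed split-tunnel table: only the corporate 10.0.0.0/8 range
# is routed into the VPN interface (assumed name: tun0).
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),       # default route still points at the hotspot
    ("10.0.0.0/8", "tun0"),       # corporate range via the VPN
    ("192.168.1.0/24", "wlan0"),  # hotspot LAN
]

# Constructed full-tunnel table: two /1 routes override the default route.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN gateway itself
]

# Constructed destinations: intranet host, public mail server, public web server.
DESTINATIONS = ["10.1.2.3", "198.51.100.25", "192.0.2.80"]


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def bypassing_destinations(routes, destinations, tunnel_iface="tun0"):
    """List (destination, interface) pairs that would leave outside the tunnel."""
    leaks = []
    for dest in destinations:
        iface = egress_interface(routes, dest)
        if iface != tunnel_iface:
            leaks.append((dest, iface))
    return leaks


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, bypassing_destinations(table, DESTINATIONS))
```

With the split-tunnel table, the mail and web destinations are reported as leaving over the hotspot interface; with the full-tunnel table nothing is reported, and only the host route to the VPN gateway stays on wlan0.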

Finally, combine SSL/TLS or VPN tunneling with a host firewall that prevents unwanted traffic from leaking in or out of your Wi-Fi client. In Wi-Fi hotspots, a common mistake is to leak LAN broadcast traffic – especially NetBIOS file/printer sharing messages. Today, many commercial hotspots block inter-client traffic to neutralize this risk. However, if you've connected to a fake AP or Ad Hoc, you can't depend on the hotspot to protect you. If you take these basic steps to defend yourself, then you won't have to worry about the possibility of encountering a fake hotspot AP.
This was last published in September 2009
