
Secure your internet connection at Starbucks
I do a fair amount of development while seated in a Starbucks. I don't often drink the coffee or eat the food, but I do connect to the Internet using their fine T-Mobile HotSpot service. Up until last week, my HotSpot connection was a regular old unsecured AirPort connection. That meant that much of my traffic was sniffable by others in the vicinity. I didn't like that much, so I did a little digging. T-Mobile offers Connection Manager software for Windows users which solves this need, but there's no love for OS X users.

There was one sentence in the T-Mobile security policy that suggested that a secure connection was possible without Connection Manager. So I called tech support and they were astonishingly helpful. The tech walked me through an Internet Connect setup which resulted in me connecting securely via TTLS. The basics of the process are: open Internet Connect and add a new 802.1x configuration. I also had to click the Configure button for TTLS and enter PAP as the 'TTLS Inner Authentication.' The other authentication methods are left as default. After setting everything up, the end result looked like this. The process is a bit complex, so you might want to call them if you're unsure of anything in that screenshot.

Secure your internet connection at Starbucks
Authored by: dborod on Aug 20, '07 08:52:32AM

One also needs to make sure that the "Pass Argument" drop-down in Automator has the value "as arguments" rather than "to stdin" in order for this to work as advertised.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: DJRizzo on Aug 20, '07 07:44:25PM

I did this a few weeks ago. It took a few minutes to get the tech to understand exactly what I was asking for; but after he figured it out he read a list of instructions to me that were easy to follow (they should just post them on their support site).

The secure connection works great at the Starbucks I usually visit. I find it a bonus that I don't have to use my browser to connect. I love that Windows users have to download their connection software - I've never liked ISP connection software! However, I've had connection problems at one location and had to resort to the old unsecure method.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: dan55304 on Aug 21, '07 06:02:13AM

I was going to slam using a merchant's wifi without supporting their business. I love Starbucks but hate that their wifi isn't free access. So, did they go paid because of all the freeloaders or are there freeloaders because it's paid? Hmmm.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: BobVB on Aug 21, '07 12:18:50PM

Neither actually - I've had their HotSpot service from before T-Mobile purchased it (mobilestar or something was the previous owner?). It was back when people thought they could make a business out of providing wifi and Starbucks can actually continue to get away from it because it's, well, Starbucks.

Though I usually have a cup of coffee I feel no obligation to - paying for the wifi access is all the purchase I need to justify my presence.

Oh and the setup works fine and a great tip - nice to have that added level of security.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: Skurfer on Aug 21, '07 01:34:52PM
This is secure from your machine to… where? One of T-Mobile's routers? What about the rest of the machines your traffic goes through on the way to its destination? I think it's better to just always assume someone's watching your traffic - always - and act accordingly. (Use SSL, SSH, SCP, SFTP, SSH tunnels, etc.)

[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: weitzman on Aug 21, '07 02:21:59PM

do you use encryption on your home wifi? why? i bet you do, and this hint exists for the same reason ... yes, using SSL and such when sites provide them is a good idea.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: Skurfer on Aug 22, '07 06:55:36AM
"do you use encryption on your home wifi? why?"

Yes, because when using encryption, every client device needs a huge numeric key just to connect. That makes it much more difficult for unwanted people to use my network. This unintended side-effect of authenticating connections is why I use WPA or WEP. The fact that it's also encrypted is a nice bonus, but it's practically irrelevant (unless I'm transferring something private between machines in my house over an insecure file sharing protocol, which is rare).

I also didn't mean to imply that there's no value to this hint. This may be a way to protect your T-Mobile credentials and prevent others from abusing your account. Another commenter said that this allowed you to connect without a web browser, and that alone probably makes it worthwhile.



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: blueshead on Aug 22, '07 11:39:32PM

This is also the way I log into the free Earthlink City Wide service in New Orleans, as they only offer Windows software...



[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: mematron on Aug 23, '07 09:09:39PM
You are only connecting to the service in much the same way you connect with a web browser. Connecting with your browser uses SSL and like the Connection Manager for Windows it's just providing secure authentication. After you are connected to the service all of your traffic is sent in plain text.

All you've done is recreated in part what the Connection Manager does. The T-Mobile Connection Manager is superior for novices because it has a built-in Wi-Fi scanner, has 1-click login, and lets you know when you are connected to a T-Mobile Hotspot.

The only way to be more secure is to use SSH. Use it right after you authenticate yourself on the network. Here's an example of what I do:

ssh -D 8080 -f -C -q -N username@server_address

Then you select "Socks Proxy" in the "Proxies" tab under the active network interface inside the Network Settings. For the Proxy address, type in 127.0.0.1 and for the port type in 8080.

Here's a page that explains it very well, cause hey, someone already explained it so I don't have to: http://macapper.com/2007/05/22/advanced-os-x-secure-tunneling-via-ssh

If anyone thinks that this isn't a better solution just try running "tcpdump" or "wireshark" and see all the nice packets flow by in plain text.

SSH can be cracked as well but to the casual observer you'll be free to download your pron in privacy.

Nothing is 100% secure but for now, SSH is your best strategy.

[ Reply to This | # ]
Secure your internet connection at Starbucks
Authored by: honer123 on Aug 31, '07 05:09:09AM
To build on mematron's comment, using Squid on the other end of the tunnel will truly hide all of your web surfing traffic. I say this because if you use the method he mentioned where you send your web traffic through a SOCKS connection, you will still send your DNS requests out to the local DNS servers. So they may not be able to see what you're surfing, but they will be able to see that you are surfing --www.bigknockers.com--, or whatever.
The way to avoid this is to set up Squid on the SSH server you are connecting to, then tell your browser to use a proxy of localhost at 3128 (Squid's default port). If you can set up and connect to an SSH box, then you can set up Squid. Not too hard to configure at all, and as a result all of your traffic to the web is truly hidden.


[ Reply to This | # ]
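The two comments above suggest checking with tcpdump what still leaves the machine outside the SSH tunnel, DNS lookups in particular. The following is an added example, not code from either commenter: it audits a constructed sample of `tcpdump -n` output, and the addresses, the sample lines and the `audit` function name are assumptions made for illustration.

```python
import re

# Constructed sample of `tcpdump -n` text output (documentation/private addresses only).
SAMPLE = """\
12:01:02.100000 IP 10.0.1.5.51234 > 10.0.1.1.53: 4242+ A? www.example.com. (33)
12:01:02.200000 IP 10.0.1.5.51300 > 203.0.113.10.22: Flags [P.], seq 1:101, ack 1, win 4096, length 100
12:01:02.300000 IP 203.0.113.10.22 > 10.0.1.5.51300: Flags [P.], seq 1:201, ack 101, win 4096, length 200
12:01:03.000000 IP 10.0.1.5.51400 > 198.51.100.7.80: Flags [P.], seq 1:313, ack 1, win 4096, length 312: HTTP: GET / HTTP/1.1
12:01:03.500000 IP 10.0.1.5.51235 > 10.0.1.1.53: 4243+ AAAA? www.example.com. (33)
"""

# Groups: src ip, src port, dst ip, dst port, rest of the line.
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")
# Simple A/AAAA query as tcpdump prints it, e.g. "4242+ A? www.example.com. (33)".
QUERY = re.compile(r"\d+\+? (?:AAAA|A)\? (\S+?)\.? ")

def audit(capture, local_ip, ssh_server, ssh_port=22):
    """Classify outbound packets: inside the SSH tunnel, DNS leak, or other cleartext path."""
    report = {"tunneled": 0, "dns_leaks": [], "outside_tunnel": []}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != local_ip:
            continue  # unparsed line or inbound packet
        dst, dport, rest = m.group(3), int(m.group(4)), m.group(5)
        if dst == ssh_server and dport == ssh_port:
            report["tunneled"] += 1  # observers see only SSH ciphertext here
        elif dport == 53:
            q = QUERY.match(rest)
            name = q.group(1) if q else "?"
            if name not in report["dns_leaks"]:
                report["dns_leaks"].append(name)  # hostname visible to the local network
        else:
            report["outside_tunnel"].append(f"{dst}:{dport}")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, local_ip="10.0.1.5", ssh_server="203.0.113.10"))
```

An empty `dns_leaks` and `outside_tunnel` in the report is what a fully proxied browser session should look like from the hotspot side.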
Secure your internet connection at Starbucks
Authored by: gork on Aug 30, '07 11:05:03AM

It is important to understand exactly what is going on here and why this actually works.

802.1x does not encrypt your traffic. It is a secure (in the case of TTLS anyway) protocol that authenticates you to the network. In the case of 802.11 networks, in addition to authenticating your access to the network they will also negotiate a pairwise master key (PMK) which in a properly configured network will be unique between the access point and your computer. This key is then used to encrypt the traffic with WPA. This key in conjunction with WPA is what protects your traffic from being observed by other wireless users -- either unauthenticated users with no keys or authenticated users with different PMKs. It is worth noting that your traffic could be intercepted and later decrypted if the PMK you are using can be discovered or brute-forced.

Once your traffic hits the wired network though, it's in the clear. I highly doubt that T-Mobile is going through the trouble of maintaining 802.1x authentication on all of its wired infrastructure much less running transport mode IPSec on it. Obviously you still need to take the precautions of using SSL/SSH and avoiding insecure protocols but secure authenticated access to wireless networks is still critical in the scheme of things.



[ Reply to This | # ]
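The role of the PMK described in the comment above, as an added example that is not part of the original comment: it derives the WPA pairwise transient key with the IEEE 802.11i HMAC-SHA1 PRF and, going one step beyond the comment, contrasts a passphrase-derived PMK (the same for every client) with per-client PMKs as 802.1x produces. The MAC addresses, passphrase and SSID are constructed, and random bytes stand in for the PMK an EAP-TTLS exchange would yield.

```python
import hashlib
import hmac
import os

def psk_pmk(passphrase, ssid):
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise transient key (512 bits for WPA/TKIP) that actually encrypts the traffic."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def demo():
    # Constructed values; MACs and nonces cross the air unencrypted in the 4-way handshake.
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Shared passphrase: every client computes the same PMK, hence the same PTK.
    client = derive_ptk(psk_pmk("constructed-passphrase", "ExampleNet"), ap, sta, anonce, snonce)
    other = derive_ptk(psk_pmk("constructed-passphrase", "ExampleNet"), ap, sta, anonce, snonce)

    # 802.1x: each authenticated session gets its own PMK (random stand-ins here).
    pmk_a, pmk_b = os.urandom(32), os.urandom(32)
    ptk_a = derive_ptk(pmk_a, ap, sta, anonce, snonce)
    ptk_b = derive_ptk(pmk_b, ap, sta, anonce, snonce)
    return {"psk_same_key": client == other, "dot1x_same_key": ptk_a == ptk_b}

if __name__ == "__main__":
    print(demo())
```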