Why is using VPN so difficult?

I was in the Manchester Central library over the last weekend, a newly refurbished space that has very recently been reopened to the public. I was only visiting Manchester, so it seemed like a good thing to do and I have to say I was very impressed with the space. There were computers and interactive kiosks throughout, even the cafe tables had a “Surface” like feel to them with images and documents you can read and manipulate with your fingers. As expected there was free Wi-Fi.

I connected to it, and duly fired up my VPN. It didn’t connect. Confused, I tried again. Still failed. Free, public Wi-Fi which blocks VPN! All I wanted to do was check the viewing figures of the latest Host Unknown video, but even that could potentially expose my Google username and password to anyone snooping; with BSides Manchester just around the corner I wasn’t about to become the subject of someone’s Wi-Fi pineapple presentation, so I tweeted my concern (as you do) and disconnected.

There isn’t a piece of general security guidance that gets published that doesn’t include the advice never to connect through a public Wi-Fi point unless you are using a VPN. The risk of having your personal details, usernames and passwords transmitted and subsequently intercepted is too high and YOU MUST NOT DO IT! USE A VPN AT ALL TIMES!

Great advice, except that VPN has still not been adopted properly by any major hardware or software manufacturers of computers, tablets and smartphones. There needs to be a built-in, simple and ubiquitous approach to VPN now that mirrors the adoption of anti-virus of 15 years ago and encryption of 5 years ago. There are paid-for solutions for enterprises and the more technically minded and free solutions of both for the small business and home user. But not when it comes to VPN. No Apple VPN, or Google VPN for the average home user to be able to use with little effort or even understanding.

Where is VPN? Why can it not be made more accessible?

The VPN solutions on offer are typically smaller packages that the average person would simply not come across; basically, the technology has yet to be commoditised. If you have a problem convincing someone to use a decent complex password, think about trying to explain to them about using a VPN.

Even Apple, whose interface design in my opinion is some of the best in the industry, has missed a trick with iOS7; VPN is buried in the Settings app, rather than being on the easy access swipe menu where you can quickly and easily enable it and disable it. And what about the option to have it permanently running, automatically reconnecting when the device goes into standby? I have lost count of the number of times I have been using free Wi-Fi at a conference or hotel only to realise that at some point my VPN has disconnected without my realising it, and I am supposed to be a security professional.

Convenience always wins over security (a wise person once said) and so until VPN is made as transparent as antivirus and encryption (when installed properly) we are simply wasting our time trying to educate the greater population about using it the next time they are in Starbucks.

(Note: the Manchester Central Library Twitter account did respond, and we are in the process of communicating about the evils of open, password-free Wi-Fi. Perhaps some InfoSec locals may also wish to reach out to them to educate and discuss?)

About Thom Langford

An information security professional, award winning security blogger and industry commentator. Available as a speaking head and presenter on topics relating to information security, risk management and compliance.

9 responses to “Why is using VPN so difficult?”

  1. Craig West (@Wh1t3Fox) says :

    I came across the same situation and what I did was set up a listening port on my ssh server for port 80. Now I can bypass the public WiFi restrictions and create my own SOCKS proxy since the ssh tunnel is going through port 80.

    • Thom Langford says :

      There are plenty of technical ways to address VPN being blocked, but they are not available to the average person. If security is not transparent or easy it will simply be ignored in favour of convenience and productivity.

  2. JGJones says :

    VPN was something I keep telling myself to set up and keep putting off. Issues like this are one of the reasons I put it off. However the more I have learnt (and continue to learn) about cyber-security, the more I learn why a VPN is essential. I do use a VPN now as well as the ssh solution mentioned by Craig West.

    My problem is remembering to turn it on though when out and about.

    And free public wifi is only getting more common. For example – go to a typical large modern shopping centre and you probably would often find they provide a free wifi service (ie via O2/BT) – Leeds’ new shopping centre – Trinity provide a full free wifi coverage for example. And so many people, with smart phones to start with.

    I don’t have a wifi pineapple, but it would be very educational if I was to use it in Trinity in Leeds (or any other wifi sniffers)

  3. T Hype (@THypeSR) says :

    I haven’t seen any ‘Free’ wifi block the newer SSL or ESP based VPNs (including OpenVPN). Typically PPTP and L2TP are blocked in most cases. I have used HMA when necessary (before setting up my own private OpenVPN server, or when international to get better speed).

    Nice thing about Android or Jailbroken iPhone is that I have actions defined that when I connect to an unsecured Wifi, VPN automatically launches. From the OpenVPN client I can choose my personal server or connect to one of HMA’s.

    The bigger issue with public wifi and even password protecting it is no central AAA authority. For instance, in the US, Comcast has xfinitywifi hotspots available to all home customers (ok, good idea)…however, it is unsecured with a captive page you must enter your xfinity credentials (billing) on to get access (bad, bad idea!). This portal is a dream for a sniffer or cracker- since the SSID is the same and if you connect once the average person chooses ‘always connect to this’ – it is very easy to spoof the page and gain someone’s credentials. Same goes for any of the Meraki hotspots or business hotspots that boast ‘Facebook login’ – very easy to set up a fake page and harvest people’s credentials. A shared key is no better – someone on the network, with the shared key, could easily ARP spoof the router and capture network traffic and decrypt it later.

    Don’t know the solution (does it exist?) but this is something I wrestle with on even my home wifi – convenience for house guests with no password, but the security pro in me knows it is a bad idea and I would hate for someone to ‘war drive’ by and capture my friends’ data.

    • Thom Langford says :

      I think the technical challenges you state perfectly underscore this problem. The technology is not yet commoditized and so people will continue to do whatever is easiest, secure or not.

    • Stuart Moore says :

      Sadly I’m finding O2 free WiFi hotspots (UK) are blocking VPN. This covers the Waitrose supermarket cafe I’m in at the moment, and many Costa Coffee shops. I am using the openvpn and HMA clients.

  4. oogenhand says :

    Reblogged this on oogenhand.

  5. Robert Greene says :

    I find most Wi-Fi HotSpots block VPN connections. After having a look around the network I also find I’m on the same network as their cash registers, POS terminals and other computers. In one case they were also using uTorrent.

  6. Jim Strachan says :

    Yep, most (all? – I’ve yet to find one that allows it) public networks in my area (Edinburgh and south) block VPNs. Cafes, First Bus network, libraries – thus rendering the security advice about always using a VPN on a public network entirely spurious!
