Welcome To The Internet of Compromised Things

Something I use all the time when surfing (with Firefox; unsure if there’s something like it for others) is the add-on NoScript. It prevents all scripts from executing until they’re allowed, so it will break a lot of websites before you’ve allowed some, but I find it to be the best protection for my browser.
It’s also neat being able to block more of Google’s tracking… A lot of sites have “google-analytics.com” in them. ;p

I’d say this is an intermediate difficulty add-on to use, and I really recommend it. :slight_smile:

Only negative is that performing certain actions, like purchasing stuff with confirmation and some WYSIWYG real time editing functions won’t work unless you disable NoScript completely, else the XSS protection makes it… uncertain. :stuck_out_tongue:

Yeah, properly validating it is the rub, isn’t it. If a client wants to check, it will have to query each of the domains back to the root to build the signature chain. If your DNS server is DNSSEC-aware, then it will have those in its cache, but it’s still several round trips before trusting the result enough to connect to the server.

Though, most domains are not signed, so you just need to climb the hierarchy to find a properly signed lack-of-DNSSEC record, and then you know that you can totally trust these unauthenticated DNS records. And most deployed DNS servers don’t understand DNSSEC at all, so you need to find a more remote DNS server with more latency per round trip, or just do the whole recursive query yourself, defeating the purpose of DNS caching.

In practice, if a client does DNSSEC at all, then it is non-validating and DNSSEC-aware. The client just asks the configured DNS server to do DNSSEC validation, and the server just says that it has done so. The communication between the client and the server is also unauthenticated, so if your ISP doesn’t support DNSSEC and you have configured Google DNS instead (e.g., because Google does DNSSEC validation even though Google.com has no DNSSEC records), then every agent in the Internet between you and Google can spoof a reply, saying this is the result of your query and you can totally trust it because it says that it has done DNSSEC validation on this.

I don’t see a good solution to this. DNSCurve has the same problems; it just has smaller records and eliminates the possibility of running DNS slave servers that you don’t control and has even less adoption. TLS security doesn’t depend on the server that you’re connecting to actually being the right one, but everybody ignores its warnings anyway. We really need to move to a security model with trust agility.
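To illustrate the point above about non-validating stubs, here is an added example (not from the post): a parser for the 12-byte DNS header that shows the AD ("authentic data") flag is just a bit in an unauthenticated packet, next to the RFC 4035 section 4.9.3 rule a stub should apply before relying on it. The sample messages are constructed and carry only a header, no question or answer sections.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # "authentic data": resolver claims it validated DNSSEC
FLAG_CD = 0x0010  # "checking disabled"


def build_header(txid, flags, qd=1, an=1, ns=0, ar=0):
    """Pack a 12-byte DNS header (used here only to construct samples)."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_header(msg):
    """Parse the 12-byte DNS header and return its flags as a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def stub_accepts_as_authentic(msg):
    """What a non-validating, DNSSEC-aware stub does: it believes the AD bit."""
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def trust_ad(msg, channel_authenticated):
    """RFC 4035 s4.9.3: a stub may rely on AD only when the answer came from a
    trusted resolver over a secured channel; otherwise treat it as unvalidated."""
    h = parse_header(msg)
    return h["ad"] and channel_authenticated


# Constructed samples. Nothing in the header shows who set AD: the resolver
# after validating, or whoever rewrote the packet in transit. Byte-for-byte
# the stub cannot distinguish these two origins.
SAMPLE_AD = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_NO_AD = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
```

A stub that wants more than the AD bit has to do what the post describes: fetch the RRSIG, DNSKEY and DS records up to the root and verify them itself, or secure the channel to a resolver it trusts.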

No.

But if you insist, then the only 802.11ac router that I would buy right now is the TP-LINK Archer C7, purely because it’s fully supported by OpenWRT. No closed-source Ethernet and WiFi on this. I do not trust its manufacturer-provided firmware to run any longer than needed to replace it with OpenWRT.

But most of the TP-LINK product line is low-performance Mediatek (née Ralink) or binary closed-source Broadcom, including the TP-LINK Archer C5 v2. Yes, the router that they sell you now is not the router that they sent to the reviewers last year. Even buying the C7 is risky, because consumer router manufacturers suck donkey balls. (C7 v1 has pre-standard-ac WiFi that doesn’t work properly. C7 v2 works. Not much information in the wild about C7 v3, but at least it’s software-compatible with v2.)

The router that I use is the Buffalo WZR-600DHP. Same reason. Everything else in Buffalo’s product line sucks.

To shop for routers, I look for support for OpenWRT, and I also look for specs and model revisions on TechInfoDepot.info. Since most router companies completely change the router without changing the model number, SmallNetBuilder is almost useless.

Trying to do router security yourself is very tedious.


How about using two different browsers: one for the internet and one for configuring the router?
Of course you should always replace the factory credentials.

(There’s some logistics involved in installing (or rather downloading) the second browser with the same browser that you used to configure the router in the first place, but that could probably be solved with thumbdrives.)

Along with the Eero, this new Google wifi router looks promising!

Your assumption that an off-the-shelf router is going to be more reliable than your ISP’s offering is questionable, unless you are ready to buy a new router every year or so. Router manufacturers will not maintain legacy products forever, and firmware upgrades will depend on your good will. On the other hand, your ISP might maintain the router firmware for years, monitor security flaws all along, and force patches onto your router remotely.

How does the Apple Time Capsule stand in the security list? I have been thinking of upgrading to it for some time, mainly due to its built-in storage. However, I’m not sure about its flexibility with other major OSes. I have Microsoft, Ubuntu, Mac, Android and iOS devices. I guess it’s pretty common to have this many devices; however, security is the last thing most of us think about.

Time Capsule is sort of middling quality. Mostly, it seems more secure because it doesn’t support the normal range of insecure behaviors. WPS? Eliminated. UPnP? Eliminated. (It does have NAT-PMP, though not enabled by default.) Web administration interface? Eliminated. I don’t think you can even install a third-party firmware on it.

The downside for security is that Apple is really secretive and slow at fixing vulnerabilities. I don’t remember hearing about any particular Airport/Time Capsule issue, but I wouldn’t be surprised if there are mistakes in the code that are exploitable.

The main reason not to use Airport/Time Capsule is performance. The WiFi range and speed on those things is unimpressive.


Anyone checked to see if discourse.codinghorror.com actually encrypts the login page yet?

Cause as of the previous security related blog article, it was still butt-ass naked.

That’s why I use Google to log in, which goes through https :wink:

Great blog. The Inside Your Home and Outside Your Home sections are just what any average internet user would like to know about. Great!

I’m pretty bummed that I read through that entire cryptostorm article, thinking there was something there because Jeff linked to it. As I was reading, I kept thinking this sounded more and more like a conspiracy theory with almost no actual technical content (just “look - something I don’t understand! Must be malicious!”) but struggled through the entire thing before concluding it’s mostly BS.

A quick Google later confirmed my suspicions that it’s already being well-debunked…or maybe my router is just compromised and that’s what they want me to think.

This is very true.
Most do not know what risks they are taking by connecting to an unknown network!
This compromise in security could easily lead to personal and bank details being stolen.
I never knew one could be attacked by only an infected router alone.

Thank you for all your tips!
Some of these steps are too difficult for standard users which would mean that they are still vulnerable.

Never access anything but HTTPS websites.

This should be spread so that everyone can be safe.

Same here. I want my time back :weary:

I was already suspicious when it mentioned the OCSP URL 404 thing as if it were something significant, and I gave up 3/4 of the way through, when I saw this:

It claims “numerous proven methods” and links a bunch of askubuntu questions with GPG errors from APT; no proof.

That’s when I looked into what kind of organization this thing is, and on the surface it looks like a VPN service with a neat sense of aesthetics, but they also have wacky stuff like a collection of “suspicious looking certificates”, with criteria such as “Subtle typos in the names of companies. Start times that are 1:00:00 exactly. That sort of thing”.

Uhhhhhh… well if they say so.

@codinghorror can you add an edit around that cryptostorm link, warning readers that it’s bullshit? At best, it’s an inconclusive info dump, there’s nothing indicating that messing with DNS or BGP will break HTTPS.

edit: Here, have Adam Langley telling you that it’s nonsense. I didn’t get here through HN but I wish I had seen this comment before.


DefCon this year was full of different vulnerabilities on the IoT, including in cars. It was like a playground out there for hackers. Lots of fun, unless you get hacked, I guess.

The Netgear Nighthawk is an awesome router and it offers vpn for you to use when away. I generally use my phone’s wifi hotspot when out and about though, because in addition to security, the bandwidth is much better.

Looks like a typical overpriced consumer-level router. Who knows, Asus may have a good offering. It’s just the look of the thing that reminds me of years of Linksys WRT54G hardware upgrades (read: downgrades).

Why not try a Ubiquiti? I use a Motorola modem for DOCSIS, connected to a Ubiquiti Picostation. The little thing is a workhorse and it has all the advanced features I could ever want. I actually purchased it with the intent of loading custom firmware (i.e. it was replacing my crippled DD-WRT router) but liked the stock capabilities enough that I didn’t bother.

It can be configured to work as SOHO, wireless bridge, and mesh network node. With all the usual advanced networking capabilities. They’re cheap but surprisingly powerful for the cost.

My solution to this is to use a VDSL modem that just passes through the PPP level packets for my Linux server/router/firewall to do the PPPoE part of things. This way I have full control and it’s all my responsibility for keeping it up to date and configuring correctly. No trusting some ‘open’ firmware vendor to not put hardcoded credentials (I’m looking at you OpenELEC, or have they fixed that in later versions?) and to otherwise be on the ball.

So for anyone comfortable with using a custom firmware on a ‘router’ I’d advise going this route instead. WiFi is a separate unit and goes inside the Linux router, preferably on its own sub-net with firewall rules controlling what it can access internally.

And, yeah, I need to get around to setting up a home VPN (for my phone to use when on random WiFi), given I finally have decent (for a home connection) upstream bandwidth.

Good set of recommendations in this blog post:

In my earlier Mirai blog post, I offered some guidelines that are both practical and achievable in the home router and IoT device market. My hope with the following guidelines is to inspire innovative technical solutions among device vendors and service providers to redesign or update home routers to limit the risk that these devices will end up being used for nefarious purposes:

  1. Design home routers and IoT devices to operate with read-only filesystems, making run-time installations of malware impractical.
  2. Disable any packet crafting/spoofing/promiscuous mode at the firmware level to avoid malicious use of network resources on these devices.
  3. Provide automated updates for firmware with either planned downtime or no downtime to resolve vulnerabilities proactively.

The purpose of these lightweight, low-cost devices is to transit network data or stream live data (like IP cameras) with little reason for any persistence. In fact, some of the newer home routers do operate within a chroot and a read-only file system, making it hard to both exploit these devices and install third-party software for persistence. Even if a would-be attacker learns or guesses an administrative password, malicious code installation performed by VPNFilter and Mirai would not be successful on these devices.


With the release of the Mirai source code and the rise of the Mozi botnet, this issue isn’t going away.
