I use mobile data on my phone.
I carry my laptops in a case. It’s not hard to fit a router in that case.
Never use public wifi.
https://www.techtarget.com/searchsecurity/definition/Wi-Fi-Pineapple
It’s not possible to authenticate public wifi. Anyone with a stronger radio can override a public wifi AP name and impersonate it. And this DHCP option 121 allows them to strip your VPN away.
Until you do have a problem.
I mean, duh. But people are famously dumb and accept invalid certs quite often. If you took the time to make this comment and reply to my message you might assume that someone of our caliber would know this; no?
Recent-ish browser changes have made this a bit harder and more obvious to an end user, but you would still be surprised.
You’re right, I missed the fact it exploits DHCP to route the traffic, bypassing the VPN’s encryption altogether.
But my broader point was: don’t trust public/hostile networks, rather than that this specific issue was already known. I don’t use public wifi, I always hotspot off my corp-secure phone.
I mean that’s going to take a side channel attack to get its effects.
Every OS is sometimes vulnerable to some things.
Rip the option out of the DHCP app and manage routes in a way that the VPN can see? Why the DHCP service can augment routes is weird anyway…
Can you give an example of what a host is?
One of my interview questions is: what are the 4 stages of DHCP? You don’t have to give me DORA, you don’t have to name them correctly, you don’t have to tell me what’s unicast and what’s broadcast. Just give me something which shows you have a basic understanding.
Nobody can answer that bloody question.
The only noteworthy discovery they made is the fact that option 121 defaults to using the network interface used for the DHCP traffic. Everything else seems to be just dressing the option 121 as a boogieman it’s not (VPN vulnerability) when in actuality, it’s a network design option that can be used maliciously. This can be used to redirect any traffic to any service or device, so not VPN specific.
It’s literally just routing.
There are also very small portable routers with VPN capability for exactly the purpose you describe.
For most people I guess there isn’t a relevant threat scenario to avoid this. Https is pretty ubiquitous.
I’m not concerned about it. I use Walmart and McDonald’s wifi all the time. All my traffic goes over encrypted WireGuard to a cloud VPS I pay for. Have never had any issues.
Note: Your link doesn’t work btw
Happens a lot in McDonald’s, does it?
Can be said about everything.
What’s wrong with mint?
It’s a feature. Around the time DHCP was being developed, it was perfectly acceptable to trust anything that didn’t get filtered by the firewall. Workstations often had a public IP address, and ssh had not yet replaced telnet/rsh. RIPv2 was still used for routing.
Why not use DHCP to provide dynamic routing updates?
Yes, it’s situational, but sounds pretty vulnerable to me.
Business people travel and want to access their company networks from places like hotels, coffee shops, other companies’ guest wifi, etc.
Yea, but they’re trying to close up control of the net, and getting Joe Schmoe afraid of VPNs is one of the steps
Is that actually necessary to the job though?
I could tell you nearly every bit of a TCP header from memory because I interact with raw traffic a ton. I couldn’t name the 4 stages of DHCP because it has never been something I need to know
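
The following is an added example, not part of any comment in this thread: a defender-side check that decodes a DHCP option 121 payload (RFC 3442 encoding) and lists the pushed routes that would take precedence over a VPN's default route. It assumes the VPN installs a 0.0.0.0/0 route; the function names, the leased subnet and the sample payload are constructed for illustration.

```python
import ipaddress

def parse_option_121(payload: bytes):
    """Decode an RFC 3442 option 121 payload into (network, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8  # only the significant destination octets are sent
        if i + 1 + n + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i + 1:i + 1 + n] + bytes(4 - n)
        router = payload[i + 1 + n:i + 5 + n]
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes

def routes_to_review(routes, leased_subnet: str):
    """Routes more specific than a 0.0.0.0/0 default that reach beyond the
    leased subnet: by longest-prefix match they win over a VPN default route
    (assumption: the VPN relies on a /0 route)."""
    leased = ipaddress.IPv4Network(leased_subnet)
    return [(net, gw) for net, gw in routes
            if net.prefixlen > 0 and not net.subnet_of(leased)]

# Constructed sample payload (not captured traffic): four routes via 192.168.1.1
GW = bytes([192, 168, 1, 1])
SAMPLE = (bytes([1, 0x00]) + GW                  # 0.0.0.0/1
          + bytes([1, 0x80]) + GW                # 128.0.0.0/1
          + bytes([0]) + GW                      # 0.0.0.0/0, an ordinary default route
          + bytes([25, 192, 168, 1, 128]) + GW)  # 192.168.1.128/25, on-link

if __name__ == "__main__":
    for net, gw in routes_to_review(parse_option_121(SAMPLE), "192.168.1.0/24"):
        print(f"review: {net} via {gw}")
```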