# Mitigate the risk of using a WEP only router?

## Budoka

If I put a travel router with WPA2 capability between my box and a public wifi router that only has WEP capability (Yeah I know but out of my control) am I now better protected?

I am using a travel router to connect to a public wifi that only has WEP. The travel router then broadcasts the signal under a new AP name and uses WPA2. But I am confused.

So in this scenario, I know that the traffic between my Gentoo box and the travel router is encrypted with WPA2, but is the traffic between the travel router and the wifi router also WPA2? Or does it revert to WEP because that is what the wifi router uses? Or is it now WPA2 encrypted traffic over WEP? Also, what does it look like when I am sending data outside of the network, i.e. Internet banking etc.?

Hopefully, my question isn't too confusing.

----------

## eccerr0r

Reverts to WEP.

I would hope most internet banking is done with SSL anyway so it (mostly) doesn't matter that it's WEP.

----------

## Budoka

 *eccerr0r wrote:*   

> Reverts to WEP.
> 
> I would hope most internet banking is done with SSL anyway so it (mostly) doesn't matter that it's WEP.

 

Thanks. So basically the travel router, even though WPA2, does little to add security because the WIFI router is WEP. Correct?

Whenever I do anything banking related etc I go through a VPN. Rather err on the side of caution.

----------

## NeddySeagoon

Budoka,

Look into using a VPN.  

Public wifi suffers from everyone on the same network using the same key, so everyone can see each other's data if they want to.

Some applications will use SSL, some won't.

The only fix is to run your own encryption over the public wifi.

----------

## Budoka

 *NeddySeagoon wrote:*   

> Budoka,
> 
> Look into using a VPN.  
> 
> Public wifi suffers from everyone on the same network using the same key, so everyone can see each other's data if they want to.
> ...

 

Thanks, Neddy. I generally, as a rule, use a VPN. Which actually just reminded me of something...

I noticed that when I use just the travel router without VPN all of my ports are Stealthed but my box apparently responds to ping. When I turn my VPN on SSH, HTTP, and HTTPS are opened and everything else is still stealthed. Is one preferable over the other? I generally check any new network I jump on with Shields Up before sending traffic over it. But am not great at interpreting the results. LOL

----------

## NeddySeagoon

Budoka,

When you use a VPN your host should show a few open ports over the carrier IP address and everything else over the VPN tunnel.

The open ports on carrier IP address are just to allow your carrier dhcp lease to be renewed. 

Everything else should go over the VPN.

----------

## szatox

 *Quote:*   

> VPN (...) The only fix is to run your own encryption over the public wifi.

You make it sound as if a retail connection was more secure.

The difference isn't all that significant. Your neighbour's kid may find it harder that way, but even things like accidentally hijacking the internet with misconfigured BGP have been reported...

----------

## NeddySeagoon

szatox,

Is that with cable (TV) internet?

I've heard a few horror stories but I live in a wee village. Cable is not an option.

Wifi is insecure everywhere.  I wouldn't do banking or shopping over my own wifi, never mind wifi that I knew was shared.

----------

## szatox

Doesn't matter. People are more or less the same everywhere.

Wifi or no wifi, if you wanna do something that needs security, make sure you use SSL and the certificate presented by the server is valid. If you do, open wifi doesn't matter.

If you don't, well, the wires are long. Everything depends on how bold the eavesdropper is. Bonus point if he is a malicious employee on ISP's staff. Who knows what you would discover if you actually put some effort into diagnosing that flapping connection to another segment...

BTW, a short article on security of BGP: https://www.bishopfox.com/blog/2015/08/an-overview-of-bgp-hijacking/

First, you need at least a /24 IPv4 pool, and preferably a /22... Then you can route all the internet through YOUR wires ;)

----------

## NTU

If you're concerned about wireless security, use OpenWRT and operate on frequencies that are not supported by common devices and also violate FCC regulations way beyond spec to the point of rendering the modem incompatible with common laptops and wifi dongles. Then you won't even need WEP/WPA!

----------

## eccerr0r

 *NTU wrote:*   

> If you're concerned about wireless security, use OpenWRT and operate on frequencies that are not supported by common devices and also violate FCC regulations way beyond spec to the point of rendering the modem incompatible with common laptops and wifi dongles. Then you won't even need WEP/WPA!

 

Yay security by obscurity.

----------

## NeddySeagoon

NTU,

That will attract the attention of all sorts of people for all the wrong reasons.

None of them will be interested in your data either.

----------

## Budoka

 *NeddySeagoon wrote:*   

> The only fix is to run your own encryption over the public wifi.

 

That is what I was hoping to accomplish putting the WPA2 travel router between me and the Public Wifi. But seems that doesn't get the job done. Anyway thanks as always.

----------

## NTU

 *eccerr0r wrote:*   

> *NTU wrote:*
>
> > If you're concerned about wireless security, use OpenWRT and operate on frequencies that are not supported by common devices and also violate FCC regulations way beyond spec to the point of rendering the modem incompatible with common laptops and wifi dongles. Then you won't even need WEP/WPA!
>
> Yay security by obscurity.

 

You mean invisibility, but yes, very much so. Do people roll around in vans scanning for secret radio waves? Must have missed that memo.

By the way, 'twas a joke.

----------

## NeddySeagoon

NTU,

There aren't any empty spaces in the radio spectrum.

By moving out of one of the very small unlicensed bands, you move into someone else's space.

They will notice and call out the vans you mention.

----------

