How-to Guide Protect Yourself Against MITM Attacks

Discussion in 'Tutorials & Guides' started by Umbra, Oct 28, 2016.

  1. simmerskool

    simmerskool Level 4

    Apr 16, 2017
    170
    329
    non-profit corporate consultant
    USA
    Windows 7
    Emsisoft
  2. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,162
    29,627
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    More or less, it is a web service version.
     
    Sunshine-boy likes this.
  3. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,169
    5,185
    IRAN
    Windows 10
    ESET
    IF you use Yandex browser you don't need it.
    I can't use it any more cuz government blocked it(5 months ago):p


    DNS spoofing protection
    Protect active security technology scans files and website for viruses, blocks fraudulent webpages, protects passwords and bank card details, and keeps online payments safe from theft.

    DNSCrypt
    The world's first browser with support for DNSCrypt technology. Encrypts Domain Name System (DNS) traffic. For example, it protects from a trojan DNSChanger, a tracking Internet provider, or hackers. This option must be enabled in the browser settings.
     
    simmerskool likes this.
  4. DeepWeb

    DeepWeb Level 9

    Jul 1, 2017
    435
    1,414
    Nurse
    On a journey
    Windows 10
    Emsisoft
    Just make sure your connection is HTTPS using TLS and it will get validated that way. Any site that cannot be validated will not be resolved using HTTPS and your browser will tell you that it could not connect or reset the connection or connection timeout.

    I would also argue to worry less about the last mile from DNS resolver to your PC. Worry more about what your DNS resolver does. If you have DNSCrypt but your resolver doesn't use DNSSEC, what's the point. Your resolver gets fooled and will send you the wrong address. If your DNS resolver validates DNSSEC, you get herd immunity by it validating all queries it receives for you before they get sent to you.

    This is another example where you choose between privacy and security. If you want security, actually your ISP has DNSSEC validating resolvers that are the least likely to be spoofed because they have the experience, they log traffic to pay attention to criminals, and it would hurt their image the most if people found out that their traffic gets routed to the wrong place. Your ISP's DNS resolvers also can only be accessed by subscribers like you which further reduces the attack surface. Finally most ISP DNS resolvers will reject pings and other queries making them practically invisible on the web. If you don't believe me, test them here: GRC | DNS Nameserver Spoofability Test

    Long story short your ISP's DNS resolvers are the most secure but also the least private when it comes to govt surveillance and logging. Those other DNSCrypt resolvers may be more private but also easier to fall victim to DNS cache poisoning because they are run by volunteers, not billions in revenue from paying customers. Unless you are on public wifi I wouldn't worry. If you are on public wifi, VPN is a must anyway. :)
     
  5. Glashouse

    Glashouse Level 4

    Jun 4, 2017
    154
    322
    Germany
    Windows 10
    Emsisoft
    totally agree but whould like to add that using a VPN is not always everything you need. most of the clients you'll get from the vpn providers change your DNS Servers for privacy reasons... this makes you vulnerable for dns poisening / spoofing!
     
    HarborFront likes this.
  6. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,752
    Far East
    Agreed. That's why you need to select a VPN provider which has secure DNS server
     
    Glashouse likes this.
  7. Glashouse

    Glashouse Level 4

    Jun 4, 2017
    154
    322
    Germany
    Windows 10
    Emsisoft
    or overide the vpn providers settings and use your prefered ones...
     
    HarborFront likes this.
  8. DeepWeb

    DeepWeb Level 9

    Jul 1, 2017
    435
    1,414
    Nurse
    On a journey
    Windows 10
    Emsisoft
    Rightfully so. A good VPN will encrypt all of your traffic and tunnel DNS queries to its own DNS servers. Now it's up to the VPN provider to protect you. :)
     
    HarborFront and Sunshine-boy like this.
  9. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,752
    Far East
    Sunshine-boy and DeepWeb like this.
  10. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    You don't have to worry about ARP unless you are connected to a LAN.

    COMODO has a setting for ARP spoofing.

    Research ARP cache poisoning or spoofing online. You might have to read multiple articles and piece it altogether.
     
    Sunshine-boy, SHvFl and HarborFront like this.
  11. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    The whole point of changing the DNS is precisely to protect against DNS poisoning\spoofing. The better VPNs offer secure DNS.
     
    Sunshine-boy, SHvFl and simmerskool like this.
  12. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,752
    Far East
    I think Zonealarm firewall also has such a feature

    How about if your laptop is connected to public WiFi? Thanks
     
    SHvFl likes this.
  13. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    How WiFi Hotspot Hacks Occur
     
    Sunshine-boy, SHvFl and HarborFront like this.
  14. simmerskool

    simmerskool Level 4

    Apr 16, 2017
    170
    329
    non-profit corporate consultant
    USA
    Windows 7
    Emsisoft
    would you please share the names of a few vpn that you KNOW offer secure dns. I'm looking into 2 vpn and unclear how secure their dns is, at least at first look...
     
    Sunshine-boy, frogboy and SHvFl like this.
  15. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,391
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    #75 SHvFl, Jul 19, 2017
    Last edited: Jul 19, 2017
    Private internet access, airvpn...

    Basically they force their dns which is rooted through their servers. So it doesn't leak or use your isp or location dns.
     
  16. Glashouse

    Glashouse Level 4

    Jun 4, 2017
    154
    322
    Germany
    Windows 10
    Emsisoft
    simmerskool likes this.
  17. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,752
    Far East
    If I'm not wrong Windscribe VPN has it

    Actually. AV software like paid products from Avast have Secure DNS too

    Secure your DNS | Defend against DNS hijacking attack
     
    Sunshine-boy and Transhumana like this.
  18. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    I only recommend IVPN, but it is expensive

    Search online for "That one privacy guy" and it will take you to a page where all major VPNs are reviewed

    Find the Excel comparison spreadsheet
     
    Sunshine-boy and simmerskool like this.
  19. Glashouse

    Glashouse Level 4

    Jun 4, 2017
    154
    322
    Germany
    Windows 10
    Emsisoft
    Just look two posts before yours :)
     
    frogboy likes this.
  20. simmerskool

    simmerskool Level 4

    Apr 16, 2017
    170
    329
    non-profit corporate consultant
    USA
    Windows 7
    Emsisoft
    Thank you! :)
     
    SHvFl likes this.
Loading...
Similar Threads Forum Date
3 Practical Tips to protect yourself against anti-ransomware Backup, Sync and Encryption Mar 24, 2017
Hacking Alert Protect Yourself from KRACK WiFi Vulnerability Security News Oct 19, 2017
Cloudbleed: How to Protect Yourself After the Data Leak News Archive Feb 25, 2017