by dspillett 3075 days ago
My solution has always been to use a VPN, not just on an untrusted network but on any wireless network (for any comms using an insecure protocol any wireless network, even one run by yourself to the highest standards, is an untrusted network anyway). When WEP was broken it didn't affect me because the WLAN was just a transport and my traffic was protected by the VPN. When WPA was broken it didn't affect me because the WLAN was just a transport and my traffic was protected by the VPN.

Of course this creates two problems which make it impractical for the man-on-the-street: choosing the solution and host (in my case OpenVPN with end-points running on my home network and a hosted VM as a backup in case that link is down) and keeping yourself (your server, your client, your configuration) up-to-date as new exploits are found. But I'm not a man-on-the-street in this instance so it works for me. There are a number of solutions that claim to provide out-of-the-box methods that the untrained can use without any effort, but there is still the "which service do I trust?" issue to contend with from both security and reliability points of view.

A side problem is client support on devices, particularly mobile phones, though from my selfish PoV that is a lot easier now: OpenVPN seems reliable on my Android devices, Windows Phone is effectively dead, and I never had an iDevice so haven't needed to care. The final problem is a human one: remembering to turn it on if you don't have it on all the time automatically.

The same works when providing wireless access to or via a network you care about, such as wireless access in an office environment. The access point could be left as open as open can be (though security in depth: there is no harm in turning WPA2 on as an extra layer of protection) but don't let it route anything that doesn't look like your VPN traffic and let the VPN handle security.

If you need to provide wireless access for guests (visiting clients for instance) have a separate WLAN with all the usual protections that doesn't route to your other local network legs at all (without going out and back in via a VPN of course). Beyond that, their security is their problem.
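The "open access point that routes nothing but VPN traffic" layout described above, written out as an nftables ruleset. This is an added example, not configuration from the comment author; it assumes a single box that is both the wireless router and the OpenVPN server, with interfaces wlan0 (the open AP), eth0 (the office LAN) and tun0 (the OpenVPN tunnel), OpenVPN listening on UDP 1194, and an IPv4-only radio segment.

```nft
#!/usr/sbin/nft -f
# Assumed layout (not from the post): one box is both the wireless router
# and the OpenVPN server. wlan0 = the open access point, eth0 = the office
# LAN, tun0 = the OpenVPN tunnel, OpenVPN listening on UDP 1194.
# The radio segment is assumed to be IPv4 only, so no ICMPv6/RA rules here.
flush ruleset

table inet open_ap {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The radio segment may talk to this box only to get an address
        # and to open the tunnel; nothing else on the router is reachable.
        iifname "wlan0" udp dport 67 accept      # DHCP
        iifname "wlan0" udp dport 1194 accept    # OpenVPN
        iifname "wlan0" drop
        # Tunnel clients and the wired LAN see the router's normal services.
        iifname { "tun0", "eth0" } accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Nothing is routed off the radio segment in the clear.
        iifname "wlan0" drop
        # Once inside the tunnel, clients reach the LAN (and beyond) normally.
        iifname "tun0" oifname "eth0" accept
        iifname "eth0" oifname "tun0" accept
    }
}
```

Because the radio segment gets no DNS before the tunnel is up, the client's OpenVPN profile has to name the router by the IP address it carries on wlan0 rather than by hostname; `nft list ruleset` shows what was actually loaded.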

3 comments

I go a little further in the same direction: I treat even my wired home network as an untrusted network transport. My home server exposes exactly the same things to the LAN that it does to the public Internet (indeed as far as I'm concerned the LAN just is part of the public Internet - with IPv6 my home server even has the same address from either). My only open ports are secure protocols like SSH or HTTPS or PostgreSQL-with-SSL.

I do use OpenVPN to run a few "legacy" nonsecure protocols - the servers for those listen only on the VPN interface which isn't bridged to the physical LAN - but these days I very rarely need it.

I'm with you on the majority of your comment, but I'd contend that VPNs are definitely accessible for your average person, assuming they're actually aware of them and how they help. Sure you don't get the same guarantee regarding logs etc. if you use a commercial option instead of rolling your own, but that's a different threat to the one described in the article.

In terms of trust, I'm happy going with bigger names which have more to lose if they turn out to not be doing what they say. Private Internet Access (no affiliation) for me ticks this box, is a really simple install on my phone + laptop, and has anonymous payment methods as well if that's something that's important to you.

There are two places where I found this approach problematic because I want to VPN to my home LAN.

First, client devices with OpenVPN don't support tap, only tun. This means that when I'm not home, I can't, e.g., reach my home NAS, etc.

Second, like most Americans, my home internet connection is dog slow. I get 80/5 Mbps. The 80 is tolerable, but the 5 is a drag. Surfing the web when I first have to VPN home...

Bonus problem: even with a business ISP setup, I am still under restriction with what I can do with my own IP address, can't get a static IPv6 allocation, etc.

I'm lucky enough to reliably see 76 down 17 up, the best you can get for a residential location in the UK generally unless FTTP is available to you, which is more than sufficient for most of what I do (mail and other mainly-text-with-some-images comms, HN, StackExchange, shopping, SSH & remote desktop or equivalent for various admin). On shared wireless or 3G/4G getting 17+ as a sustained rate is pretty rare in my experience anyway. And I've got a couple of static IPv4s to play with, and a /48 IPv6 should I ever get around to using that properly, which I can do pretty much anything I like with and the ISP doesn't shape traffic beyond basic QoS measures either. It isn't a cheap connection, but nice...

Another advantage of the VPN endpoint being at home is that location sensitive applications think I'm there. This seems to reduce "are you a human?" checks in some places, and extra "characters 3, 9, and 11 from your password" requests during credit card payments.

One extra disadvantage, that doesn't affect me but would be a concern to someone gaming or taking part in other timing sensitive tasks, is extra latency, but you'll experience that on any VPN.

I've not found lack of tap support an issue, as I've only needed TCP & UDP via IPv4 anyway so normal routing options over tun do the trick. The lack of local broadcast support can break name resolution in some cases but that is nothing I can't fix with a hosts file entry or static hack in the LAN's DNS resolver.