I was reading this question when I thought: Some emergencies requires that you log on in e-mail or another sensitive sites in public internet computers. Remember that points:
- You cannot install anything;
- You will use probably internet explorer 6+
- You will use probably Windows XP
I think that maybe an on-line service will met that requirements...
You can't. Two-factor authentication with one-time passwords (OTPs?) would be the first requirement, as your keystrokes and login procedure no doubt will be recorded. This would make it harder for an attacker to reuse anything another time...
...however even if you then establish an encrypted tunnel - there is of course nothing preventing all the information you pass through it to be dumped as you don't control your endpoint.
So as long as you're only protecting the access rights, sure, it can be done decently protected (though nothing is ever secure). But all the information available to you during that session should be thought of as public property as you can't control its distribution when the client is compromised.
It could be using hardware logging so even if you break into the terminal and boot your own operating system, you wouldn't know if it's safe ^^
I doubt you can guarantee security from a public terminal. If your sensitive services are available via HTTPS, that will give you some protection from line sniffing or proxy servers between the workstation and the server. However, there is no guarantee that there will not be a recording application on the computer itself such as a key-logger or desktop recording software monitoring everything that you do. If possible, boot your own micro-OS from a portable USB storage device and work with that and connect to the server through a secure VPN or other encrypted connection. Even that isn't foolproof though, as a hardware key-logger could potentially be installed on the keyboard or connecting cable (thieves have even done this sort of thing with ATM machines to get your card's magnetic strip and your pin number).
A lot of this depends on how much you trust the public machine. Who is running it? If the machine or network is under the control of someone or an organization you do not trust to handle privacy issues competently, there aren't many options available to you to ENSURE your privacy. The machine may have keyloggers (hardware or software) or other monitoring software.
If you must do this though, or if your primary concern is people who may use the public terminal after you and have similar access abilities, I'd go with the following:
I have installed a SSH Java applet on the Linux boxes I need to go to and have
skeyauthentication (one time key) enabled for both login andsudowith a list of at least 50 valid keys in my pocket (without any indication that could help a thief identify to which box these keys are valid).To access my e-mail I use Emacs with Gnus from this console.
This setup works for me as most installations of Windows have some sort of Java pre-installed and the SSH applet I works even on ancient versions of Java.
I am aware that this way the communication I do while working is not safe. I primarily try to protect from login-attempts and replay-attacks using the one-time passowords offered by
skey.First do a quick scan of the hardware physically (look for keylogger hardware on the keyboard plug/cable). For the truly paranoid, bring your own keyboard. (as keylogging modifications may be present inside the keyboard.)
Boot into your own pre-prepared OS from usb stick or cd. (prevents any malware or spyware already present on the machine from affecting you). An OS on read-only media might be more secure.
Even after all that, you still can't trust the machine as it is still possible for rootkits to be present.
At that point you can start an ssh or vpn connection to your home machine/network, and work remotely. Just be aware that any key negotiation may be intercepted by a man in the middle attack. You can put your ssh key on the read-only media along with the os.
You can never really truly trust interacting with a public machine in the end, no matter what measures you take.
Always be aware of the possibilities of the hardware logging your keystrokes, man in the middle attackers on the network, etc...
As is usually the case when it comes to security, you provide layer upon layer of protection, and hope that your layers are thicker than the determination and ingenuity of any potential attacker to compromise you.
You can either go very far with all this, or decide that a simple ssh tunnel with your keys on a usb stick is sufficient. There will always be risk, and how far you are willing to go to diminish that risk is up to you in the end.
(Personally I wouldn't touch a public computer to do anything important with a ten foot pole, no matter what measures I think I have in place.)
I've heard people suggest copying any passwords or other sensitive information one character at a time using the mouse. The aim is to fool key sniffers since the basic ones (probably most keysniffers) won't look for the mouse copy/paste.
And you can always try to copy/paste non-sensitive characters into another window or mix mouse copy/paste with keystrokes to confuse the picture even further.
Having tried this while travelling overseas it gets frustrating pretty quickly! :)
Here's a totally different way around this - a web-based virtual desktop where you get a bunch of virtualised desktop apps like email, browser etc but nothing is touched on the client machine, it's quite secure and often free'ish. The one I've played with is g.ho.st
We use a commercial service, iPass. Main reason we chose them was availability with a nearly world wide. They do use a safe word password generating pendant (small fob for a key ring). While nothing is totally secure, this will discourage 99.99% of the people trying to steal passwords or login ins.
It's possible to browse semi-anonymously and over SSL using a proxy web service like the old
nph-proxy.cgiscript. Put this on a web host and accessible by HTTPS. This will also help to bypass network-based content filters.nph-proxy.cgican be slow and it doesn't handle embedded stuff like flash, but it usually gets the job done when no other method is available.Please also beware of keyloggers when using public computers. Read few more tips to use public computers safely at below post: http://www.etechplanet.com/post/2010/06/27/Using-a-Public-Computer-Safely-Information-Security-Awareness.aspx