Strong encryption
All internet traffic is redirected over a secure encrypted VPN tunnel. WifiMask uses VPN technology with so-called "Top Secret"-level encryption:
Carefree
Firewall rules are activated as soon as you hit "Secure connection" and when the app is reconnecting.
Deeper dive into the world of WifiMask
A more technical explanation, though I will try to keep it fun and easy to understand.
What happens when the app is "Reconnecting...", am I still safe?
As soon as the internet connection is lost and the app is reconnecting, firewall rules kick in to prevent leaking your unencrypted data on the Wi-Fi network.
While the app is trying to get its connection back up with a WifiMask router, only two kinds of traffic are allowed: traffic over ports which are secured and encrypted by default, like HTTPS and SSH (ports 443 and 22), and traffic over ports needed to get the network back up again, which are DNS and DHCP (ports 53, 67 and 68).
All other ports and unencrypted traffic like HTTP, SMTP, POP3 for email are blocked.
This means you have a secure connection from the moment you hit "Secure connection" until you press "Disconnect" manually.
As soon as the app has its connection back up, all internet traffic is redirected over the secure connection and the firewall rules are disabled, allowing you to visit HTTP pages again through a secure and encrypted tunnel.
What about the security of the website, my account information and password?
First of all, your credit card details never touch our servers. These are only verified directly from your browser with our payment provider over a secure connection at https://stripe.com. The only thing we get back from them is a verification ID connected with your email address and the last 4 digits of your credit card.
Your password never ends up in clear-text on our servers. Your password is "hashed" before it's saved in our database, which means your password is sent on a one-way trip to hashplanet, which changes its language and appearance so that it doesn't make sense to anyone anymore.
For example, the hashed version of the password "nevergonnagiveyouup" (very bad password) can be something like this:
$2y$10$gZiSFGX.BC/WOoctszVci.cGaOMVthB/X7.4734Xco7mofg38M8Q6
So how is your password verified? When you log in, the hash of the password you provide is compared with the existing hash in the database. Only if they are equal can you log in. We use the hashing algorithm "bcrypt" with a cost factor of 10, which makes every Hashcracker's head explode.
This website is protected with a Web Application Firewall (WAF) for an extra layer of protection against all sorts of web attacks, like SQL injection and XSS, fancy synonyms for "cracking", which is often mistranslated into "hacking". When the WAF's security rules show you the message "Not Accessible" in your browser, then you know the FBI will knock down your door and lift you from your bed the next morning. Or let us know what happened and we will call them off.
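What a stored bcrypt string like the sample above encodes, as an added example that is not WifiMask's code: the variant, the cost factor and the salt sit in the clear next to the digest, which is what lets a server recompute the hash at login and compare it. `parse_bcrypt`, `needs_rehash` and the `min_cost` policy value are hypothetical names, and `SAMPLE` is the page's sample hash written as one unbroken 60-character string.

```python
import base64
from dataclasses import dataclass

# bcrypt's base64 alphabet, and the standard alphabet it maps onto index by index.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(BCRYPT_B64, STD_B64)


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2a", "2b", "2x" or "2y"
    cost: int      # log2 of the number of key-expansion rounds
    salt: bytes    # 16 bytes, stored unencrypted beside the digest
    digest: str    # 31 characters of encoded hash output

    @property
    def rounds(self) -> int:
        return 1 << self.cost


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into the fields a verifier reuses."""
    parts = stored.split("$")
    if len(stored) != 60 or len(parts) != 4 or parts[0] != "":
        raise ValueError("not a 60-character $variant$cost$data string")
    _, variant, cost, data = parts
    if variant not in {"2a", "2b", "2x", "2y"}:
        raise ValueError(f"unknown bcrypt variant {variant!r}")
    if len(cost) != 2 or not cost.isdigit() or not 4 <= int(cost) <= 31:
        raise ValueError(f"bad cost field {cost!r}")
    if any(ch not in BCRYPT_B64 for ch in data):
        raise ValueError("salt/digest has characters outside bcrypt base64")
    # 22 characters carry the 128-bit salt; pad to a multiple of 4 to decode.
    salt = base64.b64decode(data[:22].translate(TO_STD) + "==")
    return BcryptHash(variant, int(cost), salt, data[22:])


def needs_rehash(stored: str, min_cost: int) -> bool:
    """True when the stored cost is below a policy minimum (assumed value)."""
    return parse_bcrypt(stored).cost < min_cost


# The page's sample hash as one unbroken string.
SAMPLE = "$2y$10$gZiSFGX.BC/WOoctszVci.cGaOMVthB/X7.4734Xco7mofg38M8Q6"

if __name__ == "__main__":
    h = parse_bcrypt(SAMPLE)
    print(h.variant, h.cost, h.rounds, h.salt.hex(), h.digest)
```

A string with whitespace inside it, as a copy-paste can produce, fails the length check rather than being compared as if it were a valid hash.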
What about DNS leaking, DNS hijacking and IPv6 leaking?
Maybe you've heard about these; WifiMask is not vulnerable to them.
DNS servers translate the domain name of a website, like wifimask.com, into an IP address, because web servers are only reachable at an IP address in the end. DNS leaking happens when you enter a domain name in your browser and the request for translation into an IP address is not redirected over the encrypted connection.
This means your government spy hiding in the toilet, but still within reach of the public Wi-Fi signal, can see which websites you are visiting and make educated guesses about your interests and weaknesses to make you say things later when waterboarding.
WifiMask protects you from this by redirecting this type of traffic through the WifiMask encrypted tunnel so you can maintain your flawless image and deny everything.
DNS hijacking happens when the grandma in the corner is able to act as your DNS server on the Wi-Fi network, redirecting your website visits to servers under her control, probably containing (grand)malware, impersonating your banking website to complete her retirement income, or injecting funny ads in your browser about false teeth, just for a laugh.
WifiMask protects you from this grandma by configuring the WifiMask router as your DNS server, bypassing the grandma's DNS server. Give her the thumbs up to let her know everything is fine.
IPv6 leaking is not a sexual disease either and happens when only IPv4 traffic is redirected over a secure connection, and not IPv6 traffic. Today more and more websites are accessible over IPv6, the new internet addressing mechanism, because IPv4 is running out of numbers. At the same time most browsers, if not all, prefer IPv6 over IPv4. So when you are applying for a job as a CIA agent on the IPv6 website cia.gov on a public Wi-Fi without a WifiMask connection, this secret news will spread fast and reach terrorist organisations before you are even invited to the job interview.
WifiMask protects you from this by enabling and redirecting IPv6 traffic over its secure encrypted connection by default. This way you can show your face connected to your body at the job interview. This also means you are always able to access IPv6-only websites, even at locations where your internet provider is only IPv4 capable, because you get an IPv6 address from us over the secure connection.