10 Dec 16 – Public Wi-Fi is dangerous
December 9, 2016 at 5:38 PM #5109
Particularly during this holiday season!
December 10, 2016 at 10:35 AM #5111
But great for anonymity 🙂
December 10, 2016 at 1:42 PM #5130
OK, I will change my behavior on public WiFis. Question: Is anything safe on a public Wifi? If so, what? Thanks for being there, guys.
December 10, 2016 at 1:50 PM #5132
I wouldn’t worry too much. The more people using it, the more likely a malicious individual is present. So a small restaurant is probably safer than an airport. If you’re logging into (or logged into) a website, be sure the URL begins with https (note the “s” at the end) so any personal data sent is encrypted. If you’re just browsing the web and not logged in anywhere, that is safe (assuming you don’t care about someone possibly knowing what sites you visited).
December 10, 2016 at 3:30 PM #5136
Just use a VPN.
December 10, 2016 at 4:40 PM #5139
DocSmith – anything that doesn’t involve private information – looking something up on Google, checking movie times, etc. should be safe.
December 13, 2016 at 6:31 PM #5142
For more information on this topic, you may wish to read the article posted over at c|net by Laura Hautala.
I’d like to present an opposing viewpoint. I don’t think public Wi-Fi is substantially more dangerous than being on your own home Internet connection. If you’re performing sensitive operations without encryption, it doesn’t matter if that link is your home or public Wi-Fi, it’s still equally dangerous and dumb. The medium doesn’t change anything, if you’re banking, filling out your tax report, or accessing your online email (e.g. Gmail) without encryption/HTTPS, you’re doing it wrong. If you’re doing any of those things (or anything sensitive), and you get a certificate warning, do not proceed, it’s likely the Wi-Fi operator is mounting MitM attacks. (And again, really applies to usage at home too.) You should be keeping your device (tablet, phone, laptop, etc.) and apps up-to-date anyway, and that will handle the case of attackers gaining a beachhead on your device due to a vuln in your OS or apps. If you’re really worried that your home router is providing some sort of firewalling that your host itself can’t, there are often alternatives you can put on your host, such as ufw and/or AppArmor for Linux, or ZoneAlarm for MS Windows. If you’re really uncomfortable with even your IP metadata being revealed, you can minimize that by subscribing to an encrypted tunnelling service such as Tunnel Bear.
Unreasonable T&C, we really can’t do anything about. Again, if you’re genuinely concerned, you can take the time to read them and refuse to partake if you see something like “we reserve the right to tap your emails and brick your mobile.” What I’d really like to see is legislation which enacts a common set of rules and which also specifies that any additional rules of a specific operator are null and void. That would eliminate all these per-operator agreements which take substantial time to read, so that people wouldn’t have to do that every time.
December 17, 2016 at 1:11 AM #5149
It’s about the potential for a middleman, right? If you’re on public wifi, that could be dozens of strangers. If you’re on your home network, that should be limited to people working at the ISP. Am I missing something?
On a related note, I worry when a hotel gives me a wifi password but doesn’t give me the network name. As if any random person couldn’t just set up their own wifi network and name it something related to the hotel.
December 17, 2016 at 7:00 AM #5153
Your title summarizes it all. From a security standpoint, it’s really only marginally worse. It only takes one compromised router along the way to ruin your day if you’re accessing something sensitive; doesn’t matter if it’s on the same network segment as your device or five hops toward the destination. The only significant difference would be, the guy on the other side of the Starbucks gives you a disapproving look like, Ashley Madison…for realz??? But still, your defense against that is an encrypted tunnel, in which case that same lookey-loo sees only your tunnel broker’s IP address and not that of Ashley Madison. If you’re doing something sensitive like banking, is it really going to matter much whether the other Starbucks patrons see that you bank at KeyBank vs. M&T? You’re going to be under HTTPS anyway so that the contents are known only to M&T and you.
December 22, 2016 at 10:32 PM #5166
If my bank can decipher what I’m sending them, someone else along the way can, too. Obviously my bank or other intended site can exhume my data; I have no doubt that a sniffer along the way can intercept the keys and decrypt as easily as the bank can.
December 23, 2016 at 10:29 AM #5170
Your assertion is fundamentally incorrect. There is only one way to decrypt an encrypted message, and that is to know (or discover) the encryption key. Your bank knows the key, and securely transmits a session key with a protocol such as Diffie-Hellman Key Exchange for example. The only way anyone else can know what’s in that network stream is to reveal that session key, either by cryptanalysis or by guessing. Given properly designed cryptographic algorithms and sufficiently large keys, the chance that anyone else besides your browser and the bank’s server(s) can discover that key is extraordinarily close to zero.
It’s maths. Unless you can break maths, or find an as-yet-undiscovered flaw in the programming, you’re not eavesdropping on anyone’s communication. You will have what amounts to digital noise.
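The key agreement named in the reply above, as an added example that is not part of the original thread: two peers derive the same session key from values a sniffer can see, and a generic discrete-log search (baby-step giant-step) recovers the key only because the modulus here is a constructed 31-bit toy. All names (`P_TOY`, `keypair`, `session_key`, `bsgs_dlog`, `demo`) are hypothetical.

```python
import hashlib
import math
import secrets

P_TOY = 2**31 - 1  # constructed toy modulus (a Mersenne prime); far too small for real use
G = 7              # primitive root modulo P_TOY


def keypair(p, g):
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2  # uniform in 2..p-2
    return x, pow(g, x, p)


def session_key(their_public, my_private, p):
    """Hash the shared secret g^(ab) mod p into a 256-bit session key."""
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def bsgs_dlog(g, h, p):
    """Find x with g^x = h (mod p) in about sqrt(p) steps and sqrt(p) memory."""
    m = math.isqrt(p - 1) + 1
    baby, val = {}, 1
    for j in range(m):                # baby steps: table of g^j
        baby.setdefault(val, j)
        val = val * g % p
    factor = pow(g, -m, p)            # g^(-m) mod p (Python 3.8+)
    gamma = h
    for i in range(m):                # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * factor % p
    return None


def demo():
    a_priv, a_pub = keypair(P_TOY, G)  # browser side
    b_priv, b_pub = keypair(P_TOY, G)  # bank side
    k_browser = session_key(b_pub, a_priv, P_TOY)
    k_bank = session_key(a_pub, b_priv, P_TOY)
    # The sniffer's capture holds only P_TOY, G, a_pub and b_pub.
    recovered = bsgs_dlog(G, a_pub, P_TOY)
    k_sniffer = session_key(b_pub, recovered, P_TOY)
    # About 46,000 steps at 31 bits; the same search needs about 2**1024 at 2048 bits.
    return k_browser == k_bank, k_sniffer == k_browser
```

The exchange by itself resists only passive sniffing; HTTPS also authenticates the server through its certificate, which is why the certificate warning mentioned earlier in the thread matters.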