10 Dec 16 – Public Wi-Fi is dangerous


This topic contains 10 replies, has 6 voices, and was last updated by RChandra 9 months, 3 weeks ago.

Viewing 11 posts - 1 through 11 (of 11 total)
  • #5109
    Nick Francesco
    Keymaster

    Particularly during this holiday season!

    #5111
    Christian
    Participant

    But great for anonymity 🙂

    #5130

    DocSmith
    Participant

    OK, I will change my behavior on public WiFis. Question: Is anything safe on a public Wifi? If so, what? Thanks for being there, guys.

    #5132
    Christian
    Participant

    I wouldn’t worry too much. The more people using it, the more likely a malicious individual is present. So a small restaurant is probably safer than an airport. If you’re logging into (or logged into) a website, be sure the URL begins with https (note the “s” at the end) so any personal data sent is encrypted. If you’re just browsing the web and not logged in anywhere, that is safe (assuming you don’t care about someone possibly knowing what sites you visited).

    #5136

    Larry
    Participant

    Just use a VPN.

    #5139
    Nick Francesco
    Keymaster

    DocSmith – anything that doesn’t involve private information – looking something up on Google, checking movie times, etc. should be safe.

    #5142

    RChandra
    Participant

    For more information on this topic, you may wish to read the article posted over at c|net by Laura Hautala.

    I’d like to present an opposing viewpoint. I don’t think public Wi-Fi is substantially more dangerous than being on your own home Internet connection. If you’re performing sensitive operations without encryption, it doesn’t matter if that link is your home or public Wi-Fi; it’s still equally dangerous and dumb. The medium doesn’t change anything; if you’re banking, filling out your tax report, or accessing your online email (e.g. Gmail) without encryption/HTTPS, you’re doing it wrong. If you’re doing any of those things (or anything sensitive), and you get a certificate warning, do not proceed; it’s likely the Wi-Fi operator is mounting MitM attacks. (And again, really applies to usage at home too.) You should be keeping your device (tablet, phone, laptop, etc.) and apps up-to-date anyway, and that will handle the case of attackers gaining a beachhead on your device due to a vuln in your OS or apps. If you’re really worried that your home router is providing some sort of firewalling that your host itself can’t, there are often alternatives you can put on your host, such as ufw and/or AppArmor for Linux, or ZoneAlarm for MS Windows. If you’re really uncomfortable with even your IP metadata being revealed, you can minimize that by subscribing to an encrypted tunnelling service such as TunnelBear.

    Unreasonable T&C, we really can’t do anything about. Again, if you’re genuinely concerned, you can take the time to read them and refuse to partake if you see something like “we reserve the right to tap your emails and brick your mobile.” What I’d really like to see is legislation which enacts a common set of rules and which also specifies that any additional rules of a specific operator are null and void. That would eliminate all these per-operator agreements which take substantial time to read, so that people wouldn’t have to do that every time.

    #5149
    Christian
    Participant

    “equally dangerous”

    It’s about the potential for a middleman, right? If you’re on public wifi, that could be dozens of strangers. If you’re on your home network, that should be limited to people working at the ISP. Am I missing something?

    On a related note, I worry when a hotel gives me a wifi password but doesn’t give me the network name. As if any random person couldn’t just set up their own wifi network and name it something related to the hotel.

    #5153

    RChandra
    Participant

    Your title summarizes it all. From a security standpoint, it’s really only marginally worse. It only takes one compromised router along the way to ruin your day if you’re accessing something sensitive; doesn’t matter if it’s on the same network segment as your device or five hops toward the destination. The only significant difference would be, the guy on the other side of the Starbucks gives you a disapproving look like, Ashley Madison…for realz??? But still, your defense against that is an encrypted tunnel, in which case that same lookey-loo sees only your tunnel broker’s IP address and not that of Ashley Madison. If you’re doing something sensitive like banking, is it really going to matter much whether the other Starbucks patrons see that you bank at KeyBank vs. M&T? You’re going to be under HTTPS anyway so that the contents are known only to M&T and you.

    #5166

    gmd3006
    Participant

    If my bank can decipher what I’m sending them, someone else along the way can, too. Obviously my bank or other intended site can exhume my data; I have no doubt that a sniffer along the way can intercept the keys and decrypt as easily as the bank can.

    #5170

    RChandra
    Participant

    Your assertion is fundamentally incorrect. There is only one way to decrypt an encrypted message, and that is to know (or discover) the encryption key. Your bank knows the key, and securely transmits a session key with a protocol such as Diffie-Hellman Key Exchange for example. The only way anyone else can know what’s in that network stream is to reveal that session key, either by cryptanalysis or by guessing. Given properly designed cryptographic algorithms and sufficiently large keys, the chance that anyone else besides your browser and the bank’s server(s) can discover that key is extraordinarily close to zero.

    It’s maths. Unless you can break maths, or find an as-yet-undiscovered flaw in the programming, you’re not eavesdropping on anyone’s communication. You will have what amounts to digital noise.
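Added example, not part of the original thread: a Diffie-Hellman exchange of the kind mentioned in the last two posts, showing what a sniffer on the Wi-Fi observes and why key size decides whether guessing works. The two groups, the function names and the guess budget are constructed for illustration; real TLS uses far larger groups or elliptic curves, and authenticates the server with its certificate.

```python
import hashlib
import secrets

# Constructed demo groups (assumptions, not from the thread). Neither is safe
# for real use; they only contrast a guessable key size with a larger one.
TOY_P, TOY_G = 65537, 3           # 17-bit prime: small enough to brute-force
BIG_P, BIG_G = 2**127 - 1, 3      # 127-bit prime: already beyond plain guessing


def keypair(p, g):
    """Pick a private exponent and compute the public value sent over the air."""
    priv = 2 + secrets.randbelow(p - 3)
    return priv, pow(g, priv, p)


def session_key(p, their_public, my_private):
    """Combine the peer's public value with our own private exponent."""
    secret = pow(their_public, my_private, p)
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def sniffer_guess(p, g, public, budget):
    """Eavesdropper's generic option: try exponents until one matches."""
    acc = 1
    for x in range(1, budget + 1):
        acc = acc * g % p
        if acc == public:
            return x
    return None


def exchange(p, g, budget=65536):
    """Run one exchange; return (browser key, bank key, sniffer key or None)."""
    a, A = keypair(p, g)          # browser: a stays local, A is transmitted
    b, B = keypair(p, g)          # bank: b stays local, B is transmitted
    x = sniffer_guess(p, g, A, budget)    # sniffer saw only p, g, A and B
    stolen = session_key(p, B, x) if x is not None else None
    return session_key(p, B, a), session_key(p, A, b), stolen


if __name__ == "__main__":
    for name, (p, g) in {"toy": (TOY_P, TOY_G), "big": (BIG_P, BIG_G)}.items():
        browser, bank, sniffer = exchange(p, g)
        print(name, "| keys match:", browser == bank,
              "| sniffer has key:", sniffer == browser)
```

The exchange on its own is unauthenticated, which is why the certificate check matters: it is what tells the browser that the public value really came from the bank.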
