I'm one of those 82%. The risk is vastly overblown. If you use apps (for e.g. banking), they're already communicating over encrypted connections, and they're not going to accept unknown certificates. They're completely secure. The Google Play Store and the Apple App Store are completely secure. Your browser is going to warn you about certificates that don't match expectations. You have to go out of your way to fall victim to any MITM attack. The risk from a hostile WiFi is pretty close to zero unless you're the kind of person who blindly clicks on links in email you get, and people like that are unsafe in any environment.
No, they are not. They will never be. They might be secure, but not completely. It is true that we are getting safer, but you should not stop thinking about the risks that will never go away.
Just like there certainly are some cities or places you should actually worry about being randomly stabbed, there are some public open access networks that should raise your concerns.
I don't say that you should always be overly concerned when using a wifi. Though, you should pay attention at which wifi you log on and what services you access while doing that.
Do you really need to check you email on a public wifi? If it's not necessary, then just don't do it. It's the small things. Sure you can take this into the extreme (which is never a bad thing in this case), but even if we don't, then we should not teach people that every public wifi is perfectly fine. Please remain thoughtful.
I believe you are very much mistaken. The risk/reward profile of both acts are wildly different: the chances of getting caught while operating a honeypot AP in a public environment are vanishingly small, not so with running around brandishing a knife.
Think of it like gas station card skimmers (where the risk is substantially higher than the rogue AP) where the financial motivation is already enough for some people to try it. I might be a tad cynical on this, but since there's money to be made I bet it happens more often than we hear about.
Your threat model should be localized. There are plenty of places where the threat of stabbing is low, and should not occupy your mind. There are plenty of places where the threat of stabbing is high, and you should be aware of your surroundings.
Likewise, your threat of being preyed upon on an open AP is dependent on what you're doing on that AP. Surfing HN? Who cares. But if I'm checking my bank account balance or touching sensitive info, I'm absolutely going to fire up a vpn first.
> No, they are not. They will never be. They might be secure, but not completely...
You are right in that nothing is ever "completely" secure.
But we take risks ALL THE TIME. In a primitive sense, risk assessment can be thought of as a product...
risk = severity_of_outcome x probability_of_occurence
Just how risky is it to get on a public wifi? What could happen? What does happen? Are there "safe" things you can do on a public wifi? Are we talking about giving up treasure to casual script-kiddies? Or is it only nation-state-actors that we need to worry about, or maybe jealous-obsessive hacker boyfriends? What can happen if I just leave wifi enabled on my phone? What can happen if I connect and do nothing? What are the exploits?
A lot of these things are unclear-- even for "experts" on HN.
In the absence of actual credible stories about the bad things that happen on public wifi, people will DISMISS the risk. Some may choose a more paranoid approach and never use public wifi, but I think that's just about as unreasonable as the opposite.
No. They are an insecure transport, like most of the internet. The majority of high profile sites, services, and apps will now use TLS by default, but this is one of the few edge cases where a reputable VPN provider would help protect end users from poorly secured apps and services. I would trust the VPN folks vetted by Mozilla, but I am biased because I worked at Mozilla for years and have a great deal of trust for the folks there, or for the technical audience at HN I would recommend using one of the cloud service provider templates for standing up your own VPN server.
You should do your initial vpn setup and first connection over a known good secure connection. Good vpn apps also pin certs and will warn you about migrating hosts or unexpected IPs.
It doesn't, it simply protects the transport between the untrusted network location (e.g. coffee shop, airport, or Apartment 23C's unsecured wifi) and your VPN endpoint, which presumably has a suitably "safe" transport.
Without digging into too much detail, or providing a whack of data because I am not writing long form about this and I spent too much time writing comments on HN this morning :P, but my observation has been that the majority of unsecured apps have service endpoints that are deployed in cloud service provider environments, so if you have a VPN end point that terminates inside the same region, then it is highly unlikely that your traffic will hit the Internet before arriving at it's destination. That said, it's TCP/IP, so all it takes is a routing change and all of those assumptions go out the window...
Beyond that, MITM and traffic monitoring is happening all of the time in many network service providers, not all of it's nefarious -- alot of traffic analysis is just sampling to make sure that the network is working well and to understand whats happening. That said, there are many service providers and jurisdictions that opportunistically capture data or modify traffic in flight for purposes other than quality of service (e.g. ISPs injecting advertisements into HTTP traffic, surveillance, etc)
Using a VPN in this way doesn't protect you against those kinds of threats - the value in using a VPN here is about preventing local eavesdroppers from monitoring network metadata that can be used to classify your traffic and track you.
There are many examples, but one clear one is for marginalized people, such as folks from the LGBT community using specific apps (e.g. gay dating apps such Grindr or Growlr) that could out them to a monitoring service while in a jurisdiction or community hostile to them. Having that traffic tunneled safely to a "known safe" destination, e.g. an AWS or GCP instance in a safer region, would provide a measure of protection.
I had a discussion with a colleague about this about a year ago, but I think it would be very awesome to build an open source VPN service that leveraged AWS & GCP VPCs and inter region peering so that it would egress in the same cloud provider regions as destination IP blocks to prevent as much traffic as possible from flowing over the public internet, but I haven't had the time to put into it.
Yes I would mind, but only because I stopped maintaining a list when I stopped working for a browser vendor (Mozilla) and an organization that has an intercepting proxy as a part of it's core product(OpenDNS).
It's not a hard experiment to run, and "mainstream" has different meanings in different locations. Get a femto cell or other remote access point set up an open wireless network in a high traffic area, especially in a place where there is a transit hub, and hang out for several hours.
You could also grab the Alexa top 1 million or Cisco Umbrella top 1 million, and scan them for http endpoints, and work backward from there for sites that don't bounce you to a TLS endpoint.
AFAIK just ProtonVPN right now, but I haven't worked at Mozilla in almost 5 years. Tweet @MozillaSecurity and they will probably point you in the right direction, most of them are super helpful!
I disagree strongly here. We should be encouraging users to take responsibility and agency for their actions. As admins and tech-aware people in our circles, we should be constantly encouraging better habits like typing URIs manually, decreasing the use of search engines for non-search purposes, and trying to spread literacy.
Besides, it's not like we should ever trust a search engine as an authority on anything but the results that bring the host company more money.
Personal responsibility is the main benefit; teaching people to look twice at what they do on the Internet. And frankly speaking, if manual user entry is less secure than software that the user does not own from metal to UI, then we need to upgrade the users, not the Web. Demanding a manual entry means that the user is taking deliberate action, not following whatever some piece of software is telling them to be correct.
Personal responsibility, in and of itself, is not usually considered to be a benefit. It is considered a thing one has to undertake to achieve a benefit.
You seem to be suggesting that if I intend to visit mywebsite.com, that typing "myw", seeing "mywebsite.com", and hitting enter is somehow less deliberate than typing "mywebsit.com" and going to a site that was not my intent.
Given that only the first one of these things reflects my intent, describing the second as deliberate and the first as not-deliberate requires some odd twisting of definitions.
Your fear, it seems to be, is that tools we use might influence how we act. This is nothing new. Stories started to rhyme less when we figured out how to write things instead of memorizing them. That was still probably undoubtedly an improvement. So can you perhaps clarify what specific influences that our tools have might be bad? For example, my browser suggesting "mywatertower.com" instead of "mywebsite.com" because the first paid for a higher position.
That seems a reasonable end state to fear, but I have no reason to believe we're heading that direction. Do you? Is inconveniencing (literally) billions of people and forcing them to take less secure paths to do what they want worth avoiding a possibility that certainly doesn't seem imminent?
To me, it's definitely worth it to "inconvenience" people and demand conscious behavior. With the largest browser vendor being the largest advertising agency and the largest search engine, encouraging anyone to have anything beyond the barest minimum to do with them goes against everything I believe in. Search engines should not be able to intercede in direct Web activity; they should be used for content discovery and nothing else. You should not be able to type three letters and get a full URL unless you personally wrote a macro to do that.
Then again, when users stopped having to specify protocol for every server, that was probably the beginning of the end of deliberate browsing. My fear is really that people take the Web and the Internet as a whole for granted; and I want to see procedures put in place to demand that all users be aware of their actions, what data they share with servers, and all of what's being downloaded to their computer.
I don't like having to remind people that there is no "Cloud", only someone else's computer. And you're saying you trust that other person's machine and security more than your own by storing critical data there. Or pointing out what having one CDN for so much of the Web did last month.
> You should not be able to type three letters and get a full
URL unless you personally wrote a macro to do that.
Should you be unable to drive unless you can, IDK, build an automatic transmission? This point of view reduces, as far as I can tell, to the idea that good user interfaces should only be extended to those privileged with enough expertise to build them themselves.
This requires a level of literacy that most users will never be able to meet, by virtue of most people not having time to learn a programming language since they have other responsibilities.
It's also not clear why you aren't extending this backwards: why is it okay to use a browser I didn't write myself (or at least compile from source)? What about my OS? Do you really expect every user to have full knowledge of their entire system? That puts severe limits on the potential tooling we can use, and goes counter to one of the core ideas of software engineering: abstraction.
> And you're saying you trust that other person's machine and security more than your own by storing critical data there.
Yes, I trust security teams and engineers whose job is security and reliability more so than I trust myself, in much the same way that I'd trust a surgeon to do surgery better than myself. I realize that there's certification/training differences that may be relevant, but in general, the same ideas apply.
Manually typed URIs lack spell check. Google has this built in. The probability of Google not taking you to Chase but some malicious site is far far lower than a typo of a manual url being registered.
I don’t know if you are right, it depends on whether your word “typo” is a typo - itself a very meta thing!
“You typo an address” — well, then, sure. But how did you manage to typo an address that’s exactly where the attacker put their stuff, and the bank didn’t catch them?
Now, if you meant “type”, then NO. Unless the browser includes a certificate authority that gave out a certificate to the attacker for that domain, the browser will flag this “valid” SSL cert.
No, attacker can just MITM your DNS traffic and synthesise lots of typosquats of their own. They can't do the actual bigbank.com or facebook.com domains thanks to various protections like HSTS, but typos are unlikely to have HSTS preload etc, and they can have vast numbers of them at basically zero cost.
Not at all, since the DNS traffic to 1.1.1.1 is still unencrypted and unauthenticated (unless you're using DNSCrypt or similar, or the domain you're looking up uses DNSSEC and you're using a validating resolver).
Things have improved lately, but it wasn’t that long ago that the Chase banking app on iOS did not check the certificate hostname at all, meaning that MITM for the TLS it used was trivial.
There are risks, and fortunately they are reducing.
The risk to individuals is vastly overblown, but if 82% of people connect to any free WiFi they find and 1‰ of those are passing credentials insecurely, an attacker needs to sample on average 1220 people. That's about a hit a day at a busy coffee shop.
So y'all and I don't see a risk, but a malicious actor sees a valid strategy.
My brother uses match.com and he kept getting his credentials stolen. He claimed he had a really good password. It happened every time he made a new account. Came down to using public Wifi. The way match.com did authentication was horrible and some info was in clear text. I didn't believe it, but did a web search at the time and found there were a lot of people in the same boat.
Someone's location also impacts their risk, but generally as long as one isn't in a very dense, high-value-of-information area, the realistic risk that cybercriminals are staked out somewhere like a Starbucks in Topeka, KS waiting to lure people into a MITM is probably less than the actual device getting stolen.
Is it really each app that verifies its own certificate? Or is it relying on an iOS/Android service to verify the chain of trust? I don't know what the UI would look like, but at the time you connect to WiFi couldn't the user unwittingly accept a pushed certificate, functionally similar to the browser add exception button for an invalid certificate warning, but system wide?
I disagree with the comment "go out of your way to fall victim to any MITM attack". If you're trusting employer provided or controlled equipment and haven't personally verified the certificate lists, they totally could MITM your connections without your knowledge if they've already added the exceptions. I know some employers do this, and I know network equipment vendor sales staff have used the ability to MITM employees as an explicit product feature and sales tactic including boasting about the ease with which they can procure faked certs for Google, Microsoft, et al, for this purpose.
I am inclined to believe alot would, since it's easy to, and many users don't understand the implication of doing so. It's simply the button in the way of getting wifi. It's not that users are dumb, it's that the industry has made this a painful footgun that is easy to trigger.
The solution is to raise more public awareness of VPNs, and their benefits.
Also, automating the setup of self-hosted VPNs (like OpenVPN) on a home machine (like a Raspberry Pi plugged into the router) would go a long way. I personally prefer not to use third-party VPN providers, as I don't really know whether I can trust them.
This then just pushes the layer of trust to the developers of the installers.
The OPs point is, at some point in the chain you have to trust someone and in his opinion coffee shops are less likely to want to do bad things with your WiFi connection than VPN providers et al. Which I think is a fair point when you look at the costs of scale. ie it’s easier and cheaper to set up a rogue VPN provider or boobytrapped installer than it is a coffee shop.
Personally though, the reason I don’t connect to random WiFi networks is most of the ones in the UK ask you for your email address. I’d rather rag my mobile data allowance than hand my email address over to 3rd parties.
>Personally though, the reason I don’t connect to random WiFi networks is most of the ones in the UK ask you for your email address. I’d rather rag my mobile data allowance than hand my email address over to 3rd parties.
This is why I have a few spare email addresses that I don't log into. They have no personal information about me (most of these mailboxes were last accessed on computers I don't have anymore or via the public library).
That’s one option and it does make a lot of sense. Sadly free WiFi in the UK has largely been pretty awful. I’ve lost count of the number of times I’ve had a faster mobile connection than (for example) hotel WiFi. So I’ve just given up trying.
That said, things may have improved in the last couple of years...
A VPN just pushes link-layer security off to someone else. Now instead of trusting your coffee shop, you're trusting your VPN vendor. Why a VPN vendor deserves any more trust than your coffee shop is beyond me.
Trusting the link layer is an unnecessary band-aid. It doesn't need to be trusted, and you should always operate with the assumption that it's not trusted. Only trust end-to-end encryption and authentication.
I agree with the first line - with the proviso that there are (IMO) trustworthy third parties that have vetted some VPNs (for example, Mozilla's partnership). I also agree that E2E could resolve a number of issues, but I don't think it's practical or useful advice.
Your second line steps toward security absolutism, since it just pushes out the trust boundary one step further and requires even more technical expertise to be actionable, especially in contrast to using a VPN provider.
The advice to only trust E2E encryption is only useful if you trust both the E2E service provider and the implementation, especially where the service provider owns the only compatible implementations, and the implementation is closed source.
The recent observations that FB could, either willfully, or under coercion, completely undermine their E2E implementation illustrates that, in general, solutions that are user friendly, readily accessible, and operating at scale, are subject to manipulation for economic, law enforcement, or political reasons.
If you can't trust the other end of the E2E implementation, there is nothing a VPN can do to get you closer to trusting them. Of course Facebook has all the requests you sent to them. You sent them! Using a VPN doesn't prevent Facebook from misusing the data they collect on you.
Perhaps using a VPN prevents them from logging your IP address. But they still have your username that you logged in with, your phone's device ID, your session cookies (which were created when you were at home on WiFi), your browser's signature, etc. Again, using a VPN isn't going to stop any of that.
The likely outcome of using a VPN is that Facebook's analytics will know exactly who you are, but their global rate limiter will cut off your access because your IP address is now shared with a thousand other people, some of whom are using a VPN to spam them.
There is still the rest of the internet, like the part between Cloudflare terminating SSL, and the backend on shared hosting, running bare HTTP. Point being that if you're using sites that are lazy about transport security, no VPN will help you.
i used to run a little gig where the free wifi was the gateway, and the access points were a threesome of 802.11 extenders jacked up with an amplifier and labled as per wifi provider.
basically MITM ing the starbucks feed and evesdropping out of prurient curiosity. it was easy and got boring after a while so i stopped. never went beyond snooping, but i could have screwed a lot of people if i was an evil guy.
They haven't opened it up yet because of some changes with the iOS networking side of things. Last update was they were finishing that up over the past/next few weeks.
I find public WiFi without password unhygienic just like the average pub toilet or an internet café Windows XP computer. I might get away fine using them but I always feel a bit dirty afterwards.
Paid for an unlimited 4G plan just to not have to use public WiFi anymore anywhere.
Any security professional who says there's a large _security_ risk when using free wifi has completely lost their marbles.
App stores require apps use https nowadays, and nobody is MITMing https, full stop.
If you want to talk about risks of using public wifi, then privacy should be the topic. DNS queries are not encrypted. Imagine how valuable it would be for a chain like Starbucks to know what websites their customers are looking at while in the store? I don't know if they do that, but it's multiple orders of magnitude more likely than a free wifi access point posing a security risk to end users.
That "nobody" is wrong. Entire governments are MITM'ing all connections. Businesses are interfering as well. So there is a risk, but you have to question risk/reward rates.
Yes: all connections. Both those from public WiFi and from secure wired connections and anything else. Point still stands: there is no extra risk form using a public WiFi as long as your traffic is encrypted.
Any security professional asserting this doesn't know whereof they speak. There are entire product categories of MITM devices ("TLS inspection") for sale. Another poster mentions nation states doing this openly.
Buy aside from many corporations and some nations states, nobody is doing this, full stop.
When it comes to cybercrime, it's a prospect of "how much time & money will it take to make X dollars"
Maybe at one point in the future, purchase of theoretical MITM devices and deploying them in a dragnet of free wifi access points without the FBI finding out will be profitable. But for now, there's much cheaper and more profitable ways to make money criminally.
The OP was correct. Yes TLS inspection exists, but requires a special CA certificate installed on the device. Yes, state actors have compromised CA's. Yes yes yes it's all possible and does happen. No, you're not being MITM'ed when you connect to a restaurant wifi.
If everything needs to be qualified to the millionth degree, with every caveat laid out and explained, we won't have time to discuss interesting things. The OPs comment is correct general advice.
I'm well aware of how inspection works. You are more than welcome to make your own risk evaluations, but you're looking at this through too narrow a lens.
The OP may be sort-of correct for your average first-world facebook-phone user with "nothing to hide", so I kind of agree with your last sentence. But it is way too blithe and unconcerned, and, well, they won't be the first self-described "security expert" who's judgement I find lacking.
Corporate TLS Inspection products rely on each user (or the system administrators) installing the MITM certificate on all corporate systems. Unless users are also installing 'public' root certificates, this is a non-issue. And if users are installing bad root certificates, then a fully closed wifi network will not be very good protection either way.
Now, nation states, which may be able to obtain valid PKI certificates for MITM purposes, are a whole other level of adversary. Still, again, anyone who can do that will probably not be deterred by you using a WPA-PSK2 protected Wi-Fi AP.
So, overall, I don't see what kind of increased security risk you would be exposing yourself to by using public wifi networks.
The point is, that the user has to do explicit action to allow TLS MITM. You cannot MITM until the user allows that, or uses a device that was already configured to allow that.
In corporations, you need to enroll custom CA cert for that - usually done when enrolling devices into MDM, or when joining domain - you cannot MITM random devices.
For nation states, they started to require the custom CA cert as well via legislation, see the recent Kazakhstan story.
Most free access points have a http endpoint that requires you to 'sign in' first, that is MITM'd and then sslstrip any outbound https requests from there.
SSLStrip does not work for iphone or android apps since HTTPS is explicit.
SSLStrip also does not work for major social networks or financial institutions that implement HTTPS Strict Transfer Policy, which is basically all of them.
The only way you can use SSLStrip nowadays is if you have BofA/whatever phishing links on your wifi portal's home page, which is a pretty hard sell phishing wise.
Why does not having a WiFi password mean that the information must travel unencrypted?
And why is a password enough to encrypt that information, even if said password is written in large letters on a wall for everybody to see?
I'm sure that there are a good technical reasons, but at the same time it seems like there should be a better way to have convenient and safe WiFi networks in public spaces.
I think the answer is that public WiFi hotspots don't have any way of verifying that they are who they say they are, whereas TLS works because you have a trusted third party (the CA) that verifies the keypair.
So, if a WiFi hotspot used something like TLS, the data would be encrypted, but you have to way to verify that you're not going through a malicious third party's hotspot on the way to the public WiFi.
The best security is the one you don't have to educate people about. Today's HTTPS implementations such as HSTS/Preload, DoT/DoH, etc can thwart most of the dumb attacks easily. In mobile apps, you can even pin a particular certificate and it's pretty much safe from.someone with the network access.
I work on security, and I connect to open wifi networks all the time when I travel. I trust myself to not install random root certs and not ignorant to go past https warnings.
For my own apps, I have HSTS preloaded, proper CSP headers, and don't TLS < 1.2.
I think the point that some of the naysayers here are missing is that while SSL and a VPN aren't _perfect_ security, they're more than enough for Joe NineToFive. They eliminate the vector of a random person running a honeypot network trying to scoop up low-hanging banking credentials. If you have a knowledgable, perhaps state-level adversary trying to get you in particular, then yes, connecting to random hotspots is probably not a great idea, but you either already knew that or were compromised long ago.
Because the alternative is no wifi. Give me a more secure option, I'd take that. Otherwise, I'm gonna trust TLS does it's job. I know there could be a "heartbleed" zero-day out there, but beats no internet at all.
101 comments
[ 3.0 ms ] story [ 168 ms ] threadNo, they are not. They will never be. They might be secure, but not completely. It is true that we are getting safer, but you should not stop thinking about the risks that will never go away.
Do you really need to check you email on a public wifi? If it's not necessary, then just don't do it. It's the small things. Sure you can take this into the extreme (which is never a bad thing in this case), but even if we don't, then we should not teach people that every public wifi is perfectly fine. Please remain thoughtful.
Likewise, your threat of being preyed upon on an open AP is dependent on what you're doing on that AP. Surfing HN? Who cares. But if I'm checking my bank account balance or touching sensitive info, I'm absolutely going to fire up a vpn first.
But we take risks ALL THE TIME. In a primitive sense, risk assessment can be thought of as a product...
Just how risky is it to get on a public wifi? What could happen? What does happen? Are there "safe" things you can do on a public wifi? Are we talking about giving up treasure to casual script-kiddies? Or is it only nation-state-actors that we need to worry about, or maybe jealous-obsessive hacker boyfriends? What can happen if I just leave wifi enabled on my phone? What can happen if I connect and do nothing? What are the exploits?A lot of these things are unclear-- even for "experts" on HN.
In the absence of actual credible stories about the bad things that happen on public wifi, people will DISMISS the risk. Some may choose a more paranoid approach and never use public wifi, but I think that's just about as unreasonable as the opposite.
pretty sure you get 50% success rate
No. They are an insecure transport, like most of the internet. The majority of high profile sites, services, and apps will now use TLS by default, but this is one of the few edge cases where a reputable VPN provider would help protect end users from poorly secured apps and services. I would trust the VPN folks vetted by Mozilla, but I am biased because I worked at Mozilla for years and have a great deal of trust for the folks there, or for the technical audience at HN I would recommend using one of the cloud service provider templates for standing up your own VPN server.
My understanding is a MITM attack can happen between your VPN provider and the service, just like it may work on the wifi point.
Without digging into too much detail, or providing a whack of data because I am not writing long form about this and I spent too much time writing comments on HN this morning :P, but my observation has been that the majority of unsecured apps have service endpoints that are deployed in cloud service provider environments, so if you have a VPN end point that terminates inside the same region, then it is highly unlikely that your traffic will hit the Internet before arriving at it's destination. That said, it's TCP/IP, so all it takes is a routing change and all of those assumptions go out the window...
Beyond that, MITM and traffic monitoring is happening all of the time in many network service providers, not all of it's nefarious -- alot of traffic analysis is just sampling to make sure that the network is working well and to understand whats happening. That said, there are many service providers and jurisdictions that opportunistically capture data or modify traffic in flight for purposes other than quality of service (e.g. ISPs injecting advertisements into HTTP traffic, surveillance, etc)
Using a VPN in this way doesn't protect you against those kinds of threats - the value in using a VPN here is about preventing local eavesdroppers from monitoring network metadata that can be used to classify your traffic and track you.
There are many examples, but one clear one is for marginalized people, such as folks from the LGBT community using specific apps (e.g. gay dating apps such Grindr or Growlr) that could out them to a monitoring service while in a jurisdiction or community hostile to them. Having that traffic tunneled safely to a "known safe" destination, e.g. an AWS or GCP instance in a safer region, would provide a measure of protection.
I had a discussion with a colleague about this about a year ago, but I think it would be very awesome to build an open source VPN service that leveraged AWS & GCP VPCs and inter region peering so that it would egress in the same cloud provider regions as destination IP blocks to prevent as much traffic as possible from flowing over the public internet, but I haven't had the time to put into it.
It's not a hard experiment to run, and "mainstream" has different meanings in different locations. Get a femto cell or other remote access point set up an open wireless network in a high traffic area, especially in a place where there is a transit hub, and hang out for several hours.
You could also grab the Alexa top 1 million or Cisco Umbrella top 1 million, and scan them for http endpoints, and work backward from there for sites that don't bounce you to a TLS endpoint.
Does mozilla have a list of "vetted" VPNs? I'm interested in seeing that list.
Besides, it's not like we should ever trust a search engine as an authority on anything but the results that bring the host company more money.
It's undoubtedly less secure and it's upside is...what exactly?
You seem to be suggesting that if I intend to visit mywebsite.com, that typing "myw", seeing "mywebsite.com", and hitting enter is somehow less deliberate than typing "mywebsit.com" and going to a site that was not my intent.
Given that only the first one of these things reflects my intent, describing the second as deliberate and the first as not-deliberate requires some odd twisting of definitions.
Your fear, it seems to be, is that tools we use might influence how we act. This is nothing new. Stories started to rhyme less when we figured out how to write things instead of memorizing them. That was still probably undoubtedly an improvement. So can you perhaps clarify what specific influences that our tools have might be bad? For example, my browser suggesting "mywatertower.com" instead of "mywebsite.com" because the first paid for a higher position.
That seems a reasonable end state to fear, but I have no reason to believe we're heading that direction. Do you? Is inconveniencing (literally) billions of people and forcing them to take less secure paths to do what they want worth avoiding a possibility that certainly doesn't seem imminent?
Then again, when users stopped having to specify protocol for every server, that was probably the beginning of the end of deliberate browsing. My fear is really that people take the Web and the Internet as a whole for granted; and I want to see procedures put in place to demand that all users be aware of their actions, what data they share with servers, and all of what's being downloaded to their computer.
I don't like having to remind people that there is no "Cloud", only someone else's computer. And you're saying you trust that other person's machine and security more than your own by storing critical data there. Or pointing out what having one CDN for so much of the Web did last month.
Should you be unable to drive unless you can, IDK, build an automatic transmission? This point of view reduces, as far as I can tell, to the idea that good user interfaces should only be extended to those privileged with enough expertise to build them themselves.
This requires a level of literacy that most users will never be able to meet, by virtue of most people not having time to learn a programming language since they have other responsibilities.
It's also not clear why you aren't extending this backwards: why is it okay to use a browser I didn't write myself (or at least compile from source)? What about my OS? Do you really expect every user to have full knowledge of their entire system? That puts severe limits on the potential tooling we can use, and goes counter to one of the core ideas of software engineering: abstraction.
> And you're saying you trust that other person's machine and security more than your own by storing critical data there.
Yes, I trust security teams and engineers whose job is security and reliability more so than I trust myself, in much the same way that I'd trust a surgeon to do surgery better than myself. I realize that there's certification/training differences that may be relevant, but in general, the same ideas apply.
“You typo an address” — well, then, sure. But how did you manage to typo an address that’s exactly where the attacker put their stuff, and the bank didn’t catch them?
Now, if you meant “type”, then NO. Unless the browser includes a certificate authority that gave out a certificate to the attacker for that domain, the browser will flag this “valid” SSL cert.
There are risks, and fortunately they are reducing.
A VPN is still a good idea.
So y'all and I don't see a risk, but a malicious actor sees a valid strategy.
I disagree with the comment "go out of your way to fall victim to any MITM attack". If you're trusting employer provided or controlled equipment and haven't personally verified the certificate lists, they totally could MITM your connections without your knowledge if they've already added the exceptions. I know some employers do this, and I know network equipment vendor sales staff have used the ability to MITM employees as an explicit product feature and sales tactic including boasting about the ease with which they can procure faked certs for Google, Microsoft, et al, for this purpose.
Places of business ... Yeah I guess I do that, and really, I've no idea if that is actually that business's wi-fi.
Granted I run a VPN at nearly all times anyway.
The solution is to raise more public awareness of VPNs, and their benefits.
Also, automating the setup of self-hosted VPNs (like OpenVPN) on a home machine (like a Raspberry Pi plugged into the router) would go a long way. I personally prefer not to use third-party VPN providers, as I don't really know whether I can trust them.
The OPs point is, at some point in the chain you have to trust someone and in his opinion coffee shops are less likely to want to do bad things with your WiFi connection than VPN providers et al. Which I think is a fair point when you look at the costs of scale. ie it’s easier and cheaper to set up a rogue VPN provider or boobytrapped installer than it is a coffee shop.
Personally though, the reason I don’t connect to random WiFi networks is most of the ones in the UK ask you for your email address. I’d rather rag my mobile data allowance than hand my email address over to 3rd parties.
This is why I have a few spare email addresses that I don't log into. They have no personal information about me (most of these mailboxes were last accessed on computers I don't have anymore or via the public library).
That said, things may have improved in the last couple of years...
Trusting the link layer is an unnecessary band-aid. It doesn't need to be trusted, and you should always operate with the assumption that it's not trusted. Only trust end-to-end encryption and authentication.
Your second line steps toward security absolutism, since it just pushes out the trust boundary one step further and requires even more technical expertise to be actionable, especially in contrast to using a VPN provider.
The advice to only trust E2E encryption is only useful if you trust both the E2E service provider and the implementation, especially where the service provider owns the only compatible implementations, and the implementation is closed source.
The recent observations that FB could, either willfully, or under coercion, completely undermine their E2E implementation illustrates that, in general, solutions that are user friendly, readily accessible, and operating at scale, are subject to manipulation for economic, law enforcement, or political reasons.
Perhaps using a VPN prevents them from logging your IP address. But they still have your username that you logged in with, your phone's device ID, your session cookies (which were created when you were at home on WiFi), your browser's signature, etc. Again, using a VPN isn't going to stop any of that.
The likely outcome of using a VPN is that Facebook's analytics will know exactly who you are, but their global rate limiter will cut off your access because your IP address is now shared with a thousand other people, some of whom are using a VPN to spam them.
There is still the rest of the internet, like the part between Cloudflare terminating SSL, and the backend on shared hosting, running bare HTTP. Point being that if you're using sites that are lazy about transport security, no VPN will help you.
Is there a technical reason for not having access points that are secure/encrypted and open?
HTTPS is able to do protocol negotiation in the open, then provide a secure channel. Why is there no such thing at the WiFi link layer?!
I found some discussion at https://security.stackexchange.com/questions/35867/why-isnt-... and https://security.stackexchange.com/questions/149422/why-isnt... , with wildly varying answers.
Paid for an unlimited 4G plan just to not have to use public WiFi anymore anywhere.
App stores require apps use https nowadays, and nobody is MITMing https, full stop.
If you want to talk about risks of using public wifi, then privacy should be the topic. DNS queries are not encrypted. Imagine how valuable it would be for a chain like Starbucks to know what websites their customers are looking at while in the store? I don't know if they do that, but it's multiple orders of magnitude more likely than a free wifi access point posing a security risk to end users.
No: there are exceptions apps can apply for.
> nobody is MITMing https
Kazakhstan is by forcing you to install their certificate to get online.
How about my company?
However that same security professional better be complaining about home/corporate WIFI.
Any security professional asserting this doesn't know whereof they speak. There are entire product categories of MITM devices ("TLS inspection") for sale. Another poster mentions nation states doing this openly.
Buy aside from many corporations and some nations states, nobody is doing this, full stop.
Maybe at one point in the future, purchase of theoretical MITM devices and deploying them in a dragnet of free wifi access points without the FBI finding out will be profitable. But for now, there's much cheaper and more profitable ways to make money criminally.
If everything needs to be qualified to the millionth degree, with every caveat laid out and explained, we won't have time to discuss interesting things. The OPs comment is correct general advice.
The OP may be sort-of correct for your average first-world facebook-phone user with "nothing to hide", so I kind of agree with your last sentence. But it is way too blithe and unconcerned, and, well, they won't be the first self-described "security expert" who's judgement I find lacking.
Now, nation states, which may be able to obtain valid PKI certificates for MITM purposes, are a whole other level of adversary. Still, again, anyone who can do that will probably not be deterred by you using a WPA-PSK2 protected Wi-Fi AP.
So, overall, I don't see what kind of increased security risk you would be exposing yourself to by using public wifi networks.
"Nobody can open this lock, full stop." "...well, except for nation states, and people who can touch it."
For nation states, they started to require the custom CA cert as well via legislation, see the recent Kazakhstan story.
Not true: https://tools.kali.org/information-gathering/sslstrip
Most free access points have a http endpoint that requires you to 'sign in' first, that is MITM'd and then sslstrip any outbound https requests from there.
SSLStrip also does not work for major social networks or financial institutions that implement HTTPS Strict Transfer Policy, which is basically all of them.
The only way you can use SSLStrip nowadays is if you have BofA/whatever phishing links on your wifi portal's home page, which is a pretty hard sell phishing wise.
And why is a password enough to encrypt that information, even if said password is written in large letters on a wall for everybody to see?
I'm sure that there are a good technical reasons, but at the same time it seems like there should be a better way to have convenient and safe WiFi networks in public spaces.
So, if a WiFi hotspot used something like TLS, the data would be encrypted, but you have to way to verify that you're not going through a malicious third party's hotspot on the way to the public WiFi.
> And why is a password enough to encrypt that information, even if said password is written in large letters on a wall for everybody to see?
I work on security, and I connect to open wifi networks all the time when I travel. I trust myself to not install random root certs and not ignorant to go past https warnings.
For my own apps, I have HSTS preloaded, proper CSP headers, and don't TLS < 1.2.
SSL != trust