Ask HN: Is Public WiFi Dangerous?
- Man-in-the-middle attacks: thwarted by certificate authority checking by the browser and/or certificate pinning in mobile apps. Browser will not let you advance if the certificate is invalid. - Replay attacks: OAuth tokens expire and good sites will use nonces. - Packing sniffing on open networks: thwarted by TSL over http and encrypted traffic (unless you have a root certificate installed). - DNS lookups are somewhat plaintext, but now started to be done over https. Even then, attackers would know what you're connected to, but not what you are saying. - Port scanning/direct attacks: Firewalls by default lock down ports and well-patched machines prevent this - Email (SMTP) and other protocols: are all encrypted as well to prevent snooping.
Is using public Wifi actually dangerous? If so, what's the attack vector?
143 comments
[ 3.4 ms ] story [ 206 ms ] threadMy personal preference would be to just use a VPN when on any untrusted network. At least then you only have to worry about the security of one "site," more or less. And of course your own open ports.
Most of the "shame on public WiFi" comes from VPN companies, which are just trying to fearmonger into a sale. Sure, DNS over HTTPs isn't as widespread as it should be. Sure, some websites aren't encrypted, still. But that doesn't mean that routing all of your insecure traffic to a VPN provider so they can handle it instead is going to increase your security. It just moves the threat model from "your public WiFi network and people on it" to the VPN provider.
If you really want to be safe, you could run your own VPN with algo (https://github.com/trailofbits/algo) or manually setup WireGuard and route traffic e.g., back to your home ISP, instead. That's probably my best suggestion, rather than using any of the cliche VPN providers that advertise everywhere.
Is there a source confirming this, or is this just speculation?
I would call that a half-truth. When I was a kid (in the early 2000's) it was exceptionally easy to crack public wifi networks. A lot of that had to do with misconfiguration and every company scrambling to create public wifi APs. It makes sense that these memories and experiences live on and have become slogans of companies vying for privacy.
Once I figured out packet injection (before cellphones) I actually cracked some random company WEP in a parking lot when my friends and I got lost in order to look up directions.
Nowadays things are a lot less fun. :(
I remember buying a network adapter with packet injection capabilities SPECIFICALLY for this haha
Driver support for packet injection in Kali Linux is fantastic now, making it easy to spray de-auth packets with most hardware and capture your auth packets without having to wait.
I tested out Hashcat recently with my GTX 1060 (a modest card), and could burn through 170k WPA2 hashes a second. That's a long way from brute force, but doable for most wordlist attacks.
But you're not a kid anymore and nowadays it's way harder to crack public wifi networks.
Fearmongering by VPN vendors is very real.
I wouldn't have a problem browsing my home banking on a public wifi network. Everything is tls-encrypted, my browser can do dns-over-https, and anything important (including the login) requires me to enter an one-time code from my non-smart token.
And by the way, on a public wifi you might be pray of the occasional wifi attacker where as if you're using a vpn from a vpn vendor you're by definition giving all your traffic to a company whose main specialty is networking, usually under the vague promise not to log your traffic.
This may be because public wifi networks are public, which means they're open, which means there's no wifi password or encryption. Cracking a public wifi network takes all the effort of merely joining the wireless network with a mobile device.
*where instead of returning the proper "name not found" DNS error, the recursive server redirects to a site owned by the provider to show ads. Not to be confused with typo squatting where domain speculators register domains showing ads hoping people mistype URLs.
What usually happens these days is a redirect to the HTTPS site, but that first request can still be attacked.
[Kind of a plug: I made a test for this in my tool, DomainProactive (https://domainproactive.com). I would appreciate feedback on this kind of error.]
should be the default.
This is why an https only mode is important. In Firefox it can be enabled somewhere in the settings.
[1]: https://blog.chromium.org/2021/03/a-safer-default-for-naviga...
Many devices include ipsec hardware acceleration, while wireguard ciphers are purely in software. With your typical Ubiquiti or Mikrotik device you can have much more performant connection encrypted with aes+sha than with chacha+poly.
This led to serious vulnerabilities and backdoors.
> while wireguard ciphers are purely in software
This is a feature, not a bug. It's quite difficult to trust commercial routers.
> you can have better performance with ipsec than with wireguard
Citation needed. Modern CPUs are very cost-efficient at this.
This is a matter of implementation; not whether the implementation is in hw or sw. Do you have any examples, where there was a such issue for example in Cavium Octeon (used by Ubiquiti in their USG routers), Qualcomm IPQ-xxx or Marvel Armada SOCs (used by multitude of other vendors)?
> This is a feature, not a bug. It's quite difficult to trust commercial routers.
It is difficult to trust many routers; even if they are open source, their maintenance might be not exactly transparent.
> Citation needed. Modern CPUs are very cost-efficient at this.
Typical routers do not have desktop or server class modern CPU. They run on 700-1400 Mhz, and they are busy with things like firewall rules (why do you thing that Fasttrack on Mikrotiks exists?) or, when a beefier CPU is available, with BGP. You can test it for yourself and see, that with hw accelerated AES and SHA you can saturate your available bandwidth and with Wireguard you can saturate only a fraction (unless you have low enough bandwidth...).
[1] - The community fork at least. Upstream is no longer updated: https://github.com/subspacecommunity/subspace
But there are still tons of sites with their own IPs, or pool of IPs, in which case seeing the destination IP will reveal what domain you're visiting with no need to observe DNS traffic or SNI. i.e. 199.232.125.140 is Reddit and only Reddit. If you visit https://199.232.125.140 you get an error that the cert is for *.reddit.com.
If your goal is to prevent your network operator from seeing even the domains you're accessing, encrypted DNS + encrypted SNI helps but doesn't get you all the way there. A VPN (or Tor) is the only true solution there. However I imagine this is a relatively uncommon need, at least for most people on HN.
https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an... https://news.ycombinator.com/item?id=28103770
100% of what I have been doing for years.
[1] https://news.ycombinator.com/item?id=21712280
[0]: https://github.com/trailofbits/algo
[1]: https://pivpn.io/
I just learned about Algo but have been a long time user of PiVPN (from when they only supported OpenVPN!) on my Raspberry Pi, so in the case that I wanted to reinstall the server, I wonder if the change would bring something new to the table.
Unless you've manually specified them in your network/adapter settings, which means they won't be taken from the DHCP lease.
The question is, is it dangerous enough to:
- Use a VPN? Yes, if the VPN is free, trustworthy, and not blocked by the wifi.
- Not use the Wifi, and instead pay for data/roaming? Nah.
- Tell lay users that "avoiding public wifi" is one of the top things they should do to stay secure online? Hell no. User attention is expensive, and wifi is relatively safe.
"I don't use public wifi without a VPN" is the new "I never click links in email." It's something semi-technical users say to show off how much less pleasant their online experience is for no particularly good reason. ;)
But I'm being a bit tongue in cheek--most users are not going to want to set up Algo. And you're right that otherwise, the VPN is probably as sketchy as the wifi itself.
a) I'm traveling b) I remember to turn it on c) I'm not blocked by the wifi (which is common)
IOW, while Algo is great, and I'm pretty paranoid, "distrusting public wifi" is sufficiently far down my personal threat model stack rank that I don't really care about it much.
I agree with most of your points; I'd just like to say that I'd never trust a "free VPN"... (Outside of "it's free since I host it".) I'd put most of my effort into vetting which VPN is best audited/trustworthy.
As an aside, the other big threat that sidesteps HTTPS certificate validation would be for the attacker to only serve HTTP. The browser will call this out in the URL bar at least. This can be mitigated by sites sending HSTS headers (forcing you to use HTTPS for future connections), but this isn't necessary universal. And requires having visited the site earlier on a "safe" network.
They actually wrote an article explaining how/why it's free: https://blog.windscribe.com/free-vpn-myths-debunked-70a0aa46...
Obviously do your own research.
And browsers are starting to offer HTTPS-by-default mode where the browser just interprets HTTP as HTTPS (in links, in bookmarks, almost everywhere) and if the HTTPS server won't accept the connection you get a full-page interstitial where you can choose to let it go for one site that doesn't have HTTPS if you're comfortable with that.
Do I trust ProtonVPN’s free tier less than I trust a random access point named (say) “NYC Free WIFI”? I would say no: I know who ProtonVPN is, and I’m only trusting them, not all their other users.
I agree a lot of free VPNs are shady as fuck, but free tiers from reputable companies are reasonable, and if anything may be more trustworthy than your home ISP.
That said, I think this is a bit too absolute. ProtonVPN has a free tier, for example, and they’re seemingly a legit company (who make their money from the paid tier). I would not disrecommend ProtonVPN—it’s probably as or more trustworthy than most free public wifi.
But the same argument for public wifi applies to VPNs: you shouldn’t be that worried, because important things don’t rely on network trust anyway.
Using dyndns service on my domain so that I can refresh a subdomain to always point home.
You're right that progress has been made on most of the attack vectors, but as you point out, DNS lookups are still often done in plaintext. CT and pinning help, but not every site does it yet. Not all protocols are TLS yet, and of those that are, some are vulnerable to downgrade attacks (including SMTP).
It's definitely safer than it was, but there are still enough potential pitfalls that I'd avoid it for anything important - or at least use a tunnel. Besides, 4g is usually better anyway.
But I think you're largely correct. If I'm on wi-fi that I trust less than my VPN provider of choice, I use the VPN. And then I move on and live my life.
If you're concerned about privacy, your cell providers is _way_ more likely to be mining your data for resell unless you live in a country where that is prohibited.
I wouldn't blame you for just accepting the risk, situationally I might do the same, but it _is_ a risk.
Funnily enough, I checked and the domain is available, so I guess such an attack is harder than I thought :D
There's quite a jump from "I used the WiFi in that new coffee shop" to "And also I let them replace all my bookmarks" and unless I missed something big it feels like you might just as well approach such gullible customers and ask for their bank login details to make buying coffee easier.
Cyber crims are financially motivated and today there are far easier/lower risk options for hackers. Just look at the people who lose 6 figure crypto balances to automated twitter scams or fake crypto celeb live-stream stream replays.
If I was going to worry about a network in this scenario, it'd be the cellular network used for SMS if you have the misfortune of having any accounts where that's the only MFA option.
source : I go in coffee shops and scan the networks.
But being connected to a wi-fi network isn't a requirement to sniff wireless traffic. It's possible to also monitor traffic, and AFAIK an APs internal ACL won't matter much in that regard.
There are some attacks on the browser like trying to strip the ssl in a way that the browser will not complain or trying to catch an unencrypted something or another.
But you also have other things like mitming software updates for other applications, OS misconfigurations.
I'd say overall less dangerous but still somewhat dangerous.
Android [can] have better defenses than a Windows laptop:
- Android has MAC randomization.
- The Bromite fork of Chrome has DNS-over-HTTPS options in settings (I think Chrome requires a command line option to configure DoH, but I don't use Chrome so I'm not sure). ISPs hate DoH. Be aware that non-browser apps will use regular DNS. Some public WiFi blocks DoH (I'm configured for OpenDNS), so be ready to fall back to another browser using regular DNS.
- Bromite has an option to always check for https - enable it.
- Tor Browser is a bit easier to get on Android.
- SMTP has an opportunistic TLS exchange that can be thwarted, so I wouldn't use it.
- For me, I would wipe the stock OS off the device and run Lineage de-Googled.
That's good advice for going online in general but nothing about public wifi makes this particularly more dangerous.
>Android [can] have better defenses than a Windows laptop:
>- Android has MAC randomization.
Windows has that too [1]
>- The Bromite fork of Chrome has DNS-over-HTTPS options in settings (I think Chrome requires a command line option to configure DoH, but I don't use Chrome so I'm not sure). ISPs hate DoH. Be aware that non-browser apps will use regular DNS. Some public WiFi blocks DoH (I'm configured for OpenDNS), so be ready to fall back to another browser using regular DNS.
You are conflating Chromium and Chrome but all Chromium based browser have this under security settings [2]
>- Bromite has an option to always check for https - enable it.
Again this is all Chromium browsers under security settings [2]
>- Tor Browser is a bit easier to get on Android.
Huh? [3]
>- SMTP has an opportunistic TLS exchange that can be thwarted, so I wouldn't use it.
You aren't using SMTP directly from a consumer ISP connection anyways. If the ISP doesn't drop the traffic, the server you are connecting to will probably reject the message as spam.
>- For me, I would wipe the stock OS off the device and run Lineage de-Googled.
Sure that's great if you are privacy conscious but has no bearing on whether public wifi is safe. If anything, one could argue you are slightly less safe since Google tends to be very aggressive about signing and certificate pinning so you could be more more likely to notice if someone is doing an MITM.
[1] https://support.microsoft.com/en-us/windows/how-to-use-rando...
[2] chrome://settings/security
[3] https://www.torproject.org/download/
A busy public WiFi controlled by a hostile party is more likely to engage in port scans and other intrusive probes, so yes, this advice holds extra weight.
Similar issues apply to Tor guard nodes, which would be slightly more dangerous.
...did not know about Microsoft MAC randomization, thanks.
>You are conflating Chromium and Chrome but all Chromium based browser have this under security settings
Brave browser does not implement this URL after a cursory examination. It will be interesting to see if the OpenBSD chromium package offers it.
Tor is in Play and F-Droid. I doubt it is in the Windows store, but I could be wrong.
>You aren't using SMTP directly from a consumer ISP connection anyways. If the ISP doesn't drop the traffic, the server you are connecting to will probably reject the message as spam.
The parent post mentioned SMTP. If the recipient is local and valid, the remote MTA will likely accept for delivery.
>If anything, one could argue you are slightly less safe since Google tends to be very aggressive about signing and certificate pinning
Google has also unquestionably had a caustic and corrosive impact upon privacy in a myriad of realms. They can and do receive subpoenas constantly, and the only way out of their databases is wiping all of their closed-source components from your devices.
I mean if you define the party as hostile then yeah but that also all applies to a non-public network controlled by a hostile party but [Citation Needed] that this is something that people are likely to encounter in the wild. If were at all common it would be pretty noticeable because you'd notice any certificate shenanigans and it wouldn't take that long for a technical person to come along and notice any port scanning. That's before considering that OS's typically have a more aggressive firewall posture on public networks to begin with not making them particularly juicy targets.
>Brave browser does not implement this URL after a cursory examination.
Brave has to be a snowflake but it's just a restyling of the same settings page: brave://settings/security
>Google has also unquestionably had a caustic and corrosive impact upon privacy in a myriad of realms. They can and do receive subpoenas constantly, and the only way out of their databases is wiping all of their closed-source components from your devices.
Security != Privacy and those are frequently completely at odds. It's hard to argue that public wifi is anything but a privacy nightmare but from a purely technical security perspective, I must just shrug at public wifi now.
Hostile guard and exit nodes are free to probe the origin and destination hosts, and this activity is unified on public WiFi. In Tor, they are separate issues on entry to and exit from the network. The issue is the same, and care should be taken. A hostile router will allow exactly this behavior, in both directions.
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-to...
Your Brave URL does not work on my android device, nor is it listed in brave://about and is running v1.36.116.
OpenBSD does have a chrome://settings/security page, but makes no mention of DNS-over-HTTPS, and is currently at 93.0.4577.82 after a "pkg_add -u". I might check the Ubuntu snap later.
If you are compromised by a privacy issue, you are no less compromised than you are by a security issue. Your metadata in Google's systems is an attack surface that, for many people, would not outweigh the security benefits that their aggressive scanning awards.
Before passing any sensitive data over it, you must understand what can be seen, and where.
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-to...
I could count on one hand the number of real black hats actually sitting in random cafes around the world waiting to attack unsuspecting college students writing term papers. It's an unwarranted fear inspired by security people and the media. If you want to hack people, phishing and botnets are so much easier.
Nation states _probably_ have 0click rces they could shoot at you if you’re important enough.
I very much doubt you know what you’re talking about.
For the average Joe, these advanced cyberweapons and backdoors simply aren't going to be used against them. Instead, you're far more likely to come across a call center scam or fake email.
That's pretty much every poster on HN, TBH.
Everyone would be careful to protect their screens from snooping, but a lot of folks would connect to POP mail servers without concern.
Wireshark was hard to run on anything but Linux in those days, and WiFi on Linux could be hard to get stable except on certain hardware, but it could be done.
Today, I don't imagine Wireshark would show you much of interest on a WPA2 WiFi network.
The short answer is no, despite what the VPN sponsor of your favorite YT videos might say. This is actually a good question to ask if you want to assess how up-to-date someone's infosec knowledge is. In a few sentences, you can tell if they're just regurgitating the classic scary myths about public WiFis or have a more nuanced take* that boils down to 'no' (bonus points if they go on a tangent about how cool WiFi deauth attacks are).
* Unlike this comment.
Then you are placing your trust in your VPS provider (unless you are running the VPN on your home network, and then you are trusting your ISP).
At the end of the day you have to trust someone right? (ignoring the can of worms that is TOR). I know my ISP is untrustworthy and salivating over my data. I am unable to easily translate the privacy policies of a VPS provider, but VPN providers are at least explicitly claiming that they don't sell your data.
Unencrypted (password-less) WIFI traffic is trivial to sniff. Decide how much you care about the unencrypted portions of your traffic: SNI headers, HTTP, DNS, flow logs of which IPs you are connecting to, etc.
The main reason seems to just be that some people care about the fact they can see what servers you connect to and what your MAC is, and that people don't always check whether things are encrypted, combined with the historical fact that there used to be plenty of important things that weren't encrypted. Now there's only a few.