Public wifi access point security

All Gurus once were Newbies
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help
GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Public wifi access point security

Postby GS3 » Sun Jul 23, 2017 9:08 am

I am starting this thread prompted by another thread where someone is asking about "locking down" Linux Mint so it cannot be modified by malware which may be acquired by connecting to public wifi access points.

Over the years I have had this discussion many times and I believe there is a lot of misinformation and erroneous beliefs going around. I believe people have an unfounded fear of public access points because "everyone knows they are dangerous" and this mantra just gets repeated without basis. I believe public wifi access points are not as dangerous as most people think and I will explain why.

The entire Internet is, by its very nature, an insecure channel where any server has access to packets which transit it. Anyone who believes otherwise is fooling themselves. When we send a text email that text can be read by any and all servers where it jumps. If it goes through a Russian or Chinese server there is a chance email addresses are being harvested for spam lists. If it goes though American servers there is an even better chance it is being read and analyzed by American authorities. That is just the nature of the Internet.

Using wifi with WPA encryption is pretty secure and not a serious cause for concern. I do not see how I should not trust the owner of the coffee shop any less than the other thousands of anonymous owners and operators of the other internet nodes my packets are transiting.

The Internet is essentially entirely insecure and anyone who believes a coffee shop wifi is "insecure" compared to the "wired" internet has a very serious misunderstanding about security on the "wired" internet.

The way we deal with this insecurity is by the use of encryption and an encrypted packet is protected by the encryption and not because someone has no access to it. If you establish a correctly configured https connection with your bank web site then it should be safe no matter who can see the packets because they have no way of decrypting them without the key.

In summary, if your connection is correctly encrypted you can use any insecure channel because it is the encryption which protects the information.

If your connection is not encrypted then you must assume the information can be read by anyone and you should not send sensitive information unencrypted. You should only send information you do not care about it becoming public.

I see many people paying for VPN services because they believe this somehow allows them to use "insecure" wifi access points securely. The result often is, besides a waste of money, slower and more troublesome connections because they have to establish several levels of security and encryption.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

I2k4
Level 4
Level 4
Posts: 431
Joined: Thu Feb 02, 2012 8:33 pm

Re: Public wifi access point security

Postby I2k4 » Sun Jul 23, 2017 9:39 am

I'd agree it's pretty hard to find ANY hard data as to the actual as opposed to hair-on-fire risk of using public wifi - just googled "statistical risk public wifi" and got nothing but the usual warnings and advice, not supported by any research into the actual chance of being hacked in some way. I would disagree that most coffee shop hotspots are WPA protected or even require a password login - I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number - and the public login passwords are usually permanent and known to hundreds of people. Even when logged into a firewalled hotspot, there's a question of who else is logged into the same network at the next table.

One of the reasons I dual boot Mint on my laptops is for occasional public wifi use - my guess is the probability of a garden-variety coffee shop hacker knowing anything about or having any tools or malware to hack Linux is dramatically lower than for Windows. If I used public wifi more often I would install the UFW firewall on my own box, and look into a VPN. These days, I'm inclined to think browser-based email or other personal data websites, and identity theft are likely a bigger risk than network eavesdropping or malware installation.
TRUST BUT VERIFY any advice from anybody, including me. Ubuntu / Mint user since 10.04 LTS. M17.3 Cinnamon (Dell 1520). Dual booting M17.3 XFCE / W7 (Acer netbook) and M18.2 Cinnamon / W7 (Lenovo desktop). Testing M18.3 64bit on persistent live USB.

Hoser Rob
Level 9
Level 9
Posts: 2888
Joined: Sat Dec 15, 2012 8:57 am

Re: Public wifi access point security

Postby Hoser Rob » Sun Jul 23, 2017 10:07 am

What rubbish. Almost 1/3 of wifi hotspots have no security. And are you aware of how poorly maintained many hotspots are???

User avatar
Moem
Level 11
Level 11
Posts: 3997
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Public wifi access point security

Postby Moem » Sun Jul 23, 2017 10:32 am

I2k4 wrote: I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sun Jul 23, 2017 11:13 am

Hoser Rob wrote:What rubbish. Almost 1/3 of wifi hotspots have no security. And are you aware of how poorly maintained many hotspots are???
OK then. Please answer the following questions.

Suppose I establish an encrypted https connection with this site and I log in using my user name and password. Suppose I am doing that over an open wifi and anyone can capture those packets. Do you believe they can get and read the decrypted clear contents? How so? And, if you believe they can, how can the owners and operators of all the other nodes along the way not do the same thing? Please explain the reasoning and process in detail because this is something important and interesting.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 9:54 am

I just saw some ignorant lawyer repeating on TV the same misinformation and it ticks me off because anyone who knows a bit about encryption and security knows how false the "public wifi risk" is but it just keeps being repeated by those who want to pretend they know something and they just repeat what they heard without any understanding of the issues at hand.

For many years knowledgeable experts have given correct information, like AskLeo:
https://askleo.com/how_do_i_use_an_open ... ot_safely/

how_do_i_use_an_open_wifi_hotspot_safely

It can be absolutely safe to send and receive email from a coffee shop, or any other location that provides unsecured or “open” Wi-Fi. In fact, I do it all the time. But you do have to follow some very important practices to ensure your safety.
...
Secure connections - any connection that begins with https instead of http is an encrypted connection. So while your landlord or neighbors might see which sites you are visiting, the data actually sent to or displayed from the web site on an https connection is encrypted. Using an https connection to a service like GMail is one way to secure your email from snooping.
The article is well worth reading in its entirety.

Again, I repeat, WIFI is a very minor aspect of security problems. By telling people to just avoid public WIFIs people get a false sense of security.

Let us assume both client and server are not compromised because then the security problem would be in the compromised machine and not in the communication between them.

A client establishes a https connection with a server. For this to be compromised would require some major fail at very high internet levels. Traffic cannot be redirected to a another fake server without causing a certificate error unless the certificate/key has been stolen or a Certificate Authority has been compromised which would be a huge fail and is certainly not doable by any private party. Maybe American three letter agencies resort to this kind of thing but if they are spying on you then WIFI vulnerability is the least of your problems. https://xkcd.com/538/.

With a properly encrypted connection a packet sniffer can know that the client is sending and receiving packets from a certain server but the packets are encrypted and can only be decrypted by the client and by the server.

If you want to hide even the identity of the servers you are visiting then you can use a VPN service or look into https://en.wikipedia.org/wiki/Onion_routing https://en.wikipedia.org/wiki/Tor_(anonymity_network)
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 10:09 am

Moem wrote:
I2k4 wrote: I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care? He just wanted to use any internet connection to find out a restaurant's phone number and he found it. Why would he care if it was somebody else's WIFI? All he needed was Internet access and he got it.

It's like I asked some guy on the street for directions to a certain restaurant and he gives me directions and I get to the restaurant and then someone tells me "You know that guy you asked for directions? He totally fooled you! Yes, he gave you correct directions to the restaurant but he told you his name is Malcolm when it is really Lewis. He fooled you well!"
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

User avatar
Faust
Level 4
Level 4
Posts: 213
Joined: Thu Jul 14, 2016 3:40 am

Re: Public wifi access point security

Postby Faust » Sat Nov 18, 2017 11:57 am

There is a fair bit of misinformation / misunderstanding in this thread .

You can reduce your attack surface to almost zero , but you will experience some latency .
Expecting to have both speed and security is just plain silly , the same goes for using any public wi-fi without a quality VPN .

What is a quality VPN ?
Well for starters .... one that doesn't spew your IP on reconnect ( if the connection is dropped ) ....
...and a multi-hop capability is the cherry on top !
Many VPN providers make claims about these things but very few of them are valid .

I can post some links on these issues if anyone is interested in further info :)
Last edited by Faust on Sat Nov 18, 2017 12:23 pm, edited 2 times in total.
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

User avatar
Moem
Level 11
Level 11
Posts: 3997
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Public wifi access point security

Postby Moem » Sat Nov 18, 2017 12:04 pm

GS3 wrote:
Moem wrote:
I2k4 wrote: I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care?

Because using wifi offered by random strangers may be unsafe. Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

User avatar
Faust
Level 4
Level 4
Posts: 213
Joined: Thu Jul 14, 2016 3:40 am

Re: Public wifi access point security

Postby Faust » Sat Nov 18, 2017 12:18 pm

Moem wrote: Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.


Arrh ! ... precisely that !
It takes literally minutes to set up a "Man-in-the-Middle" , and there's a bit of kit from a US company that costs a hundred bucks or so ( completely legal BTW )
that will make it simple to do .
Even the dumbest of script-kiddies could do it .
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 12:50 pm

Moem wrote:
GS3 wrote:
Moem wrote:How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care?

Because using wifi offered by random strangers may be unsafe. Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.
You repeat this assertion without supporting it. Can you explain in detail how this would happen?

Suppose I connect to some random network, go to google and search for the address and phone number of some restaurant. What exactly can anyone gain by seeing my unencrypted traffic?

Suppose I now go to my bank website which is using https. All traffic is encrypted. How can anyone along the internet decrypt that traffic? (Answer: they can't)

So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 12:54 pm

Faust wrote:
Moem wrote: Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.
It takes literally minutes to set up a "Man-in-the-Middle"
You realize a "Man in the middle" does not work with https? The client will get a certificate error warning. Of course, some people will ignore the warning but the advice they need is not "do not connect to wifis" but rather "do not be an idiot and ignore warnings".
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

User avatar
Moem
Level 11
Level 11
Posts: 3997
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Public wifi access point security

Postby Moem » Sat Nov 18, 2017 1:25 pm

GS3 wrote:So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?

Don't take my word for it... inform yourself.
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 2:03 pm

Moem wrote:
GS3 wrote:So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?

Don't take my word for it... inform yourself.
It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

In spite of what that page says I do not believe it is possible to do a successful "man in the middle" attack with https without triggering a certificate warning. If this is possible I would like to see proof because it would be a major weakness which I do not believe exists. In any case it would be independent of whether traffic is over wired or WIFI.

Again, can anyone explain by what mechanism encrypted traffic could be decrypted? And why or how it would be unsafe over wifi but safe over the wired network?

We get a lot of unsupported assertions and I'd like to see some explanations, not just repetitions of assertions which are many years out of date.
Last edited by GS3 on Sat Nov 18, 2017 2:07 pm, edited 1 time in total.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

User avatar
Moem
Level 11
Level 11
Posts: 3997
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Public wifi access point security

Postby Moem » Sat Nov 18, 2017 2:06 pm

GS3 wrote: It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

It seems you need to read a little bit further, to the part about malicious hotspots.
Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.

In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi...
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 2:11 pm

Moem wrote:
GS3 wrote: It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

It seems you need to read a little bit further, to the part about malicious hotspots.
Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.

In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi...
Sorry that edited my last post while you posted. Here it goes again:

In spite of what that page says I do not believe it is possible to do a successful "man in the middle" attack with https without triggering a certificate warning. If this is possible I would like to see proof because it would be a major weakness which I do not believe exists. In any case it would be independent of whether traffic is over wired or WIFI.

I believe some weaknesses were found in older versions of ssl but I believe current versions are secure. I will try to find more information on this.

In any case, if ssl is vulnerable then wifi is not the problem as packets traveling over the wires are just as vulnerable.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo

GS3
Level 2
Level 2
Posts: 84
Joined: Fri Jan 06, 2017 7:51 am

Re: Public wifi access point security

Postby GS3 » Sat Nov 18, 2017 2:30 pm

Wikipedia has some information on SSL / TLS : https://en.wikipedia.org/wiki/Transport_Layer_Security

It seems vulnerabilities arise from tricking the browser into reverting to insecure older versions which may be retained for compatibility.

I do not have my Linux machine at hand but I seem to remember Firefox only accepts the latest version and will not use obsolete versions. I seem to remember this can be configured in a long configuration page. I would have to look it up and I do not remember what the default setting is. I forget how to access this configuration page where we can set the protocols the browser will use.

I am pretty sure encrypted traffic on an updated and properly patched machine is as close to unbreakable as it gets.

There is more risk in just having accounts with banks or other sites because, as recent history shows, they are far from invulnerable.

And, again, the fact that it is wifi only adds an infinitesimal risk and you should always assume any traffic you send is public.

By the way, this site, forums.linuxmint.com, gives me a warning that "parts of this page are not secure". I am definitely not posting my bank account information until this is corrected. :)

Edited to add: This page https://support.mozilla.org/es/questions/967266 explains how to configure SSL-TLS versions in Firefox.

I checked my machine and it is set to not accept SSL and to only accept TLS 1.0 and up. I do not know if that is the default or if I set it that way and I do not remember.
HP Compaq Elite 8300 CMT - Linux Mint 18.2 Sonya - Kernel 4.4.0-53-generic X64 - Cinnamon 3.4.4 - Nemo


Return to “Newbie Questions”