Public wifi access point security

[GS3]

I am starting this thread prompted by another thread where someone is asking about "locking down" Linux Mint so it cannot be modified by malware which may be acquired by connecting to public wifi access points.

Over the years I have had this discussion many times and I believe there is a lot of misinformation and erroneous beliefs going around. I believe people have an unfounded fear of public access points because "everyone knows they are dangerous" and this mantra just gets repeated without basis. I believe public wifi access points are not as dangerous as most people think and I will explain why.

The entire Internet is, by its very nature, an insecure channel where any server has access to packets which transit it. Anyone who believes otherwise is fooling themselves. When we send a text email that text can be read by any and all servers where it jumps. If it goes through a Russian or Chinese server there is a chance email addresses are being harvested for spam lists. If it goes though American servers there is an even better chance it is being read and analyzed by American authorities. That is just the nature of the Internet.

Using wifi with WPA encryption is pretty secure and not a serious cause for concern. I do not see how I should not trust the owner of the coffee shop any less than the other thousands of anonymous owners and operators of the other internet nodes my packets are transiting.

The Internet is essentially entirely insecure and anyone who believes a coffee shop wifi is "insecure" compared to the "wired" internet has a very serious misunderstanding about security on the "wired" internet.

The way we deal with this insecurity is by the use of encryption and an encrypted packet is protected by the encryption and not because someone has no access to it. If you establish a correctly configured https connection with your bank web site then it should be safe no matter who can see the packets because they have no way of decrypting them without the key.

In summary, if your connection is correctly encrypted you can use any insecure channel because it is the encryption which protects the information.

If your connection is not encrypted then you must assume the information can be read by anyone and you should not send sensitive information unencrypted. You should only send information you do not care about it becoming public.

I see many people paying for VPN services because they believe this somehow allows them to use "insecure" wifi access points securely. The result often is, besides a waste of money, slower and more troublesome connections because they have to establish several levels of security and encryption.

[I2k4]

I'd agree it's pretty hard to find ANY hard data as to the actual as opposed to hair-on-fire risk of using public wifi - just googled "statistical risk public wifi" and got nothing but the usual warnings and advice, not supported by any research into the actual chance of being hacked in some way. I would disagree that most coffee shop hotspots are WPA protected or even require a password login - I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number - and the public login passwords are usually permanent and known to hundreds of people. Even when logged into a firewalled hotspot, there's a question of who else is logged into the same network at the next table.

One of the reasons I dual boot Mint on my laptops is for occasional public wifi use - my guess is the probability of a garden-variety coffee shop hacker knowing anything about or having any tools or malware to hack Linux is dramatically lower than for Windows. If I used public wifi more often I would install the UFW firewall on my own box, and look into a VPN. These days, I'm inclined to think browser-based email or other personal data websites, and identity theft are likely a bigger risk than network eavesdropping or malware installation.

[Hoser Rob]

What rubbish. Almost 1/3 of wifi hotspots have no security. And are you aware of how poorly maintained many hotspots are???

[Moem]

I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?

[GS3]

What rubbish. Almost 1/3 of wifi hotspots have no security. And are you aware of how poorly maintained many hotspots are???

OK then. Please answer the following questions.

Suppose I establish an encrypted https connection with this site and I log in using my user name and password. Suppose I am doing that over an open wifi and anyone can capture those packets. Do you believe they can get and read the decrypted clear contents? How so? And, if you believe they can, how can the owners and operators of all the other nodes along the way not do the same thing? Please explain the reasoning and process in detail because this is something important and interesting.

[GS3]

I just saw some ignorant lawyer repeating on TV the same misinformation and it ticks me off because anyone who knows a bit about encryption and security knows how false the "public wifi risk" is but it just keeps being repeated by those who want to pretend they know something and they just repeat what they heard without any understanding of the issues at hand.

For many years knowledgeable experts have given correct information, like AskLeo:

https://askleo.com/how_do_i_use_an_open ... ot_safely/

how_do_i_use_an_open_wifi_hotspot_safely

It can be absolutely safe to send and receive email from a coffee shop, or any other location that provides unsecured or “open” Wi-Fi. In fact, I do it all the time. But you do have to follow some very important practices to ensure your safety.
...
Secure connections - any connection that begins with https instead of http is an encrypted connection. So while your landlord or neighbors might see which sites you are visiting, the data actually sent to or displayed from the web site on an https connection is encrypted. Using an https connection to a service like GMail is one way to secure your email from snooping.

The article is well worth reading in its entirety.

Again, I repeat, WIFI is a very minor aspect of security problems. By telling people to just avoid public WIFIs people get a false sense of security.

Let us assume both client and server are not compromised because then the security problem would be in the compromised machine and not in the communication between them.

A client establishes a https connection with a server. For this to be compromised would require some major fail at very high internet levels. Traffic cannot be redirected to a another fake server without causing a certificate error unless the certificate/key has been stolen or a Certificate Authority has been compromised which would be a huge fail and is certainly not doable by any private party. Maybe American three letter agencies resort to this kind of thing but if they are spying on you then WIFI vulnerability is the least of your problems. https://xkcd.com/538/.

With a properly encrypted connection a packet sniffer can know that the client is sending and receiving packets from a certain server but the packets are encrypted and can only be decrypted by the client and by the server.

If you want to hide even the identity of the servers you are visiting then you can use a VPN service or look into https://en.wikipedia.org/wiki/Onion_routing https://en.wikipedia.org/wiki/Tor_(anonymity_network)

[GS3]

I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care? He just wanted to use any internet connection to find out a restaurant's phone number and he found it. Why would he care if it was somebody else's WIFI? All he needed was Internet access and he got it.

It's like I asked some guy on the street for directions to a certain restaurant and he gives me directions and I get to the restaurant and then someone tells me "You know that guy you asked for directions? He totally fooled you! Yes, he gave you correct directions to the restaurant but he told you his name is Malcolm when it is really Lewis. He fooled you well!"

[Faust]

There is a fair bit of misinformation / misunderstanding in this thread .

You can reduce your attack surface to almost zero , but you will experience some latency .
Expecting to have both speed and security is just plain silly , the same goes for using any public wi-fi without a quality VPN .

What is a quality VPN ?
Well for starters .... one that doesn't spew your IP on reconnect ( if the connection is dropped ) ....
...and a multi-hop capability is the cherry on top !
Many VPN providers make claims about these things but very few of them are valid .

I can post some links on these issues if anyone is interested in further info

[Moem]

I recently sat in a parkette near an unprotected Starbucks and used it on my phone to google a nearby restaurant's phone number

How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care?

Because using wifi offered by random strangers may be unsafe. Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.

[Faust]

Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.

Arrh ! ... precisely that !
It takes literally minutes to set up a "Man-in-the-Middle" , and there's a bit of kit from a US company that costs a hundred bucks or so ( completely legal BTW )
that will make it simple to do .
Even the dumbest of script-kiddies could do it .

[GS3]

How do you know that the wifi access point that you used actually was Starbuck's?

Why would he care?

Because using wifi offered by random strangers may be unsafe. Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.

You repeat this assertion without supporting it. Can you explain in detail how this would happen?

Suppose I connect to some random network, go to google and search for the address and phone number of some restaurant. What exactly can anyone gain by seeing my unencrypted traffic?

Suppose I now go to my bank website which is using https. All traffic is encrypted. How can anyone along the internet decrypt that traffic? (Answer: they can't)

So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?

[GS3]

Pretending your machine is the access point for Starbucks, McD and so on is a common tactic used by cybercriminals to get people's login credentials and other sensitive data.

It takes literally minutes to set up a "Man-in-the-Middle"

You realize a "Man in the middle" does not work with https? The client will get a certificate error warning. Of course, some people will ignore the warning but the advice they need is not "do not connect to wifis" but rather "do not be an idiot and ignore warnings".

[Moem]

So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?

Don't take my word for it... inform yourself.

[GS3]

So, I ask again, in what way is "using wifi offered by random strangers may be unsafe" true?

Don't take my word for it... inform yourself.

It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

In spite of what that page says I do not believe it is possible to do a successful "man in the middle" attack with https without triggering a certificate warning. If this is possible I would like to see proof because it would be a major weakness which I do not believe exists. In any case it would be independent of whether traffic is over wired or WIFI.

Again, can anyone explain by what mechanism encrypted traffic could be decrypted? And why or how it would be unsafe over wifi but safe over the wired network?

We get a lot of unsupported assertions and I'd like to see some explanations, not just repetitions of assertions which are many years out of date.

[Moem]

It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

It seems you need to read a little bit further, to the part about malicious hotspots.

Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.

In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi...

[GS3]

It seems you did not read that page because it supports what I said that https is safe. That is the whole point of encrypting traffic.

It seems you need to read a little bit further, to the part about malicious hotspots.

Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.

In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi...

Sorry that edited my last post while you posted. Here it goes again:

In spite of what that page says I do not believe it is possible to do a successful "man in the middle" attack with https without triggering a certificate warning. If this is possible I would like to see proof because it would be a major weakness which I do not believe exists. In any case it would be independent of whether traffic is over wired or WIFI.

I believe some weaknesses were found in older versions of ssl but I believe current versions are secure. I will try to find more information on this.

In any case, if ssl is vulnerable then wifi is not the problem as packets traveling over the wires are just as vulnerable.

[GS3]

Wikipedia has some information on SSL / TLS : https://en.wikipedia.org/wiki/Transport_Layer_Security

It seems vulnerabilities arise from tricking the browser into reverting to insecure older versions which may be retained for compatibility.

I do not have my Linux machine at hand but I seem to remember Firefox only accepts the latest version and will not use obsolete versions. I seem to remember this can be configured in a long configuration page. I would have to look it up and I do not remember what the default setting is. I forget how to access this configuration page where we can set the protocols the browser will use.

I am pretty sure encrypted traffic on an updated and properly patched machine is as close to unbreakable as it gets.

There is more risk in just having accounts with banks or other sites because, as recent history shows, they are far from invulnerable.

And, again, the fact that it is wifi only adds an infinitesimal risk and you should always assume any traffic you send is public.

By the way, this site, forums.linuxmint.com, gives me a warning that "parts of this page are not secure". I am definitely not posting my bank account information until this is corrected.

Edited to add: This page https://support.mozilla.org/es/questions/967266 explains how to configure SSL-TLS versions in Firefox.

I checked my machine and it is set to not accept SSL and to only accept TLS 1.0 and up. I do not know if that is the default or if I set it that way and I do not remember.

[GS3]

I am reviving this old thread because it seems the myth of "public wifis are dangerous" just will not die. Repeat something a million times and it becomes the truth. I just had a discussion with a friend who uses a VPN believing this protects him when using public wifis. The problem is that he is having problems because of the long latency he is being logged out. I tell him to ditch the VPN but he still believes his bank account will be emptied the minute he does that.

VPNs are exploiting this myth to their advantage. I found a video at https://www.youtube.com/watch?v=WVDQEoe6ZWY which is quite informative and supports what I have been saying all along. VPNs are exploiting the fear of the misinformation. An https connection is encrypted and just as safe over any wifi as over any wired connection.

[I2k4]

Funny to see how this old thread progressed on the spurious proposition that my sitting 100 feet from Starbucks and logging in to the one and only Starbucks SSID could likely be a faked hacker trap for the VPN-less unwary. Oh well. I'm only adding to point out that FIrefox now provides (Edit/Settings/General/Network Settings/Settings button/Enable DNS over HTTPS. The setting offers a long list of alternative host services, but defaulting to Mozilla's enforceable legal contract with CloudFlare, which is now a publicly traded US corporation, covering strict conditions on data treatment.)

Security-interested users should do their own homework on DNS over HTTPS and consider their personal use cases, but my experience of the default has been no noticeable impact on browser performance, and it keeps my home ISP's or any public wifi ISP's nose out of Firefox browsing.