82% of People Say They Connect To Any Free WiFi That's Available in a Public Place, Survey Finds (decisiondata.org)
Have you ever been in a public place and hopped onto a public WiFi network? From a report: We conducted a survey of 1,195 US residents over the past two weeks asking about internet connectivity and one interesting trend stood out. 82% of respondents (980 total) said they connect to any freely available network while out in public. When asked about the security implications of such a decision, the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them.
Re: (Score:2)
Re: Sure, that's why we pay for a VPN (Score:2)
Between the time you connect to the wifi and the time the VPN is connected, during those seconds your phone has made 100-200 or more requests over that WiFi network.
Re: (Score:2)
My phone doesn't allow any requests until the VPN tunnel is open.
Are you sure about that? Have you run a sniffer to see what your phone is actually doing?
Re: (Score:1)
Umm, turn on the VPN and let it use mobile data until the wi-fi is connected. Assuming you have mobile data. "Mook" - what a great word!
Re: (Score:3)
People like this make security-by-obscurity possible for the rest of us.
Re: Sure, that's why we pay for a VPN (Score:1)
How do you know the VPN provider is not spying on you?
Re: (Score:2)
Well, I just ssh-tunnel to my own servers, but the article is probably about people that will gladly accept an SSL-interceptor in the data-path and surf the web that way.
And it won't be. (Score:2, Insightful)
"When asked about the security implications of such a decision, the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them." And it won't be until creepers start using it this do real damage and it starts getting reported on. It was less the 2 generations ago that most people never locked there doors as well.
Re: (Score:1)
I believe that what you really want is the Upside-Down-Ternet [ex-parrot.com]
Re: (Score:2)
Who's using Facebook over HTTP?
Re: (Score:2)
Who's using anything over HTTP? I can't think of a serious password-protected site that doesn't use https.
Re:And it won't be. (Score:5, Informative)
Sign in as anyone by grabbing their Facebook (and other) tokens. Flip their images upside-down. Have a ball!
That worked before providers got serious about HTTPS everywhere. These days about all you can do with a rogue access point is cause certificate errors.
Re: (Score:2)
Yeah, intercepting is not possible in most cases, but most WiFi drivers are binary blobs full of holes that will never be patched. So you can't MiTM, but you may be able to hack the phone itself!
Re: (Score:3)
You can piss people off, too. A friend in the UK changes his phone's name to "Virgin Trains Free Wifi" and enables the hotspot when he's on a train...without free wifi.
He said it's usually hilarious, with people bitching out loud about how the wifi doesn't work, and then berating the train staff about how wifi doesn't work.
Re: (Score:2)
Re: (Score:2)
Yeah, the kind of people smart enough to do that aren't drinking lagers and complaining about wifi, they're trying to DoS your phone via the wifi radio.
Re: (Score:2)
Isn't it possible to MITM HTTPS in some cases? I thought this was how employers were spying on employees web activities.
Re: (Score:2)
Only if the employer can install their root certificate as trusted, and then use the system to generate new SSL certificates on the fly. Thus entirely possible on corporate machines, unlikely for privately owned phones and devices.
Re:And it won't be. (Score:4, Informative)
And less than two generations ago, people knew the difference between there and their.
Dumbass.
Re: And it won't be. (Score:2)
And less than two generations ago no one cared about harmless mistakes in casual forums.
Re: (Score:2)
I still don't lock my door. I also happily connect to public WiFi. Honestly the risks of doing so are minimal in the days where default OS policy is to lock down the firewall on public access points and pretty much every website on the internet is encrypted. /Disclosure: I connect to any public wifi I get my hands on. And yes I did consider the security implications of doing so and determined it to be well worth it.
Re: And it won't be. (Score:2)
I know the difference between a certificate installation and an accept button.
I think many of the people who are worried about this know just enough about security to worry, and not enough to actually evaluate the risk. I've evaluated the risk, and given the protections in place, I think it's acceptable. Of course, some may understand the risk and deem it unacceptable, which is fine, but I don't really see much of that here.
Are you just as worried about BGP hijacking, and what ar
Re: (Score:2)
> It was less the 2 generations ago that most people never locked there doors as well.
Crime rates were higher then too - people are just very conditioned to be fearful now.
Hey, we have to violate grandma's vag at the airport if you don't want to die.
Land of the Free, if Home of the Brave.
Re: (Score:3)
Flipping the question around: how often are you out of your house in a place with WiFi you trust? Corollary: how much do you trust your ISP? The only reasonably trustworthy mechanism is a VPN that I own completely. And even that isn't foolproof, depending on what data you consider to be sensitive.
What are the security implications? (Score:5, Insightful)
When asked about the security implications of such a decision
What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.
Re:What are the security implications? (Score:4, Interesting)
Yes, this is a non-issue. I think all of these articles are basically peddling by VPN providers. All of them are extremely shady operations. Their selling point seems to be mostly WE KEEP ABSOLUTELY NO LOGS. Yeah right.
Re: (Score:2, Informative)
When asked about the security implications of such a decision
What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.
These same people will ignore invalid cert warnings and open them up to MITM attacks. They will also happily click on HTTP spoofed websites when you change the domain resolution on them.
The security implications go even deeper so please if you connect to these, at the bare minimum use a VPN.
Re: What are the security implications? (Score:2)
To be honest I don't know what you mean by the security implications go much deeper. In some sense you are better on public WiFi, your mobile phone company can no longer log your traffic and you are actually anonymising your connections to the Internet (doubt the government is getting all MAC addresses from every NAT router in cafes). Assuming cookie cleanliness and https etc
The biggest threat I see is that Android has often apps listening on inbound ports, amazingly. Don't know why, maybe debug. Though I've nev
Re: (Score:2)
To be honest I don't know what you mean by the security implications go much deeper. In some sense you are better on public WiFi, your mobile phone company can no longer log your traffic and you are actually anonymising your connections to the Internet (doubt the government is getting all MAC addresses from every NAT router in cafes). Assuming cookie cleanliness and https etc
The biggest threat I see is that Android has often apps listening on inbound ports, amazingly. Don't know why, maybe debug. Though I've never seen these exploited, or anyone really caring.
So naive. Yes, let's trust a random wifi provider that you don't know over the cell provider you do know. Good luck subpoenaing the random wifi provider when your identity is stolen.
I have an idea. Go find a random dude off the street and hand him your daughter for the prom. No need to go with the guy you vetted from the school and you know his parents.
Re: (Score:2)
It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.
Presumably, a larger chain will use real APs and implement client isolation so that other devices on the LAN aren't visible.
Re: (Score:2)
You can't ARP poison when ARP broadcasts are blocked through isolation.
And getting in the middle is the only way you're going to snoop HTTPS to any real degree.
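As an added illustration of the ARP-poisoning point in the two comments above (this is not code from the thread or from any product), here is the arpwatch-style check a LAN monitor runs on a network that lacks client isolation: an IP address that is answered by more than one MAC within a short window, especially one that flaps back and forth, is the classic symptom. The ARP replies, IPs (from the 192.0.2.0/24 documentation range) and MACs are constructed sample data; the `window` of 60 seconds is an assumption chosen so that a normal DHCP re-lease a day later does not alert.

```python
from collections import defaultdict

# Constructed ARP replies as a LAN monitor would record them:
# (timestamp_seconds, sender_ip, sender_mac). Records 4 and 5 show the
# gateway IP (192.0.2.1) being claimed by a second MAC and then flapping
# back; the last record is a legitimate re-lease of 192.0.2.23 much later.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),
    (1.5, "192.0.2.1", "00:00:5e:00:53:01"),
    (2.0, "192.0.2.23", "00:00:5e:00:53:23"),
    (3.1, "192.0.2.1", "00:00:5e:00:53:99"),
    (3.2, "192.0.2.1", "00:00:5e:00:53:01"),
    (90000.0, "192.0.2.23", "00:00:5e:00:53:42"),
]


def detect_arp_conflicts(replies, window=60.0):
    """Flag every ARP reply whose sender IP was answered by a different MAC
    within `window` seconds (assumed value). Returns a list of alert dicts in
    the order the conflicting replies were observed."""
    last_seen = defaultdict(dict)  # ip -> {mac: last timestamp seen}
    alerts = []
    for ts, ip, mac in replies:
        # Other MACs that recently claimed this IP; older claims are treated
        # as expired so an address reassigned by DHCP later does not alert.
        recent_others = {
            other: seen for other, seen in last_seen[ip].items()
            if other != mac and ts - seen <= window
        }
        last_seen[ip][mac] = ts
        if recent_others:
            alerts.append({
                "time": ts,
                "ip": ip,
                "new_mac": mac,
                "previous_macs": sorted(recent_others),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print(f"t={alert['time']:>8.1f}s {alert['ip']} now claimed by "
              f"{alert['new_mac']} (was {', '.join(alert['previous_macs'])})")
```

On a managed network the same class of event is blocked rather than merely detected, by client isolation as the comment says, or by DHCP snooping with dynamic ARP inspection on the switch; the check above is what remains for a flat network where those controls are not available.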
Re: (Score:3)
These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
DNS is still cleartext, as is the Server Name Indication (SNI) field of the HTTPS ClientHello message. So the operator can see domain names and approximate sizes of what you're viewing, especially if an HTML document loads subresources (scripts, style sheets, and images) from third-party CDNs. A VPN will hide the domain names and obscure the sizes somewhat.
Re: (Score:2)
DNS over HTTPS also hides DNS requests. Cloudflare and Google and a few others offer free DNS servers that support it.
Re: (Score:3)
I like the approach you imply.
Anybody who's building any web service needs to do so in a way where they realize the "last few meters" of the link is likely highly insecure and being monitored. How do I protect my user?
Web browser developers should be doing the same, and making bypassing invalid MITM certs harder. Warning people of certs whose signatures change much before their expiry date, etc.
Re: (Score:3)
What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
You have a computer say a laptop with Intel's active management hardware installed.
1. You connect to my AP.
2. While associating with AP I send DHCP option 15 to set domain name.
3. I obtain a valid certificate for above domain trusted by Intel.
4. I remotely takeover your computer despite whatever host based protections are in place such as stealth mode firewalls.
5. You're fucked
Re: (Score:2)
Right, but how do you do #3? How do you even know they are using intel active management hardware? Why would intel's software trust any random domain?
Re: (Score:3)
Right, but how do you do #3? How do you even know they are using intel active management hardware?
Simply open a connection to the corresponding TCP port. It can't be firewalled because the network interface is virtualized and not controlled by the host operating system.
Why would intel's software trust any random domain?
DHCP domain matches the domain of the verified certificate. Intel trusts the certificate because it has validated the trust chain. Intel trusts DHCP because... well you'll have to ask them why they do that.
Re: (Score:2)
Right, but how do you do #3?
The same way corporations get theirs. Purchase one from a trusted CA. Or steal one I guess you could do that too.
Re: (Score:2)
Re: (Score:2)
No trusted CA is going to give you a signed certificate for an Intel domain.
Not necessary. Corporations use their own domains to enroll systems not Intel domains.
Re: (Score:2)
Re: (Score:2)
It's a lot more complicated and requires repeated user input that varies based on AMT version and setup method. DHCP isn't among them.
Neither of the references you provided establish what you assert they do. There are multiple modes of operation each with different settings and requirements.
The capability I'm referring to is known as ACM (Admin control mode) which explicitly does NOT require any user consent or action. It's an entirely automated process for clients using PKI as the basis of trust.
Re: (Score:1)
"What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https."
Dammit, so if you log in to my "free MITM-WIFI" I, as man-in-the-middle, can't spoof everything you think is your secure HTTPS site?
There goes my dream of ruling the world.
Re: (Score:2)
These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
I've been running an open wifi in my neighborhood since 2012 and see about 30 unique visitors per day. In 2012 when I started there was a lot of unencrypted traffic including people sending email passwords in plain text. Nowadays everything is encrypted end to end.
I get a lot of iPhones connecting without the user's knowledge, sometimes even downloading updates. So it's 100% of Apple users who agree to connect to free wifis.
Re: (Score:1)
The security issue is that sometimes people just type "mybank.com" in the browser's field and it tries http first, then "mybank.com" redirects to "https://mybank.com" if everyone's playing nice. A malicious network could act as a proxy, leaving the browser at http and using the entered credentials to connect to https, then show the https results within an http window. The user can't tell the difference because people don't bother to check for the ever shrinking lock icons, and many browsers hide the proto
Re: (Score:1)
The security issue is that sometimes people just type "mybank.com" in the browser's field and it tries http first
Not if you've ever visited "mybank.com", and "mybank.com" has HSTS enabled. If they have (and most banks do set this header) the browser will go to https, and ONLY https.
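The exchange above (the http-first proxy worry and the HSTS reply) comes down to what the browser's HSTS store does with a typed hostname. The following is an added example of that logic, not code from the thread or from any browser: it parses a Strict-Transport-Security header as RFC 6797 describes, records the policy only when it arrived over HTTPS, honours max-age expiry, includeSubDomains and max-age=0, and then shows which URL a typed "mybank.example" actually produces. The hostnames, header values and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header carries no usable max-age, in which case a browser ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsCache:
    """Minimal model of a browser's HSTS policy store."""

    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def note_response(self, url, header, now):
        """Record the policy carried by a response, as a browser would."""
        parts = urlsplit(url)
        # RFC 6797 section 8.1: the header is only honoured over HTTPS, so a
        # hostile network on the plain-HTTP leg cannot plant or clear policies.
        if parts.scheme != "https":
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.policies.pop(host, None)    # max-age=0 tells the browser to forget
            return
        expires_at = now + timedelta(seconds=policy["max_age"])
        self.policies[host] = (expires_at, policy["include_subdomains"])

    def is_known(self, host, now):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue                      # expired policy no longer applies
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, typed, now):
        """Turn what the user typed into the URL the browser will request."""
        url = typed if "://" in typed else "http://" + typed   # bare host defaults to http
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            parts = parts._replace(scheme="https")          # internal upgrade, no network hop
        if not parts.path:
            parts = parts._replace(path="/")
        return urlunsplit(parts)


if __name__ == "__main__":
    clock = datetime(2020, 1, 1, tzinfo=timezone.utc)   # constructed fixed clock
    cache = HstsCache()
    print(cache.navigate("mybank.example", clock))       # first ever visit: plain http
    cache.note_response("https://mybank.example/", "max-age=31536000; includeSubDomains", clock)
    print(cache.navigate("mybank.example", clock))       # later visit: https without asking
```

The point the example makes concrete is the one the reply states: protection only exists for a host the browser has already seen over HTTPS and whose policy has not expired, which is why the very first visit from a fresh profile, or after a long absence, is the moment the http-first concern in the parent comment still applies.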
Re: (Score:2)
You might not ask this question if you looked at e.g. the monthly Android Security bulletins and saw all of the remote attacks patched in e.g. the Qualcomm WLAN drivers.
https://source.android.com/sec... [android.com]
Here's one I found in 5 seconds from this month's update:
https://source.codeaurora.org/... [codeaurora.org]
Stop the world! I want to get off! (Score:2)
Really? That's the only insightful comment so far? While I sort of agree, it seems a rather shallow insight. Security remains a chain, and open WiFi remains one of the weakest links... The villains always look for the easiest point of attack.
In solution terms, I think we missed the boat a long time ago. I wonder what would have happened if the system wasn't so firmly oriented around protecting the powers of the central network hubs and the governments that control the hubs. Can you imagine a world where mos
Re: (Score:2)
When asked about the security implications of such a decision
What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.
So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.
There are all kinds of attacks that can be implemented from such a privileged position. TLS downgrade attacks, padding oracle attacks, compromised SSL certificates, etc. They have to find a way to inject themselves between you and your desired endpoint and this is the easiest way to put themselves in that position.
Doom (Score:2, Interesting)
> the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them
--We have failed as a society if the average person on the street has no concept of basic information security. This is why major companies and public services keep getting hacked.
--It only took one incident of data-loss for me to sharpen up my backup methods, and I'm also constantly learning from news headlines. I guess most people just don't care until the bad things happen specifically to
Re: (Score:3)
The average person on the street will never have any concept of basic information security. You're lucky if the guys who are actually in charge of information security do. The challenge is how to deal with that.
Re: Doom (Score:1)
Easy. Most basic information does not need to be secured.
Re: (Score:2)
--We have failed as a society if the average person on the street has no concept of basic information security.
No we haven't. We've succeeded as a society that the average person on the street doesn't need to worry about connecting to an open WiFi. Every goddamn website is encrypted, most internet services are encrypted, and modern OSes by default lock down the firewall when connecting to a never before seen wifi network and specifically ask you to opt in to your PC being open.
I don't think about security of WiFi access points because *I don't need to*. Much like I live in a city where I don't need to worry about th
Re: (Score:3, Informative)
Sample Size Determination [wikipedia.org]
Re: (Score:2)
I'd rather just use my data connection.
Provided you still have tethering this month. A lot of (especially U.S.) cellular carriers restrict subscribers' use of a phone as a hotspot for a laptop.
Re: (Score:2)
1. What U.S. carrier?
2. Then you'd have to prove to others that avoiding disclosing even the domain name of an HTTPS server over free Wi-Fi is worth $900 per year to them.
Only useful for ban evasion and data caps (Score:2)
Re: (Score:3)
Security question - apps (Score:2)
App Transport Security (Score:4, Informative)
The App Transport Security rule [apple.com] requires applications in Apple's App Store to use encrypted connections unless an application has "reasonable justification" otherwise. One common "reasonable justification" is an app made specifically for connecting to user-specified third-party servers using well-known unencrypted protocols, such as an IRC client or a WKWebView.
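Since the comment above describes ATS in terms of a rule with exceptions, an added example of how an app-security reviewer checks which exceptions a build actually declares (not code from the thread or from Apple): it loads an Info.plist with the standard-library plistlib and reports the global bypass keys (`NSAllowsArbitraryLoads` and its web-content and media variants) separately from the narrow per-domain exceptions under `NSExceptionDomains`. Both plists, the bundle identifier and the domain irc.example.net are constructed for a hypothetical IRC client; the severity labels are this example's own.

```python
import plistlib

# Constructed Info.plist (hypothetical IRC client): a global ATS bypass plus a
# per-domain exception that also lowers the TLS floor.
PERMISSIVE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.ircclient</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>irc.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Same app with only the exception the comment's "reasonable justification"
# covers: cleartext for one named server, ATS defaults everywhere else.
NARROW_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.ircclient</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>irc.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Keys that relax ATS for every connection the app makes (severity is this
# example's own labelling).
GLOBAL_BYPASS_KEYS = {
    "NSAllowsArbitraryLoads": "high",
    "NSAllowsArbitraryLoadsInWebContent": "medium",
    "NSAllowsArbitraryLoadsForMedia": "medium",
}


def audit_ats(plist_bytes):
    """Return a list of findings for the NSAppTransportSecurity dictionary.

    An absent dictionary yields no findings: ATS defaults (TLS 1.2+, no
    cleartext) then apply to the whole app.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    for key, severity in GLOBAL_BYPASS_KEYS.items():
        if ats.get(key) is True:
            findings.append({"severity": severity, "key": key, "domain": None, "value": True})
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            # Wider scope if the exception also covers every subdomain.
            severity = "medium" if rules.get("NSIncludesSubdomains") else "low"
            findings.append({"severity": severity, "key": "NSExceptionAllowsInsecureHTTPLoads",
                             "domain": domain, "value": True})
        tls_floor = rules.get("NSExceptionMinimumTLSVersion")
        if tls_floor in ("TLSv1.0", "TLSv1.1"):
            findings.append({"severity": "medium", "key": "NSExceptionMinimumTLSVersion",
                             "domain": domain, "value": tls_floor})
    return findings


if __name__ == "__main__":
    for label, plist in (("permissive", PERMISSIVE_INFO_PLIST), ("narrow", NARROW_INFO_PLIST)):
        print(label)
        for finding in audit_ats(plist):
            scope = finding["domain"] or "<all connections>"
            print(f"  [{finding['severity']}] {finding['key']} = {finding['value']} for {scope}")
```

The distinction the audit draws is the one that matters for the comment's example: a named-server exception for an IRC client leaves every other request in the app under ATS, whereas the global key switches ATS off for the whole app, which is the setting to look for first in a review.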
Re: Security question - apps (Score:1)
Spoken by someone that has no idea how MITM works even with HTTPS.
The problem isn't being connected to free WiFi (Score:2, Interesting)
HTTPS (Score:2)
Back when most websites were plain HTTP, this was definitely an activity to be discouraged.
But now that most of the web is all HTTPS, with certs and such, public wifi access points aren't quite the hazard they used to be.
But you know, be careful. Be mindful when using them. It's harder to do shenanigans to HTTPS, but not impossible. Pay attention to security warnings should they arise!
... and then, fire up the VPN (Score:4, Interesting)
I'll connect to any free wifi available, and then start my VPN. In this day and age, VPN software is cheap, and easy to use.
On the other hand, if these people do not know how to use a VPN... well, that's an issue.
Re: (Score:2)
Plagiarism (Score:2)
we conducted a survey (again, by whom is omitted)...
Although you did link to a website, that may or may not be the submitter/surveyor; at this point this is a textbook example of plagiarism.
Some FUD here, IMO .... (Score:3)
I would probably also check a box in a survey if it asked if I generally connect to any available public free wi-fi hotspot when I'm traveling.
That said, I *do* consider security implications first.
I simply use a bit of common sense. For example? If I'm in a major airport and want to use free wi-fi, I make sure to find out what the official hotspot's SSID is supposed to be. I've often gone to airports and seen shady looking SSIDs offered in my list, with names like "Free internet", or even "Free Airport Internet" -- which just don't look like the official ones such a place would provide to people. (You'd expect they'd include the name of the actual airport you're at, maybe?)
As a Comcast customer, I'm also given access to Xfinity hotspots all over the country, and get auto logged into them if I have their security certificate installed on my device for them first. So I have no real concerns about those.
what about (Score:2)
Paid WiFi like on a plane or other?
My iPhone autostarts VPN when on insecure WIFI (Score:2)
STEP 1. - Install a home router with OpenVPN, suggest ASUS Merlin
STEP 2. - Install the OpenVPN app on your iPhone
STEP 3. - Turn on VPN in Settings and it automagically happens on any insecure WIFI
Somebody please post android instructions and I think we will have it covered
Remind me the risks please (Score:1)
given that practically all sites I visit are HTTPS.