Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Wireless Networking Security IT Technology

82% of People Say They Connect To Any Free WiFi That's Available in a Public Place, Survey Finds (decisiondata.org) 123

Have you ever been in a public place and hopped onto a public WiFi network? From a report: We conducted a survey of 1,195 US residents over the past two weeks asking about internet connectivity and one interesting trend stood out. 82% of respondents (980 total) said they connect to any freely available network while out in public. When asked about the security implications of such a decision, the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them.
This discussion has been archived. No new comments can be posted.

82% of People Say They Connect To Any Free WiFi That's Available in a Public Place, Survey Finds

Comments Filter:
  • "When asked about the security implications of such a decision, the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them." And it won't be until creepers start using it this do real damage and it starts getting reported on. It was less the 2 generations ago that most people never locked there doors as well.

    • Re:And it won't be. (Score:4, Informative)

      by Red_Forman ( 5546482 ) on Thursday August 01, 2019 @01:59PM (#59024198)

      And less than two generations ago, people knew the difference between there and their.

      Dumbass.

    • I still don't lock my door. I also happily connect to public WiFi. Honestly the risk of doing so are minimal in the days where default OS policy is to lock down the firewall on public access points and pretty much every website on the internet is encrypted. /Disclosure: I connect to any public wifi I get my hands on. And yes I did consider the security implications of doing so and determined it to be well worth it.

    • > It was less the 2 generations ago that most people never locked there doors as well.

      Crime rates were higher then too - people are just very conditioned to be fearful now.

      Hey, we have to violate grandma's vag at the airport if you don't want to die.

      Land of the Free, if Home of the Brave.

    • Flipping the question around: how often are you out of your house in a place with WiFi you trust? Corollary: how much do you trust your ISP? The only reasonably trustworthy mechanism is a VPN that I own completely. And even that isn't foolproof, depending on what data you consider to be sensitive.

  • by hawguy ( 1600213 ) on Thursday August 01, 2019 @11:52AM (#59023536)

    When asked about the security implications of such a decision

    What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

    So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.

    • by hjf ( 703092 ) on Thursday August 01, 2019 @11:57AM (#59023568) Homepage

      Yes. this is a non-issue. I think all of these articles are basically peddling by VPN providers. All of them are extremely shady operations. Their selling point seems to be mostly WE KEEP ABSOLUTELY NO LOGS. Yeah right.

    • Re: (Score:2, Informative)

      by geek ( 5680 )

      When asked about the security implications of such a decision

      What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

      So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.

      These same people will ignore invalid cert warnings and open them up to MITM attacks. They will also happily click on HTTP spoofed websites when you change the domain resolution on them.

      The security implications go even deeper so please if you connect to these, at the bare minimum use a VPN.

      • To be honest I don't what you mean by the security implications go much deaper. In some sense you are better on public WiFi, your mobile phone company can no longer log your traffic and you are actually anonimising your connections to the Internet (doubt the government is getting all MAC addresses from every NAT router in cafes). Assuming cookie cleanliness and https etc

        The biggest threat I see is that Android has often apps listening on inbound ports, amazingly. Don't know why, maybe debug. Though I've nev

        • by geek ( 5680 )

          To be honest I don't what you mean by the security implications go much deaper. In some sense you are better on public WiFi, your mobile phone company can no longer log your traffic and you are actually anonimising your connections to the Internet (doubt the government is getting all MAC addresses from every NAT router in cafes). Assuming cookie cleanliness and https etc

          The biggest threat I see is that Android has often apps listening on inbound ports, amazingly. Don't know why, maybe debug. Though I've never seen these exploited, or anyone really caring.

          So naive. Yes lets trust random wifi provider that you don't know over the cell provider you do know. Good luck subpeoning the random wifi provider when your identity is stolen.

          I have an idea. Go find a random dude off the street and hand him your daughter for the prom. No need to go with the guy you vetted from the school and you know his parents.

    • It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.

      Presumably, a larger chain will use real APs and implement client isolation so that other devices on the LAN aren't visible.

    • by tepples ( 727027 )

      These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

      DNS is still cleartext, as is the Server Name Indication (SNI) field of the HTTPS ClientHello message. So the operator can see domain names and approximate sizes of what you're viewing, especially if an HTML document loads subresources (scripts, style sheets, and images) from third-party CDNs. A VPN will hide the domain names and obscure the sizes somewhat.

      • by AmiMoJo ( 196126 )

        DNS over HTTPS also hides DNS requests. Cloudflare and Google and a few others offer free DNS servers that support it.

    • I like the approach you imply.

      Anybody who's building any web service needs to do so in a way where they realize the "last few meters" of the link is likely highly insecure and being monitored. How do I protect my user?

      Web browser developers should be doing the same, and making bypassing invalid MITM certs harder. Warning people of certs who's signatures change much before their expire date, etc.

    • What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

      You have a computer say a laptop with Intel's active management hardware installed.

      1. You connect to my AP.

      2. While associating with AP I send DHCP option 15 to set domain name.

      3. I obtain a valid certificate for above domain trusted by Intel.

      4. I remotely takeover your computer despite whatever host based protections are in place such as stealth mode firewalls.

      5. You're fucked

      • Right, but how do you do #3? How do you even know they are using intel active management hardware? Why would intel's software trust any random domain?

        • Right, but how do you do #3? How do you even know they are using intel active management hardware?

          Simply open a connection to the corresponding TCP port. It can't be firewalled because the network interface is virtualized and not controlled by the host operating system.

          Why would intel's software trust any random domain?

          DHCP domain matches the domain of the verified certificate. Intel trusts the certificate because it has validated the trust chain. Intel trusts DHCP because... well you'll have to ask them why they do that.

        • Right, but how do you do #3?

          The same way corporations get theirs. Purchase one from a trusted CA. Or steal one I guess you could do that too.

          • No trusted CA is going to give you a signed certificate for an Intel domain.
            • No trusted CA is going to give you a signed certificate for an Intel domain.

              Not necessary. Corporations use their own domains to enroll systems not Intel domains.

              • Ah, interesting. Yeah I do understand why Intel would want to do that for corporate customers, but I also understand what a terrible, terrible security issue that is. Thanks!
    • by Anonymous Coward

      "What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https."

      Dammit, so if you log-in to my "free MITM-WIFI" I, as man-in-the-middle can't spoof everything you think as your secure HTTPS site?

      There goes my dream of ruling the world.

    • by mea2214 ( 935585 )

      These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

      I've been running an open wifi in my neighborhood since 2012 and see about 30 unique visitors per day. In 2012 when I started there was a lot of unencrypted traffic including people sending email passwords in plain text. Nowadays everything is encrypted end to end.

      I get a lot of IPhones connecting without the user's knowledge sometimes even downloading updates. So it's 100% of Apple users who agree to connect to free wifis.

    • by Anonymous Coward

      The security issue is that sometimes people just type "mybank.com" in the browser's field and it tries http first, then "mybank.com" redirects to "https://mybank.com" if everyone's playing nice. A malicious network could act as a proxy, leaving the browser at http and using the entered credentials to connect to https, then show the https results within an http window. The user can't tell the difference because people don't bother to check for the ever shrinking lock icons, and many browsers hide the proto

      • by Anonymous Coward


        The security issue is that sometimes people just type "mybank.com" in the browser's field and it tries http first

        Not if you've ever visited "mybank.com", and "mybank.com" has HSTS enabled. If they have (and most banks do set this header) the browser will got to https, and ONLY https.

    • You might not ask this question if you looked at e.g. the monthly Android Security bulletins and see all of the remote attacks patched in e.g. the Qualcomm|WLAN drivers.

      https://source.android.com/sec... [android.com]

      Here's one I found in 5 seconds from this month's update:
      https://source.codeaurora.org/... [codeaurora.org]

    • Really? That's the only insightful comment so far? While I sort of agree, it seems a rather shallow insight. Security remains a chain, and open WiFi remains one of the weakest links... The villains always look for the easiest point of attack.

      In solution terms, I think we missed the boat a long time ago. I wonder what would have happened if the system wasn't so firmly oriented around protecting the powers of the central network hubs and the governments that control the hubs. Can you imagine a world where mos

    • When asked about the security implications of such a decision

      What are the security implications of such a decision? These days any site that deals with sensitive data (banking, webmail, etc) is going to use https.

      So as long as users aren't sharing passwords among less secure sites (where the password could be snooped and reused) and don't ignore cert warnings (to prevent MiTM attacks), what is the real security issue? It's not like connecting to the "real" Starbucks open wifi network makes you any safer against traffic snooping.

      There are all kinds of attacks that can be implemented in such a privileged position. TLS downgrade attacks, padding oracle attacks, compromised SSL certificates, etc. They have to find a way to inject themselves between you and your desired endpoint and this is the easiest way put themselves in that position.

  • Doom (Score:2, Interesting)

    by Wolfrider ( 856 )

    > the majority of the respondents said they didn't think about such things, and that it wasn't a concern for them

    --We have failed as a society if the average person on the street has no concept of basic information security. This is why major companies and public services keep getting hacked.

    --It only took one incident of data-loss for me to sharpen up my backup methods, and I'm also constantly learning from news headlines. I guess most people just don't care until the badthings happen specifically to

    • The average person on the street will never have any concept of basic information security. You're lucky if the guys who are actually in charge of information security do. The challenge is how to deal with that.

    • --We have failed as a society if the average person on the street has no concept of basic information security.

      No we haven't. We've succeeded as a society that the average person on the street doesn't need to worry about connecting to an open WiFi. Every goddamn website is encrypted, most internet services are encrypted, and modern OSes by default lock down the firewall when connecting to a never before seen wifi network and specifically ask you to opt in to your PC being open.

      I don't think about security of WiFi access points because *I don't need to*. Much like I live in a city where I don't need to worry about th

  • 4/5G is faster than most wifi points connections the real reason people seek out public wifi is so they can change their ip address to evade bans as most services ban vpn ip ranges.
  • I'm sure a malicious open WiFi could give me invalid DNS entries. All web traffic is now pretty much https so I'm not that worried about a link being high jacked but I don't know about all my apps. Are they all using secure connections?
  • It's when you log into secure websites during that time. If you don't have to log in into someplace, there is not a problem. If you have to log in. That is why you use VPN.
  • Back when most websites were plain HTTP, this was definitely an activity to be discouraged.

    But now that most of the web is all HTTPS, with certs and such, public wifi access points aren't quite the hazard they used to be.

    But you know, be careful. Be mindful when using them. It's harder to do shenanigans to HTTPS, but not impossible. Pay attention to security warnings should they arise!

  • by williamyf ( 227051 ) on Thursday August 01, 2019 @01:16PM (#59024010)

    I'll connect to any free wifi available, and then start my VPN. In this day and age, VPN software is cheap, and easy to use.

    On te other hand, if these people do not know how to use a VPN... well, that's an issue.

    • by DogDude ( 805747 )
      Why do you think a VPN keeps you safe? Who is your VPN provider, and why do you trust them with all of your Internet traffic?
  • from a report (by whom?)...
    we conducted a survey (again, by whom is omitted)...
    although you did link to a website, that may or may not be the submitter/surveyor, at this point this is a textbook example of plagiarism.
  • by King_TJ ( 85913 ) on Thursday August 01, 2019 @02:09PM (#59024240) Journal

    I would probably also check a box in a survey if it asked if I generally connect to any available public free wi-hi hotspot when I'm traveling.
    That said, I *do* consider security implications first.

    I simply use a bit of common sense. For example? If I'm in a major airport and want to use free wi-fi, I make sure to find out what the official hotspot's SSID is supposed to be. I've often gone to airports and seen shady looking SSID's offered in my list, with names like "Free internet", or even "Free Airport Internet" -- which just don't look like the official ones such a place would provide to people. (You'd expect they'd include the name of the actual airport you're at, maybe?)

    As a Comcast customer, I'm also given access to Xfinity hotspots all over the country, and get auto logged into them if I have their security certificate installed on my device for them first. So I have no real concerns about those.

  • Paid WiFi like on a plane or other?

  • STEP 1. - Install a home router with Open VPN, suggest ASUS Merlin
    STEP 2. - Install Open VPN app on your iPhone
    STEP 3. - Turn on VPN in Settings and automagically happens on any insecure WIFI

    Somebody please post android instructions and I think we will have it covered

  • given that practically all sites I visit are HTTPS.

This is the theory that Jack built. This is the flaw that lay in the theory that Jack built. This is the palpable verbal haze that hid the flaw that lay in...

Working...