Originally published at: https://boingboing.net/2020/02/01/the-eff-says-public-wifi-isn.html
…
my concern is the sensitive stuff is often also most likely to not use https (eg:
for example a social worker i met on a flight had to use a non https portal on the public web to upload hippa protected info. (bonus points for doing so on plane wifi which is a weird world i refuse to participate in… i tell folks i am OFFLINE when flying)
anyways, the city/state/county points at the workers to use a vpn, workers point at county it’s their job to secure the site. and the clients are mostly indigent, so no one’s scared of one suing so nothing happens
*sucks in air through teeth*
6 Likes
In my experience there may be some holdouts but that isn’t as true any more. For sure most government websites that the general public uses are https and same with medical and financial sites. Internal use tools are slower to catch up than public facing but I think the majority of people can use public WiFi safely within the caveats listed. I will feel better when htst is more universal as that is needed to mitigate DNS hijacking if people aren’t using dns over https or other secure to the endpoint DNS, but it the risk compared to 10 years ago is really improved.
the problem is they’re not internal. they’re on the public web, no vpn needed
1 Like
So is this saying that using an HTTPS address on the local coffee shop wifi (password protected of course) will prevent Man in the Middle attack? Because I can set up a copycat wifi at the local Starbucks and you will have to go through me to set up the HTTPS connection… I don’t even trust the VPN providers. I use a router with file based keys.
The largest risk on a public wifi (or any network for that matter) is a MITM attack that occurs during the initial http➡️https redirect. If an attacker can insert themselves into that exchange (whether through MAC spoofing, decoy SSID, etc) they can then redirect your browser to a convincing look-alike website, complete with a “valid” SSL certificate. From there the attacker can proceed to serve malware, capture credentials, or any other data from the user.
A simple step users can take to mitigate this specific risk is to always open web pages with the correct https://… URL. (either by hand or with a bookmark).
I believe that when protocol is unspecified, Chrome (and most modern browsers?) will always attempt https first, which is also a means to avoid http➡️https foolery.
There’s also the separate DNS hijacking risk, which can be mitigated with browser based DNS over TLS.
1 Like
If a user is going to a correct URI, and their DNS and PKI trust store have not been compromised, then their HTTPS should be secure against MITM attacks no matter which wifi connection they go through.
Of course the user might choose to click through a certificate warning, but then that is on them. 
Also, Chrome has gotten much less tolerant of certificate errors too, so that is progress.
1 Like
Besides using HTTPS, you also want to be sure you have file sharing turned off when on a public network.
1 Like
What happened to Cory?
This topic was automatically closed after 5 days. New replies are no longer allowed.
