[PLUG-TALK] Unsecured Wi-Fi

Tomas Kuchta tomas.kuchta.lists at gmail.com
Thu Aug 15 05:45:17 UTC 2019


This is a popular article, very widely advertised and promoted for at least a
week.

Anyway, there is security and there is privacy. They somewhat overlap, but
they are different things.

I would argue that all public networks are insecure by definition. That
includes what is known as the internet. Your traffic and DNS are guaranteed
to be intercepted by the ISP at minimum these days. If the traffic is
encrypted, its signature is being analyzed with a similar success rate to
what you would expect from Shazam.

That does not necessarily mean that the intercepting side can see the
details of your passwords and bank transactions, unless you accept their
certificate. That being said, they absolutely can tell what bank you are
using and can tell if you pay bills or just browse their site. The same
goes for on-line shopping, etc.

Here is an example about how trustworthy networks can be. I am currently in
a hotel, connecting through their Comcast business connection. The WiFi is
protected by a password and WPA encryption. Every day, a couple of times, I
am being offered to accept an https certificate for various web sites,
including my own, issued by the ISP. They also block DNS over https and
VPNs. The same is true if I connect through a visitor hotspot at work. If I
make a mistake and accept their certificate, even once, it is game over
from there on - they would absolutely decrypt and observe the traffic.

So, I would say - password-less open WiFi hotspot is no different to an
ISP, hotel or work. I consider classic DNS, and sloppiness about
certificates probably the weakest links in normal, everyday security and
privacy. Together with using work issued computer or phone for anything
personal.

Just my 2c,
-T

On Wed, Aug 14, 2019, 16:01 Russell Senior <russell at personaltelco.net>
wrote:

> >>>>> "Rich" == Rich Shepard <rshepard at appl-ecosys.com> writes:
>
> Rich> On Wed, 14 Aug 2019, wes wrote:
> >> IMO, the bigger problem is people who are unaware of the risks
> >> associated with "secure" wireless connections. The level of
> >> protection added with the most commonly used methods of encryption
> >> are paltry, at best. This leads people to have a false sense of
> >> security when connecting through them, thus causing the actual risk
> >> to be much higher, rather than lower.
>
> Rich> Interesting points, Wes.
>
> Rich> Perhaps it makes no difference whether one's identity and
> Rich> financial information is stolen via a man-in-the-middle over open
> Rich> wi-fi or from the financial institutions' web sites. Think
> Rich> CapitalOne, Equifax, First National Title Insurance. The concept
> Rich> of privacy is no longer.
>
> Anything remotely sensitive is encrypted with https these days. This was
> the case for banking and e-commerce from the very early days. None of
> the breaches you mention had anything to do with public wifi.
>
> If someone was reporting on privacy today, they would do better to talk
> about DNS and/or Tor. You pay a price in efficiency with Tor, but
> sometimes it might be worth it. There have been some developments on the
> DNS front recently.
>
>
> --
> Russell Senior, President
> russell at personaltelco.net
> _______________________________________________
> PLUG-talk mailing list
> PLUG-talk at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug-talk
>