Slashdot Mirror


Using Airport and Hotel Wi-Fi Is Much Safer Than It Used To Be (wired.com)

As you travel this holiday season, bouncing from airport to airplane to hotel, you'll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it. Wired: This advice comes with plenty of qualifiers. If you're planning to commit crimes online at the Holiday Inn Express, or to visit websites that you'd rather people not know you frequented, you need to take precautionary steps that we'll get to in a minute. Likewise, if you're a high-value target of a sophisticated nation state, stay off of public Wi-Fi at all costs. But for the rest of us? You're probably OK. That's not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principal researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel." In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off. All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.

60 comments

  1. Thankfully no one can MITM TLS by Anonymous Coward · · Score: 0

    Glad we have that covered - just can't happen according to Sophos.

  2. I recommend the Chinese wifi by WillAffleckUW · · Score: 2

    It comes with laptop maintenance, even if you don't ask for it.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:I recommend the Chinese wifi by Anonymous Coward · · Score: 0

      still safer than american maintenance that comes with forensics

  3. Re:The best use of airport wifi: by Anonymous Coward · · Score: 0

    We're all happy for you.

  4. Strange. by Anonymous Coward · · Score: 0

    I always thought the intention of free public wifi was to enable crime and create plausible deniability.

  5. Missing details by sanf780 · · Score: 1

    How should I connect to motherless for my daily dose of bestiality?

  6. Thanks Internet Man by Anonymous Coward · · Score: 0

    So I can use my credit card on public wifi again? Yay! I feel so free now that some stranger has said I shouldn't worry anymore!

    Thanks for looking out for me internet man!

  7. blank screen by AndyKron · · Score: 1

    Awesome. Wired is a blank screen when I click on it.

    1. Re:blank screen by Anonymous Coward · · Score: 0

      Are you using hotel wi-fi?

  8. Anything important has been encrypted for years. by Anonymous Coward · · Score: 0

    For anything important (let's say anything involving money, and even Facebook), https has been the norm for 8, maybe as many as 10 years. Before that, it wasn't terribly common, and wifi leaked everywhere. Sites like Slashdot didn't encrypt, or encrypted only credentials, so you could get clever tricks like ssl strip... but so what? Let the mast0|r H@k0|~ steal your slashdot credentials... so what?

    2 years ago there were a lot of not so important websites that you could snarf information from. Let's say newspapers, or advertising sites. Are you really concerned about that? Oh no someone knows what article I read on NYT, or knows the movie I looked up on IMDB!

    The problem with security people is they don't understand priorities, and real risks. They think EVERYTHING needs to be secure, and aren't familiar with tradeoffs. Is it better that almost everything uses https now? Of course. But don't over sell it. I'm not really terribly concerned that Wired didn't encrypt my traffic in 2016, and neither is anyone else. My Bank or Financial site however, better be air tight. (And many times it's TERRIBLE)

  9. Still don't trust it by jittles · · Score: 2

    Still don't trust public WiFi no matter how good the security of websites has become. And why should I trust it? There's no reason to. I can either tether to my phone or use the hotel WiFi. Cost to me is about the same. I'll use my phone unless I am in a foreign country and the WiFi is faster than my cellular data. But no matter where I am I always VPN to a "secure network" and use remote desktop to surf the web on a machine on that "trusted network." There's no need to trust someone else's network. Though once it leaves my LAN it ends up in an untrusted network regardless.

    1. Re: Still don't trust it by Anonymous Coward · · Score: 0

      Hint: the vast majority of the Internet is someone else's network.

    2. Re:Still don't trust it by Darkk · · Score: 1

      Using your own personal VPN connected to your home network or rather "secure network" is a good idea. Why bother with remote desktop to another computer connected via VPN when you can set your VPN client to route ALL traffic to the VPN server?

    3. Re:Still don't trust it by Anonymous Coward · · Score: 0

      Indeed I use a VPN service at home, in my home office, and when away from home.

    4. Re:Still don't trust it by jittles · · Score: 1

      Using your own personal VPN connected to your home network or rather "secure network" is a good idea. Why bother with remote desktop to another computer connected via VPN when you can set your VPN client to route ALL traffic to the VPN server?

      For a variety of reasons. My bank account websites do not allow me to connect with a new web browser without authenticating it. It also keeps the website history and other information off of the laptop in case it gets lost or stolen (assuming they can bypass disk encryption). Sometimes I just bring an iPad and this lets me use the desktop at home as a full fledged computer for the times when a mobile browser is not ideal. It really just depends on what I am doing and what I have with me.

    5. Re:Still don't trust it by brunes69 · · Score: 1

      What you say is true when in-country, but not when travelling. International data at LTE speeds is still expensive.

  10. Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

    ...who says, "my site only has recipes on it! Why do I need HTTPS?"

    It's not about you. It was never about you.

    1. Re:Queue Some TechnoLuddite by fwad · · Score: 1

      If your site only has recipes then you don't need HTTPS!

      HTTPS does two things
        a) Identify the remote site
        b) Encrypt the traffic

      If you are browsing recipes you do not need your traffic encrypted
      If you are browsing recipes then you need to be paranoid to require that a third party believes the remote site is who they say they are.

      --
      -- Kernel Panic: Error reading /dev/caffeine
    2. Re: Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

      *cue

    3. Re:Queue Some TechnoLuddite by manu0601 · · Score: 4, Informative

      HTTPS does two things

      You actually forgot a third valuable thing: content integrity. HTTPS makes sure a man in the middle cannot push a malware inside your recipe pages.

      And that is not a James Bond scenario. I have seen a Windows malware running on a PC and infecting the HTTP stream that passes within its reach.

    4. Re:Queue Some TechnoLuddite by swillden · · Score: 1

      HTTPS does three things
      a) Identify the remote site
      b) Encrypt the traffic
      c) Ensure the integrity of the traffic

      FTFY. And the item you forgot is just as important as (a), and generally more important than (b).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

      HTTPS does not "identify the remote site" nor does it "authenticate the remote site". It does provide transport security (ie, encryption and integrity) between the two end points communicating (who may or may not be who you think they are).

      "Identification" and "Authentication" are not things within the bailiwick of TLS (TLS stands for Transport Layer Security).

    6. Re:Queue Some TechnoLuddite by fwad · · Score: 1

      HTTPS does indeed authenticate the remote site via a chain of trust. This is why when you enter your bank's address you can be confident that you really are talking to your bank and not a scam artist.

      --
      -- Kernel Panic: Error reading /dev/caffeine
    7. Re:Queue Some TechnoLuddite by fwad · · Score: 1

      In my head I was bundling this one up with a) but I'll grant you this should be separate.

      However this doesn't get away from "it's a cooking recipe site FFS!". The evil plot by ninja hackers to insert too much salt into people's cooking recipes and thereby kill off the entire western world will be exposed at last.

      I know people are going to talk about ads and tracking the cooking websites I go to so they can blackmail me of the chocolate brownie recipes that I downloaded but this is just insane paranoia. Then the next group of people will say but how do I know that I'm getting the correct cookie recipe. Well I'm downloading a random recipe off the web written by someone I don't know from a website I just googled why should I trust this recipe at all HTTPS or not? At the end of the day .. it's just a cookie recipe.

      --
      -- Kernel Panic: Error reading /dev/caffeine
    8. Re: Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

      If TLS wouldn't do authentication, MITM would be trivial.

    9. Re: Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

      Which, sadly, it is.

    10. Re: Queue Some TechnoLuddite by Anonymous Coward · · Score: 0

      *cue

      Maybe he wanted the TechnoLuddite to stand in line ...

  11. Who cares? by nospam007 · · Score: 1

    People who care switch on their VPN if it isn't already on by default and the others get spied on by even more people than usual.

    A VPN costs about 5$/month for usually 5 machines concurrently (PCs, cellphones, tablets...)

    1. Re:Who cares? by Anonymous Coward · · Score: 0

      How can you trust your VPN?

    2. Re:Who cares? by Anonymous Coward · · Score: 0

      Last time I checked (~5 months ago), _NONE_ of the current vpn providers protect you from local attacks. By that I mean they don't do even basic things like setup firewall rules blocking all but your gateway. Fact that you're connecting to a vpn at all can be enough to flag you.

      This article is really rather bizarre.. Honeypot attempt or trolling?

    3. Re:Who cares? by will_die · · Score: 1

      The only problem with that is all those apps such as facebook, email, etc have already connected so they have sent your info, before you can get the VPN implemented.
      The device connecting to the wifi would need to block all other traffic until the VPN is connected and there are very few things that do that.

  12. I disagree by OneHundredAndTen · · Score: 1

    It is very easy to set up a hotspot with a convincing name, that people will connect to. Do anything unencrypted in such a connection at your own peril.

  13. Surf with the security services by AHuxley · · Score: 1

    American and British Spy Agencies Targeted in-flight Mobile Phone Use (Dec 7 2016) https://theintercept.com/2016/... .
    Southwinds, Thieving Magpie and Homing Pigeon
    Canada had the wifi part covered.

    --
    Domestic spying is now "Benign Information Gathering"
  14. No End-to-End encryption == Not secure by Anonymous Coward · · Score: 0

    Who issues your trusted domain's HTTPS certificate? HTTPS is epic fail.

    https://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html

    1. Re:No End-to-End encryption == Not secure by Anonymous Coward · · Score: 0

      Basically, we have a gazillion trusted CAs and we trust certificates signed by all of these guys. If any of these trusted CAs are ISPs or government, you are very well vulnerable.

  15. Pass by nehumanuscrede · · Score: 1

    If I use a public WiFi, the very first thing I do is start a VPN connection up. ( My own server at home )

    If the WiFi disallows it, I disconnect.

    Easy.

    1. Re:Pass by KiloByte · · Score: 1

      If the WiFi disallows it, I disconnect.

      You may want to try iodine (tunnelling over DNS). Handles bogus WiFi pretty well.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Pass by Anonymous Coward · · Score: 0

      IoAC is better performing. See RFC-1149. Smoke signals also have higher bandwidth.

    3. Re:Pass by i.r.id10t · · Score: 2

      Last time I was at a conference center, the DNS request is what blocked your address and forced you to go off to the captive portal. Those of us who had IPs memorized (or a hosts file entry) could connect and SSH/VPN in direct, and once connected get DNS over the VPN/SSH tunnel.

      This of course made the PHBs jealous in the planning meetings (we were setting up to host a large educational conference) so this lowly geek who was wondering why he was even being sent to these meetings suggested "hey, we're about to write this place a check for how many hundreds of thousands of dollars and they want us to pay $20 each for WiFi while we plan this?" Amazing what a provost and college president can do for connections at conference centers... didn't know they had it in 'em.

      --
      Don't blame me, I voted for Kodos
    4. Re:Pass by Anonymous Coward · · Score: 0

      More like they were in on it but bailed the minute any link to them could even remotely be established. Welcome to corruption.

      Hilton got fined for intentionally jamming wireless so people had to pay their bs extortion fees for network access. Yet hotels still do it.

  16. It sure is! by SuperKendall · · Score: 1

    Of course in my case it's because I tether via phone instead of using airport or hotel WiFi.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  17. this is click bait by Anonymous Coward · · Score: 0

    Msmash, by your comments and the fact that you're passing this as safe, if I get hacked this season, are you willing to take the liability?

    And if not for me, anyone else?

  18. The advent of... by Trogre · · Score: 1

    So HTTPS is a new thing now?

    Seriously, 2000, you can stop now.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  19. pwn2own by Anonymous Coward · · Score: 0

    "A lot of the former risks, the reasons we used to warn people, those things are gone now,"

    What the fuck is this idiot smoking? Did he check week old news about pwn2own exploiting phones via captive portal page? HTTPS my ass.

  20. I was following until this by Anonymous Coward · · Score: 0

    "so-called man-in-the-middle efforts that tricked you into entering your passwords"

    What...?
    What the...?
    No. Just, no.

  21. serious? Liability and who's going to assume it? by Anonymous Coward · · Score: 0

    can you literally see the crap as it falls from your mouth?

    msMash, you are doing this community a disservice now..

    you are promoting methods that are severely compromised.

    Your conveyance of this info is flawed to a HUGE degree.
    Your lacking in the context of your own articles, seems to know no bounds..
    The fact that you're willing to promote an activity by people in your community that is fundamentally flawed exposes your lacking of understanding of the situation and how to promote a leadership role to resolve it, not to mention the liability carried by said comments.. /. are you willing to take responsibility and or liability for the crap that falls outta her mouth??
    Really is she that worth it?

    I am also reminded of a Sketch or Skit from the OLD Saturday Night Live Crew Dan Aykroyd and Jane Curtin.
    Point/Counterpoint on the News segment in the middle of the show. I won't sink to the level and go through the description, but it is on YouTube.
    Perhaps those who decide to check it out for themselves could possibly draw the parallels, connect the Dots, and come to their own INFORMED conclusion..

  22. Airport Hotel Wi-Fi much safer than it used to be? by najajomo · · Score: 1

    No it hasn't, if your “computer” can still be compromised by opening an email or clicking on a weblink.

  23. Re: Anything important has been encrypted for year by Anonymous Coward · · Score: 0

    This just makes me wish there were more ways to get premium WiFi access. I waited on hold so long I went over my plan and the hold music stopped and I was prompted to get another plan. So now I have no plan and I pay roaming fees whenever I make a call. But then I saw a new all access plan from Verizon that comes with the iPhone SXY with the new AI smart logic so I am in line right now. The only problem is I have to pay these kids to go get me food across the street at the cart vendor.
    Someday I will take my new phone to a Chinese factory and I will learn to make a case for it an extra special case with little sparkles and stripes. But now I am roaming again so I must stop posting

  24. I never trusted ISPs more than hotels by Anonymous Coward · · Score: 0

    Who wanted to mitm DNS, inject ads, and throttle random protocols? Hint; not the people who live and die by actual reviews of the quality of their service.

  25. It was never a problem by gweihir · · Score: 1

    That is, given appropriate safety measures, like using secure shell or a VPN tunnel. You cannot and never could trust the network.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. This is how security SHOULD be implemented by Tony+Isaac · · Score: 2

    Done correctly, it should not be necessary to trust intermediate third parties, in order to have a secure connection. Who knows who is carrying your packets between here and Romania! Who even knows if your packets are going through Romania, on their way to Texas! This is the nature of the internet.

    Make it possible to establish a secure connection between two parties, and it doesn't matter whether you are using Joe Shmo's cell phone hotspot with an SSID of Denver International WiFi.

  27. Leaky by Bert64 · · Score: 1

    A lot of corporate laptops leak information when connected to other networks, they try to connect to various internal resources and in doing so disclose either the ip addresses or the dns names.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
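
The leak described in comment 27 can be audited from the laptop owner's side by reviewing the DNS queries a machine sends while on an untrusted network. The following is an added example, not part of the thread; the log format, the internal suffixes and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the organisation's internal DNS suffixes (hypothetical values).
INTERNAL_SUFFIXES = ("corp.example", "intranet.example")

# Constructed sample: "timestamp client query-type name" lines, as a capture
# of the laptop's own DNS traffic on a guest network might be summarised.
SAMPLE_LOG = """\
2018-12-20T09:14:02 192.168.44.17 A www.wired.com
2018-12-20T09:14:03 192.168.44.17 A fileserver01.corp.example
2018-12-20T09:14:03 192.168.44.17 A wpad
2018-12-20T09:14:05 192.168.44.17 PTR 12.8.20.10.in-addr.arpa
2018-12-20T09:14:06 192.168.44.17 SRV _ldap._tcp.dc._msdcs.corp.example
2018-12-20T09:14:09 192.168.44.17 PTR 4.4.8.8.in-addr.arpa
2018-12-20T09:14:11 192.168.44.17 A Proxy.Intranet.Example.
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def classify(name):
    """Return the reason a query name discloses internal detail, or None."""
    name = name.rstrip(".").lower()
    m = PTR_RE.match(name)
    if m:
        # Reverse lookups carry the address with its octets reversed.
        try:
            addr = ipaddress.ip_address(".".join(reversed(m.groups())))
        except ValueError:
            return None  # not a valid IPv4 address, ignore
        if addr.is_private:
            return f"reverse lookup of private address {addr}"
        return None
    if "." not in name:
        # Bare host names only resolve via an internal search domain.
        return "single-label name (relies on an internal search domain)"
    for suffix in INTERNAL_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return f"internal DNS name under {suffix}"
    return None


def find_leaks(log_text):
    """Return (client, qtype, name, reason) for every leaking query."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qtype, name = fields
        reason = classify(name)
        if reason:
            leaks.append((client, qtype, name, reason))
    return leaks


if __name__ == "__main__":
    for client, qtype, name, reason in find_leaks(SAMPLE_LOG):
        print(f"{client} {qtype:4} {name}: {reason}")
```
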
  28. Except at Work where https decryption is prolific by Anonymous Coward · · Score: 0

    Except at work of course where they use Bluecoat, Redcloak and Cylance to decrypt https with impunity. Workers rights zero as usual

  29. Re: The best use of airport wifi: by Anonymous Coward · · Score: 0

    |[]|
    |[]|
    |[]|
    |[]| flashing in middle of frame

  30. Not exactly by JoePete · · Score: 1

    I think the report misses the point. It's a bit like saying because more people are getting the flu shot these days, we don't need to wash our hands as much. The opportunity for attack over a public network has only increased. Sure HTTPS has reduced a subset, but it is far from an absolute cure-all. The folks most likely to trust a public access point are also the people most likely to ignore a certificate error for example. WPA2-PSK was designed to be used in a trusted environment (i.e. a home network). It was not designed where strangers would share the same network - as it is done in every coffee shop, conference, etc. Off the bat, the moment you are on a shared network, you expose your device to scanning and attack. Moreover, you cannot know whether you have connected to a real access point or an attacker's laptop - unless you are talking certain WPA2-Enterprise options, there is no mutual authentication. Even when seeming to use HTTPS, there can be plenty of non-HTTPS packets/data that will leak. Further HTTPS is not like a VPN encrypting all network traffic. It just handles a specific browser-to-server subset. Yes, on one hand things are better, but on the other, WiFi is so much more prevalent today - we have WiFi enabled diapers for cripes sake - that the overall vulnerability of the average wireless user has only increased.

  31. A problem by Anonymous Coward · · Score: 0

    I used to travel 9 months out of the year and stayed in motels continuously. I remember many times when first connecting to motel wifi system, a message would popup saying that I needed to install some software to use it. I was always suspicious of that and never did. Just after canceling the requirement request, I would be connected to the wifi system anyway. This fake software install requirement ended up being a worm that had been installed on many motel wifi computers.