Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using Airport and Hotel Wi-Fi Is Much Safer Than It Used To Be (wired.com)

Posted by msmash on from the for-what-it-is-worth dept.

As you travel this holiday season, bouncing from airport to airplane to hotel, you'll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it. Wired: This advice comes with plenty of qualifiers. If you're planning to commit crimes online at the Holiday Inn Express, or to visit websites that you'd rather people not know you frequented, you need to take precautionary steps that we'll get to in a minute. Likewise, if you're a high-value target of a sophisticated nation state, stay off of public Wi-Fi at all costs. But for the rest of us? You're probably OK. That's not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principle researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel." In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off. All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.

26 of 60 comments (clear)

  1. I recommend the Chinese wifi by WillAffleckUW · · Score: 2

    It comes with laptop maintenance, even if you don't ask for it.

    --
    -- Tigger warning: This post may contain tiggers! --
  2. Missing details by sanf780 · · Score: 1

    How should I connect to motherless for my daily dose of bestiality?

  3. blank screen by AndyKron · · Score: 1

    Awesome. Wired is a blank screen when I click on it.

  4. Still don't trust it by jittles · · Score: 2

    Still don't trust public WiFi no matter how good the security of websites have become. And why should I trust it? There's no reason to. I can either tether to my phone or use the hotel WiFi. Cost to me is about the same. I'll use my phone unless I am in a foreign country and the WiFi is faster than my cellular data. But no matter where I am I always VPN to a "secure network" and use remote desktop to surf the web on a machine on that "trusted network." There's no need to trust someone else's network. Though once it leaves my LAN it ends up in an untrusted network regardless.

    1. Re:Still don't trust it by Darkk · · Score: 1

      Using your own personal VPN connected to your home network or rather "secure network" is a good idea. Why bother with remote desktop to another computer connected via VPN when you can set your VPN client to route ALL traffic to the VPN server?

    2. Re:Still don't trust it by jittles · · Score: 1

      Using your own personal VPN connected to your home network or rather "secure network" is a good idea. Why bother with remote desktop to another computer connected via VPN when you can set your VPN client to route ALL traffic to the VPN server?

      For a variety of reasons. My bank account websites do not allow me to connect with a new web browser without authenticating it. It also keeps the website history and other information off of the laptop in case it gets lost or stolen (assuming they can bypass disk encryption). Sometimes I just bring an iPad and this lets me use the desktop at home as a full fledged computer for the times when a mobile browser is not ideal. It really just depends on what I am doing and what I have with me.

    3. Re:Still don't trust it by brunes69 · · Score: 1

      What you say is true when in-country, but not when travelling. International data at LTE speeds is still expensive.

  5. Who cares? by nospam007 · · Score: 1

    People who care switch on their VPN if it's isn't already on by default and the other get spied on by even more people than usual.

    A VPN costs about 5$month for usually 5 machines concurrently (PCs, cellphones, tablets...)

    1. Re:Who cares? by will_die · · Score: 1

      The only problem with that is all those apps such as facebook, email, etc have already connected so they have sent your info, before you can get the VPN implemented.
      THe device connecting to the wifi would need to block all other traffic until the VPN is connected and there are very few things that do that.

  6. I disagree by OneHundredAndTen · · Score: 1

    It is very easy to set up a hotspot with a convincing name, that people will connect to. Do anything unencrypted in such a connection at your own peril.

  7. Surf with the security services by AHuxley · · Score: 1

    American and British Spy Agencies Targeted in-flight Mobile Phone Use (Dec 7 2016) https://theintercept.com/2016/... .
    Southwinds, Thieving Magpie and Homing Pigeon
    Canada had the wifi part covered.

    --
    Domestic spying is now "Benign Information Gathering"
  8. Re:Queue Some TechnoLuddite by fwad · · Score: 1

    If you site only has recipes then you don't need HTTPS!

    HTTPS does two things
      a) Identify the remote site
      b) Encrypt the traffic

    If you are browsing recipes you do not need your traffic encrypted
    If you are browsing recipes then you need to be paranoid to require that a third party believes the remote site is who they say they are.

    --
    -- Kernel Panic: Error reading /dev/caffeine
  9. Pass by nehumanuscrede · · Score: 1

    If I use a public WiFi, the very first thing I do is start a VPN connection up. ( My own server at home )

    If the WiFi disallows it, I disconnect.

    Easy.

    1. Re:Pass by KiloByte · · Score: 1

      If the WiFi disallows it, I disconnect.

      You may want to try iodine (tunnelling over DNS). Handles bogus WiFi pretty well.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Pass by i.r.id10t · · Score: 2

      Last time I was at a conference center, the DNS request is what blocked your address and forced you to go off to the captive portal. Those of us who had IPs memorized (or a hosts file entry) could connect and SSH/VPN in direct, and once connected get DNS over the VPN/SSH tunnel.

      This of course made the PHBs jealous in the planning meetings (we were setting up to host a large educational conference) so this lowly geek who was wondering why he was even being sent to these meetings suggested "hey, we're about to write this place a check for how many hundreds of thousands of dollars and they want us to pay $20 each for WiFi while we plan this?" Amazing what a provost and college president can do for connections at conference centers... didn't know they had it in 'em.

      --
      Don't blame me, I voted for Kodos
  10. It sure is! by SuperKendall · · Score: 1

    Of course in my case it's because I tether via phone instead of using airport or hotel WiFi.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. The advent of... by Trogre · · Score: 1

    So HTTPS is a new thing now?

    Seriously, 2000, you can stop now.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  12. Re:Queue Some TechnoLuddite by manu0601 · · Score: 4, Informative

    HTTPS does two things

    You actually forgot a third valuable thing: content integrity. HTTPS makes sure a man in the middle cannot push a malware inside your recipe pages.

    And that is not a James Bond scenario. I have seen a Windows malware running on a PC and infecting the HTTP stream that passes within its reach.

  13. Airport Hotel Wi-Fi much safer than it used to be? by najajomo · · Score: 1

    No it hasn't, if your “computer” can still be compromised by opening an email or clicking on a weblink.

  14. Re:Queue Some TechnoLuddite by swillden · · Score: 1

    HTTPS does three things
    a) Identify the remote site
    b) Encrypt the traffic
    c) Ensure the integrity of the traffic

    FTFY. And the item you forgot is just as important as (a), and generally more important than (b).

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  15. It was never a problem by gweihir · · Score: 1

    That is, given appropriate safety measures, like using secure shell or a VPN tunnel. You cannot and never could trust the network.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. This is how security SHOULD be implemented by Tony+Isaac · · Score: 2

    Done correctly, it should not be necessary to trust intermediate third parties, in order to have a secure connection. Who knows who is carrying your packets between here and Romania! Who even knows if your packets are going through Romania, on their way to Texas! This is the nature of the internet.

    Make it possible to establish a secure connection between two parties, and it doesn't matter whether you are using Joe Shmo's cell phone hotspot with an SSID of Denver International WiFi.

  17. Leaky by Bert64 · · Score: 1

    A lot of corporate laptops leak information when connected to other networks, they try to connect to various internal resources and in doing so disclose either the ip addresses or the dns names.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. Re:Queue Some TechnoLuddite by fwad · · Score: 1

    HTTPS does indeed authenticate the remote site via a chain a trust. This is why when you enter your banks address you can be confident that you really are talking to your bank and not a scam artist.

    --
    -- Kernel Panic: Error reading /dev/caffeine
  19. Re:Queue Some TechnoLuddite by fwad · · Score: 1

    In my head I was bundling this one up with a but I'll grant you this should be separate.

    However this doesn't get away from "it's a cooking recipe site FFS!". The evil plot by ninja hackers to insert too much salt into peoples cooking recipes and thereby kill off the entire western world will be exposed at last.

    I know people are going to talk about ads and tracking the cooking websites I go to so they can blackmail me of the chocolate browny recipes that I downloaded but this is just insane paranoia. Then the next group of people will say but how do I know that I'm getting the correct cookie recipe. Well I'm download a random recipe of the web written by someone I don't know from a website I just googled why should I trust this recipe at all HTTPS or not ? At the end of the day .. it's just a cookie recipe.

    --
    -- Kernel Panic: Error reading /dev/caffeine
  20. Not exactly by JoePete · · Score: 1

    I think the report misses the point. It's a bit like saying because more people are getting the flu shot these days, we don't need to wash our hands as much. The opportunity for attack over a public network has only increased. Sure HTTPS has reduced a subset, but it is far from an absolute cure-all. The folks most likely to trust a public access point are also the people most likely to ignore a certificate error for example. WPA2-PSK was designed to be used in a trusted environment (i.e. a home network). It was not designed where strangers would share the same the network - as it is done in every coffee shop, conference, etc. Off the bat, the moment you are on a shared network, you expose your device to scanning and attack. More you cannot know whether you have connected to a real access point or an attacker's laptop - unless you are talking certain WPA2-Enterprise options, there is no mutual authentication. Even when seeming to use HTTPS, there can be plenty of non-HTTPS packets/data that will leak. Further HTTPS is not like a VPN encrypting all network traffic. It just handles a specific browser-to-server subset. Yes, on one hand things are better, but on the other, WiFi is so much more prevalent today - we have WiFi enabled diapers for cripes sake - that the overall vulnerability of the average wireless user has only increased.