Slashdot Mirror
Using Airport and Hotel Wi-Fi Is Much Safer Than It Used To Be (wired.com)
As you travel this holiday season, bouncing from airport to airplane to hotel, you'll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it. Wired: This advice comes with plenty of qualifiers. If you're planning to commit crimes online at the Holiday Inn Express, or to visit websites that you'd rather people not know you frequented, you need to take precautionary steps that we'll get to in a minute. Likewise, if you're a high-value target of a sophisticated nation state, stay off of public Wi-Fi at all costs. But for the rest of us? You're probably OK. That's not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.
"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principle researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel." In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off. All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.
"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principle researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel." In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off. All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.
It comes with laptop maintenance, even if you don't ask for it.
-- Tigger warning: This post may contain tiggers! --
Still don't trust public WiFi no matter how good the security of websites have become. And why should I trust it? There's no reason to. I can either tether to my phone or use the hotel WiFi. Cost to me is about the same. I'll use my phone unless I am in a foreign country and the WiFi is faster than my cellular data. But no matter where I am I always VPN to a "secure network" and use remote desktop to surf the web on a machine on that "trusted network." There's no need to trust someone else's network. Though once it leaves my LAN it ends up in an untrusted network regardless.
HTTPS does two things
You actually forgot a third valuable thing: content integrity. HTTPS makes sure a man in the middle cannot push a malware inside your recipe pages.
And that is not a James Bond scenario. I have seen a Windows malware running on a PC and infecting the HTTP stream that passes within its reach.
Done correctly, it should not be necessary to trust intermediate third parties, in order to have a secure connection. Who knows who is carrying your packets between here and Romania! Who even knows if your packets are going through Romania, on their way to Texas! This is the nature of the internet.
Make it possible to establish a secure connection between two parties, and it doesn't matter whether you are using Joe Shmo's cell phone hotspot with an SSID of Denver International WiFi.
Last time I was at a conference center, the DNS request is what blocked your address and forced you to go off to the captive portal. Those of us who had IPs memorized (or a hosts file entry) could connect and SSH/VPN in direct, and once connected get DNS over the VPN/SSH tunnel.
This of course made the PHBs jealous in the planning meetings (we were setting up to host a large educational conference) so this lowly geek who was wondering why he was even being sent to these meetings suggested "hey, we're about to write this place a check for how many hundreds of thousands of dollars and they want us to pay $20 each for WiFi while we plan this?" Amazing what a provost and college president can do for connections at conference centers... didn't know they had it in 'em.
Don't blame me, I voted for Kodos