HTTPS Means You Should No Longer Be Afraid of Public Wi-Fi

Discussion in 'privacy technology' started by guest, Feb 2, 2020.

  1. guest

    guest Guest

    HTTPS Means You Should No Longer Be Afraid of Public Wi-Fi
    EFF explains why you can safely use public Wi-Fi
    February 1, 2020
    https://news.softpedia.com/news/htt...longer-be-afraid-of-public-wi-fi-529052.shtml
    EFF: Why Public Wi-Fi is a Lot Safer Than You Think
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,144
    Location:
    Member state of European Union
    I also think that. Updated OS + inbound firewall + authenticated&encrypted DNS service + HTTPS on the webpage and it should be fine for a lot of stuff.
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    I would never use public Wifi with just HTTPS....
    VPN or SSH tunnel is a must to make sure you are safe.

    Why? Because many sites still (even with things like free Let's Encrypt certificates) don't HTTPS their whole sites
    but only parts of them, worse some idiotic sites used to start connection to login pages in pure HTTP(!) and then
    switch to HTTPS (yeah, im looking at you yahoo...)

    Also, there has been well known HTTPS downgrade attack from 2009 that has been only recently been fixed by HTST....
    which still is not used by everyone....

    curl -s -I https://www.google.com | grep Strict-Transport-Security

    Gives you nothing!

    curl -s -I https://www.gmail.com | grep Strict-Transport-Security

    Gives you also nothing!

    Only by adding -L switch (follow redirection to the real target: https://www.google.com/gmail)

    curl -L -s -I https://www.gmail.com | grep Strict-Transport-Security
    Strict-Transport-Security: max-age=31536000; includeSubDomains

    At least facebook is okay....

    curl -s -I https://www.facebook.com | grep Strict-Transport-Security
    Strict-Transport-Security: max-age=15552000; preload

    Besides downgrade attacks, failures to use HTTPS everywhere there is also the very real possibility of MiTM attack
    by changing the certificates on the fly by modified Wifi-Router.

    Especially in dictator countries, in public airports, this is more than likely that the goverment have bunch of valid SSL certificates registered either directly to them or throught some shell-corporation. And your browser won't cry Wolf because often those dynamically on-the-fly changed certificates are trusted by the damn browser.

    It's really not any different what your anti-virus possibly is doing right now to inspect HTTPS connection but on larger scale of course ...

    For example, real NSA cert from one of my old posts...
    https://www.orwell1984.today/nsa_real_ssl_cert.png

    And this is how Avast changed it on-the-fly and browser was totally okay with it
    https://www.orwell1984.today/nsa_avast_spoofed_ssl_cert.png

    So for the love of god, don't trust only HTTPS when using public Wi-Fi....
     
    Last edited: Feb 2, 2020
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,144
    Location:
    Member state of European Union
    I don't see it that often nowadays. I think that intermediately-advanced users figured it out which sites from the pool of sites they use and log in do that dangerous thing. Actually I was using Yahoo e-mail account, but I always used Thunderbird (IMAP over TLS) on public Wifi networks, never Yahoo webmail.

    Firefox won't downgrade if you typed in* full URL including https prefix. It is important to include that https prefix to prevent MitM. Firefox is (or at least was) superior to Chrome in that regard.
    *By typed in I mean also copy&paste from password manager or using a bookmark.
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747

    https://news.netcraft.com/archives/...rvers-vulnerable-to-trivial-mitm-attacks.html

    EDIT: Few people type the protocol part.... Heck! Even I don't type it anymore and I have been using net since 1995....

    Point is:

    1) No one really explicitly type https

    2) Almost always, the HTTPS site first connection is unencrypted HTTP (usually by HTTP -> HTTPS redirection).
    And even if it isn't, the first connection is not using HSTS, only the connections after that...(*if* the site has configured HSTS ...)

    3) 2016 95% HTTPS site (according to that netcraft article) were not using HSTS .....
    and it's been standard since 2012 so adoption has been really sloooooooow....
     
    Last edited: Feb 2, 2020
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,144
    Location:
    Member state of European Union
    I wouldn't use my computer or smartphone nowhere near the border to log into anything important with or without VPN. It is advised to not use PC there at all, but checking weather or public transport to the hotel on freshly installed copy of OS is acceptable.

    Exactly what I said.

    I must admit I behave slightly differently online when using public Wifi networks, but I used them without VPN even for things like logging into my bank webpage. I know my bank webpage, I know bank have done good securing that web page. I always copy&paste URL to Firefox from password manager, after connecting check for sign of lock and check who issued their extended validation certificate. Not to mention bank uses 2FA.
     
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    None of those really matter if network owner can decrypt the SSL, inspect and modify the HTTP stream.Your extended validated green lock certificates can be manipulated, the DNS connections that you device makes can be manipulated easily within public Wifi (heck, it's their network after all that you are connecting and doing ARP spoofing is trivial...).

    The only thing protecting you is that 2FA.
    And VPN or SSH ;)
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,144
    Location:
    Member state of European Union
    Well, I type https on important websites such as my bank account.

    If you type domain without protocol part then yes, browser uses both unsecure http and secure https, but again I type protocol part on important sites. As I said by typing I also mean copy&pasting from password manager or using bookmark.


    Ev certificates may be manipulated on public Wifi as easily as on private Wifi or ethernet network in my home. I have file (which I memorized) with issuers of certificates for some sites important for me. Not every certificate manipulation would hide from my attention.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.