pineapple has entered the chat
You can’t even depend on enterprise-looking devices because networking is hard and they’ve never heard of client isolation.
You could do a lot of stuff to mitigate risk, but man, unless I know who configured the thing I’d avoid it.
You might be at a McDonald’s and just see a mom and her kids and think well it’s probably fine but you don’t realize the guy 3 blocks away with a Pringles cantenna pointed at you creating his story for the next dark diaries podcast episode.
HTTPS and other encrypted protocols are a decent measure, but they will by no means guarantee your security in an untrusted network by themselves, since an attacker can still steal metadata, among other things, if you use their malicious wifi. You also have to be careful that the wifi connection does not try to guide you to the wrong/spoofed websites (scams etc.).
The safer method would be to VPN to your home FW, i.e. Cisco AnyConnect, RDP to your home machine and use that to do banking etc.
Public wifi might not have isolation on, so all the clients can talk to each other. Plenty of other things you can do to computers while you’re on the same network.
Do not use public Wi-Fi for sensitive information. If you must, use a good VPN. I run an offensive security team and we pull stuff from Wi-Fi all the time. Most standards will encrypt every packet with the PSK, pretty much, so anyone that has access to the network has the decryption key. They won’t be able to break other protocol encryptions such as HTTPS, SSH or VPN easily, but it still isn’t safe.
I treat ANY wifi not owned by me or my company as hostile
Security Engineer here - No network is inherently “safe” or “secure”. Anybody is capable of sniffing packets in plaintext on any unsecured wifi network and you should always assume someone is watching. You simply connect to it and you trust it inherently or you do not, based on policies you’re aware of or not. If you didn’t configure it, definitely do not fully trust it. Everything you do on any network is logged somewhere (router logs, DNS logs, etc). If you DID configure it, and you know what you’re doing, it is more “safe”, arguably. If you’re sketched out by any form of connectivity, use a VPN for added security and privacy. If you are unable to use a VPN, do not connect to it, and definitely do not attempt to access sensitive information like bank accounts or work resources on that network. No wifi security = everything you do is unencrypted = I can literally see the data on the wire in plain English, and you should assume someone else can as well.
It’s possible. Unlikely, especially on a secure wifi network, but still possible for a patient attacker.
Depends on how proficient you are with security and networking. Giving a blanket statement won’t do anyone any good.
Feel like this is an obvious question, but what are your thoughts on services like xfinity hotspots? Seems way too easy to mimic, but I’m surprised Comcast would open itself up to such a huge liability without something in place (other than legal disclaimers)
Inherently, no. So if you’re doing dumb shit or if you’re doing important shit, don’t do it on public wifi. There are countermeasures. But generally just don’t.
I mean…anyone can broadcast an open signal and people will connect because “Oh we are here and they have wifi!”
Use a full tunnel VPN to encrypt (and hopefully protect) your traffic. It’s like a condom for your tech, offers protection but there’s no guarantee
When you say “public wifi” do you mean the one from the cafe you’re in or the one from the chap at the next table to you with the SSID as the cafe you’re in?
Generally safe, but there are some threats (more likely if you are a juicy target rather than random Bob visiting Starbucks with family):
- accessing apps not using HSTS
- lack of host isolation
- poisoned DNS records for creds phishing. And you would not necessarily get a browser warning here if the attacker prepared it in advance (registering a domain similar to microsoft/fb or whatever, hosting it as a login screen and pointing DNS records there)
- advanced TLS attacks like Lucky13 on CBC ciphers with TLS 1.2 (or lower); these ciphers are extremely common everywhere (complex attack, requires a LOT of data to be captured by the attacker in order to obtain plaintext)
- if you tend to ignore browser warnings, then of course simple ARP poisoning might end up as a big issue.
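The first bullet above (apps not using HSTS) is the one a defender can audit for themselves before relying on a site from an untrusted network. The script below is an added example, not code from anyone in this thread; it models how a browser decides whether a `Strict-Transport-Security` header will keep future visits on HTTPS (following RFC 6797: the header is only honoured over HTTPS, only the first header field counts, `max-age` is mandatory, a duplicated directive invalidates the header, and `max-age=0` clears any stored policy). The response headers are constructed inline so it runs offline; the hostnames are placeholders.

```python
"""Added example: classify whether a site's HSTS policy keeps a browser on HTTPS.

A site without a valid policy leaves the first http:// request for it
unprotected on a hostile network, which is the risk the comment refers to.
"""
import re
from dataclasses import dataclass

# max-age=<delta-seconds>, case-insensitive directive name
MAX_AGE_RE = re.compile(r"^max-age=(\d+)$", re.IGNORECASE)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns an HstsPolicy, or None when the header is invalid (no max-age,
    or a directive given more than once). Unknown directives are ignored,
    which is what RFC 6797 requires of user agents.
    """
    max_age = None
    include_subdomains = False
    seen_include = False
    for directive in header_value.split(";"):
        d = directive.strip()
        if not d:
            continue
        m = MAX_AGE_RE.match(d)
        if m:
            if max_age is not None:
                return None  # duplicate max-age: whole header is invalid
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            if seen_include:
                return None  # duplicate includeSubDomains: invalid
            seen_include = True
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def hsts_status(scheme, headers):
    """Return 'pinned', 'cleared' or 'unprotected' for one response.

    scheme  -- 'http' or 'https', the scheme the response arrived over
    headers -- list of (name, value) pairs as received
    """
    if scheme != "https":
        return "unprotected"  # browsers ignore HSTS delivered over plain HTTP
    value = None
    for name, val in headers:
        if name.lower() == "strict-transport-security":
            value = val  # only the first STS field is processed
            break
    if value is None:
        return "unprotected"
    policy = parse_hsts(value)
    if policy is None:
        return "unprotected"
    if policy.max_age == 0:
        return "cleared"
    return "pinned"


# Constructed sample responses (placeholder hostnames), not real captures.
SAMPLE_RESPONSES = {
    "bank.example": ("https", [("Content-Type", "text/html"),
                               ("Strict-Transport-Security",
                                "max-age=31536000; includeSubDomains")]),
    "shop.example": ("https", [("Content-Type", "text/html")]),
    "blog.example": ("http", [("Strict-Transport-Security", "max-age=300")]),
    "old.example": ("https", [("strict-transport-security", "max-age=0")]),
}


def audit(responses):
    """Map each host to its HSTS status; 'unprotected' hosts are the ones to worry about."""
    return {host: hsts_status(scheme, hdrs) for host, (scheme, hdrs) in responses.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_RESPONSES).items():
        print(f"{host:15} {status}")
```

Only `bank.example` comes out as `pinned`; `blog.example` sent the header over plain HTTP, so a browser would discard it, and a site that never sends the header at all is exactly the case the bullet warns about.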
Assume you are being datamined, especially if it’s a large corp providing the wifi. If you can’t tether to your phone, then VPN.
You have to use a VPN; they can still decrypt your SSL.
Connecting to any untrusted network has the potential to be unsafe. TLS and VPNs aren’t panaceas to all the issues of connecting to an untrusted network despite what a lot of commenters are saying. Do you trust the DNS servers being assigned by DHCP? With that said it’s unlikely that you are going to get hacked by connecting to a public Wi-Fi in most situations.