Public VPN Security. I agree and I don't.....

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

Status
Not open for further replies.
Lob

Lob

What could possibly go wrong?
Nov 7, 2020
162
45
The latest SN (Episode #891 | 04 Oct 2022) has a mention of some assessment of what a "public" Wifi network could present as a risk to someone using it.

Given the prevalence of TLS connectivity, I do agree that a random, boring nobody like you or me is unlikely to be at risk of some attacker observing our mundane lives on the Internet. TLS is everyone's friend. Besides that, 99.8% of people don't care - especially if they are roaming and free networks are their friends.

I think the poisoned Wifi as you might see at Defcon or Black Hat are the interesting scenarios; it's the provisioning of a Wifi network somewhere for free where you might get people using it to your advantage would be something to think about. It could be that an attacker elsewhere in the world compromises some public Wifi, poisons DNS and bring their own EvilProxy to hook credentials to use is something to consider a real-world scenario.

I don't use a VPN when I am abroad but then again, I don't go banking. I think that's my Crown Jewel and to be protected. Would you log into your bank on some random Wifi?
 
C

Clev

Member
Sep 30, 2020
7
0
ARP poisoning is still a thing. TLS is fine as long as the response to a certificate error isn't "yeah, yeah, whatever, just continue."
 
M

Mervyn Haynes

Swerv
Sep 17, 2020
207
59
65
London UK
Clev said:
ARP poisoning is still a thing. TLS is fine as long as the response to a certificate error isn't "yeah, yeah, whatever, just continue."
Click to expand...
Yeah right. Surly if you have a HTTPS connection to your bank you would be OK wouldn't you? I used to tell my wife, if you long on to online banking, and the process is not exactly the same as at home (ie asking to excepting a new cert) do not continue. This was back in the day when HTTPS was not so widely used.
 
P

PHolder

Well-known member
Sep 16, 2020
1,027
2
456
Ontario, Canada
If more and more public WiFi hotspots would use WPA3, even with a well published password, then the risks should continue to go down. I presume, if you buy the proper equipment for this (and not just re-purpose a consumer router) then it will put everyone on their own mini network all by themselves.

The issue is that the devices (mobile phones mostly) need to be made smarter and have the option to not automagically connect to an SSID just because it looks like it was one it saw before. It should be memorizing the hotspot MAC too to make sure they SSID and the MAC properly correlate. I don't think it is easy to get both pieces of info unless the attacker is following you to your home, and if that is happening, you've got bigger problems to worry about.
 
Status
Not open for further replies.

Similar threads

rfrazier
  • Locked
SN #790, Misc., Why People Don't Update, Upgrade, and Patch
Replies
18
Views
1K
Security Now Podcast
AlanD
A
S
  • Locked
Current and Future Router Support for IoT Devices and Security
Replies
1
Views
589
Security Now Podcast
blaq
blaq
Cozmo
  • Locked
I have to admit...
Replies
0
Views
506
Security Now Podcast
Cozmo
Cozmo
Lob
  • Locked
The old "SMS is dead, don't use it" thread
Replies
14
Views
2K
Security Now Podcast
danlock
danlock
D
  • Locked
I loved the B17 UI analogy.
Replies
0
Views
216
Security Now Podcast
Duckpaddle
D
Top Bottom