I’ve been facing this issue for some time because I always have to connect to public WiFi in hotels, Starbucks and airports to open some confidential apps such as bank accounts, password managers, etc., and I was wondering what other nomads do to protect themselves in this scenario?

  • eric0e@alien.topB · 10 months ago

    I have a VPN router at a family member home, so I get a residential IP address. I use a VPS as my backup VPN.

    I use KeepassXC for my password manager.

    I don’t like trusting someone else with my data security.

    • S1234567890S@alien.topB · 10 months ago

      That’s actually a safer and better idea. I am definitely using this at some point, thank you.

  • petrichorax@alien.topB · 10 months ago

    Cybersecurity guy here: You’re fine. It’s not a big deal, the danger is vastly overhyped to sell VPN services.

      • petrichorax@alien.topB · 10 months ago

        HTTPS, and that wouldn’t be a ‘fake wifi’ that’d just be a wifi AP that you own.

    • ThaDon@alien.topB · 10 months ago

      What you really need to be careful of: that your computer isn’t accessible via Finder (Mac) or Explorer (Windows) file shares. This is where someone could browse your computer’s files, grab personal docs and even grab cookies from your browser for hijacking your (banking) sessions.

    • Three-Off-The-Tee@alien.topB · 10 months ago

      Unless you are using WiFi that uses a captive portal with a forward proxy (re-minting HTTPS certs). This would be doing full packet inspection (clear text) of your traffic. Probably not happening, but just be careful, or just use your cell hotspot and avoid public WiFi altogether.

      • duplico@alien.topB · 10 months ago

        Did a YouTube VPN ad write this?

        Stop giving people bad advice. SSL/TLS MITM should not be a part of the average person’s threat model. It also has nothing at all to do with a captive portal.

        • Three-Off-The-Tee@alien.topB · 10 months ago

          Describe an average person’s “threat model”. In addition, what mitigations would you recommend for the “average” person who might bank abroad or log in to a corporate intranet?

          • PlexP4S@alien.topB · 10 months ago

            There is nothing that needs to be done. No one is getting any information out of you by visiting your bank account on public Wi-Fi, assuming your bank uses HTTPS, which it does. It’s not possible. You can’t sniff HTTPS traffic, which is why Chrome yells at you and doesn’t even let you visit some unsecured pages (like if their certificate is invalid). Frankly, the NSA could sniff your HTTPS traffic and they couldn’t do anything with it. It’s completely laughable.

          • duplico@alien.topB · 10 months ago

            I don’t know why you’d put “threat model” in scare quotes, but I’m going to engage in good faith with this question.

            The average person’s threat model should probably be focused on low effort, high volume attacks. I’d suggest that the top technical risk, for most people, almost to the exclusion of all others, is account compromise for spam/scam purposes due to either phishing or credential stuffing (typically from a third party breach). Next up is probably being scammed from others’ compromised accounts and being tricked into sending people money or gift cards or buying into their cryptocurrency scams. After that, there’s really such diminishing returns that I think in 2023 the one main security tool that the average user should be considering is a password manager.

            Now, maybe someone’s threat model includes something like “I’m working for a US company from South America and will be fired if they find out I’m outside the country.” That’s a legit personal threat, and a legit reason to consider using a personal VPN. Similarly, “corporate intranet requires me to use a corporate VPN to access it” isn’t really a threat so much as a security control on the company’s part, but nonetheless would obviously be a really good reason to use a corporate VPN. Wifi security doesn’t really have any impact on those one way or the other, though.

            But anyway, I guess we’re talking specifically about the risks of using public wifi. Okay. Let’s model the threats.

            There’s the potential for others on the network and the network operator to read your unencrypted traffic. These days, most sites are using HTTPS, so this is going to be limited to any sites that you access using plain HTTP, and potentially also your DNS queries. It’s unlikely that any sensitive site is still using plain HTTP, but if you do know that you regularly exchange sensitive data with a site that doesn’t support HTTPS then that could be a legitimate risk.

            Your DNS queries could leak the names of sites you’re visiting. So if you’re cheating on your wife and are paranoid that people on your network may be able to see that someone is going to ashleymadison or something, okay, that’s a risk. Or maybe you’re in a place where it could be a physical danger for someone in the same coffee shop as you to realize that, say, an employee of a multinational defense contractor is in the same room as them. Or maybe you’re going to queer news sites in a country where that’s either illegal or dangerously unaccepted. But unless you assess that you’re subject to those kinds of specific threats, there’s really not much risk there.

            Now, maybe someone can do some MITM and execute some kind of HTTPS to HTTP downgrade like sslstrip to sniff your sensitive traffic. This used to be much more of a real threat before the ubiquity of HTTPS and the proliferation of HSTS. Ideally we’d see more HSTS adoption and quicker rollout of HTTPS everywhere features on browsers, but these kinds of attacks are already very limited in their effectiveness. Additionally, UI updates to modern browsers now treat connections to HTTP sites as a warning, and at least Chrome now performs automatic HTTPS upgrades when available (though a MITM attacker could likely at least partially work around that). The risk here still isn’t zero, but it’s an attack with a low likelihood of working well in 2023. It’s also not widespread, and the way that most users navigate the web today isn’t really compatible with this attack either. It is true that the best preventive control to mitigate this risk is probably using a VPN, but the risk is small and mitigated by existing server side controls in most cases. It’s just not a likely attack for the average person to encounter, or to have sufficient impact on them for it to matter.

            Finally, what if the attacker or malicious network operator has the ability to sign certificates for the sites you visit that your browser will treat as valid? In that case, there are basically two possibilities. They could have installed their certificate on your computer, in which case a precondition of the attack is that they can change the configuration of your computer, which is pretty much game over anyway. Or, they have access to the private key for a signing certificate from a widely trusted CA that hasn’t wound up in their CRL yet, or a similarly catastrophic security incident. This would be big tech news and would pose a huge threat to secure communication, potentially Internet wide, and trigger a rapid urgent response from the CA and from all major browser and OS vendors once disclosed. They’re not burning that on you at the coffee shop.

            So, anyway, that’s a lot of text, but this is basically how I’d analyze the risks of open wifi networks offhand, though I’m sure others have done so better and more thoroughly. Regardless, I (and most other security professionals) view a personal VPN for security purposes as unnecessary at best and snake oil scam at worst for people with a typical threat profile.

            As to your second question, I think I covered corporate intranet services already. I’m not clear on what specific risks we’d be talking about mitigating for someone who banks abroad aside from those potentially associated with pretending to be in a location you’re not, but that risk has entirely to do with physically being in that location, not with being on open wifi.

            There are legitimate situations where personal VPNs could be necessary (region spoofing being a big one for lots of people in this sub), but the risks for average people on open wireless networks are almost entirely mitigated by HTTPS and related features on the web today. Also, at the risk of repeating myself, the single most important security technology most people can adopt is a password manager, so people with a typical risk profile should almost certainly allocate their time and money to a PW manager before even thinking about using it on a personal VPN.
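The downgrade discussion above (sslstrip versus HSTS) can be made concrete with a small model of a browser’s HSTS cache. This is an added illustration, not code from the thread; the host names and header values are constructed, and the cache is a simplification of RFC 6797 (no persistence, no mixed-content rules). It shows why a strip-to-HTTP attempt only succeeds against a host the browser has never seen over HTTPS, has an expired entry for, or that relies on a header that arrived over plain HTTP.

```python
import re
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal model of a browser's HSTS store (simplified RFC 6797 semantics)."""

    def __init__(self, preload=()):
        # Preloaded hosts behave like permanent includeSubDomains entries.
        self._entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe_header(self, host, header, over_https, now):
        """Record a Strict-Transport-Security header. Returns True if stored/cleared."""
        if not over_https:
            return False  # browsers ignore STS delivered over plain HTTP
        m = re.search(r"max-age\s*=\s*\"?(\d+)", header, re.I)
        if not m:
            return False  # max-age is mandatory; malformed header is dropped
        host = host.lower()
        max_age = int(m.group(1))
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 removes the host
            return True
        include_sub = re.search(r"includeSubDomains", header, re.I) is not None
        self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host (or an includeSubDomains ancestor) has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser will actually request for a typed/clicked URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def downgrade_attempt(cache, host, now):
    """An sslstrip-style MITM rewrote an https link to http. Does the plain
    request ever leave the browser? True means the downgrade succeeded."""
    return cache.navigate(f"http://{host}/login", now).startswith("http://")
```

The first visit is the trust-on-first-use gap; the preload list is what closes it for sites that opt in.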

      • petrichorax@alien.topB · 10 months ago

        It’s fine. Save your data. You don’t need to be this paranoid. HTTPS takes care of 99% of what people do on their computers in public spaces.

        People are fussing about the wrong things, when they should be fussing about other things.

        There have been basically zero reported cases of people’s bank accounts being stolen because they used the internet at Starbucks.

        There are millions from people falling victim to social engineering scams, and OSINT inference attacks.

    • hazzdawg@alien.topB · 10 months ago

      Content writing here. I’m guilty of overhyping the danger to sell VPN services. I always kinda assumed it was overblown but never really knew for sure or to what extent. Thanks for the confirmation.

      • thekwoka@alien.topB · 10 months ago

        I’m guilty of overhyping the danger to sell VPN services

        What I dislike the most is the “Your ISP can see everywhere you go and everything you do! protect yourself with our VPN!”

        But they forget the whole “And then WE can see everywhere you go and everything you do!”

    • meadowscaping@alien.topB · 10 months ago

      Also cyber security engineer - those threats are so overstated it’s hilarious. No one is hacking you at a Starbucks. HTTPS is more than sufficient for everything. Just practice basic cybersecurity like checking the URL before you type your password in. If you are going to get scammed on the internet, there’s a 99% chance it starts with an email or a text message (and it’ll be your own fault), not a hacker on Starbucks wifi.

      That said, I do have a WireGuard VPN I built on a Raspberry Pi. It cost like $30 total and will last for a decade. There’s no need at all for any VPN service like the ones they advertise on YouTube. They only make money by paying YouTubers to scare you into thinking your porn habits will be disclosed. That is not a reasonable fear; that’s not how internet security breaches work.

  • jewfit_@alien.topB · 10 months ago

    All the traffic between your phone and your, let’s say, bank app is encrypted anyway. It doesn’t matter. Only would matter if you were going to HTTP not HTTPS websites.

  • South-Beautiful-5135@alien.topB · 10 months ago

    VPN is just shifting the question “Do I trust the person who operates the WiFi” to “Do I trust the person who operates the VPN”. Therefore, it is mostly bullshit.

    And even then, most traffic is encrypted now anyways. So using a VPN is more like using two condoms.

  • ptmplop@alien.topB · 10 months ago

    I run my own DNS resolver and VPN some of my browser traffic using OpenVPN with a SOCKS backend.

  • richmoneymakin@alien.topB · 10 months ago

    I’m also curious about this question, as I’ve had some shit happen to one of my FB Ads accounts just after I connected to a public hotel WiFi.

    Because of this I’ve lost access to the account and with this, months of data from some Pixels.

  • TXDego@alien.topB · 10 months ago

    Can’t speak to mobile devices, but for a laptop, I recently started using this program, so I’m not an expert, but I have been impressed so far.

    Program is called Portmaster, you will have to Google it up.

    It basically shuts down everything and you have to manually open up what you want, but the interface is real easy/intuitive. Took me a bit to figure it all out, but once I did, I’m loving it now.

    Stumbled across it on a YouTuber that I like that does cyber security and he did a video on it. This will essentially lock down your laptop from anyone doing anything.

  • Drilez@alien.topB · 10 months ago

    I live in Asia and use a paid VPN to access streaming and other services that are geoblocked.

  • Slimer6@alien.topB · 10 months ago

    If you’re using websites with HTTPS (which you always are), there’s nothing to protect from. It’s secure over open networks.