Privacy on Public WiFi
Michael Butash
michael at butash.net
Mon Jun 10 10:02:06 MST 2019
I don't see much of an issue with using public wifi so long as you know
whatever you're doing that is important/sensitive is encrypted. I don't
use any public wifi any more than absolutely required, but otherwise almost
every *responsible* website or service uses tls for https traffic today
anyways, or as stated - you use a vpn to ensure no one locally at least is
sniffing your wifi session. If your websites or services aren't using
https, you shouldn't use them, as even a vpn has to egress to the regular
internet somewhere that has a government (or other) black box sniffing it
too.
I agree, it would be nice if there were a better method of getting public
users encrypted, but without some unique key exchange per user, or at the very
least a white-list method (remember the wps buttons that generated a weak
numerical pin?) to make strong, or at least random, it'll remain weak at
best, and probably eventually exploitable.
A hardware solution is a non-starter though. Where does a phone or tablet
have a usb slot to get on? Certainly whoever made it wouldn't support
linux, or a foss solution as it doesn't incentivise anyone to produce said
hardware. Hand out yubikeys, but client software and use is still
problematic even with u2f per os for something like wifi use.
If you did hardware, I'd imagine nfc-based for mobiles, make them come up
and swipe a token to get the pass of the day to get on, and it changes
every day. PCs, you just rotate a common key to give to customers every
day and print/display for users inside the establishment every day. Even
just use a one-time token generator with a numeric key held by
*someone(s)*. I've seen medical offices handling guest wifi by changing
keys daily for at least any guest ssid and just printing the daily guest
wifi inside reception, which keeps persistent users from access outside the
establishment doing probably nothing good.
This can be done with any enterprise-ish wifi solution that supports
Private-PSK functions, or many-to-one passwords for the same ssid.
Aerohive, Cisco, Juniper/Mist, Aruba, etc. all tend to do this, leveraging otp
generation via Duo, Google Authenticator, or other "app".
Even once encrypted, do you still trust the internet source though, that
their router isn't infected from running a 10yr old firmware? You
shouldn't, again vpn, or at least ensuring who you're accessing is using
tls, and you trust their cert.
Interestingly enough, being in Santa Monica CA on business, their public
library gets swarmed daily with homeless that really love their free public
wifi there (seems even homeless all have cell phones these days), that I
can only imagine the cesspool of devices there that could be
hijacked/man-in-the-middle'd easily on non-encrypted wifi. Even just build
a fake public access ap to mitm, then infect... Being that I'm there doing
work *for* the city, it's something I have mentioned to folks as a problem.
-mb
On Sun, Jun 9, 2019 at 9:13 PM trent shipley <trent.shipley at gmail.com> wrote:
> A while ago I was at the downtown Scottsdale public library with my
> computer. They had open, public WiFi--which I was NOT going to use. I
> tried to use my mobile phone data, but the reception inside the building
> was Terrible!
>
> It seems like the problem of insecure public WiFi should be surmountable.
>
> How hard would it be to develop technology that puts a key on a $1 or $2
> USB, that you buy (put a deposit on) at the reception desk (or from a
> machine). You also get a FOSS app. The app takes the key on the cheap
> USB and securely logs you into the library's (or Starbucks) public WiFi.
> The library determines how long the key(s) on the USB is (are) good for.
>
> When you're done, you turn the little USB in for your deposit. The
> library wipes the usb clean, puts another key on the usb, and vends it
> again.
>
> 1) Does this exist at "trivial" cost to the WiFi user?
> 2) If not, how feasible is it?
> 3) If it does not exist, and is feasible, who would be interested in this
> as a project with a goal of a demo install at a local library, non-profit
> coffee house, etc. and RFC?
>
> Trent
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
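The daily-rotated guest key described above (print today's key at reception, change it every day), as an added example that is not code from the original post or from any of the named vendors' PPSK products: each day's key is derived from a master secret with an HMAC over the SSID and the date, so staff never have to invent or store a list of passwords, and the check accepts yesterday's key for one day so sessions are not cut at midnight. The master secret, the SSID name and the one-day grace window are assumptions.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed master secret for this example only; a real deployment keeps it on
# the controller or whichever box prints the key, never on the guest network.
MASTER_SECRET = b"example-master-secret-replace-me"
GUEST_SSID = "Library-Guest"          # assumed SSID name
# Alphabet without 0/O and 1/l/I so the printed key survives a reception-desk printout.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KEY_LENGTH = 12                       # WPA2-PSK passphrases must be 8..63 ASCII chars
GRACE_DAYS = 1                        # yesterday's key still works across midnight


def derive_daily_psk(day_iso: str, ssid: str = GUEST_SSID, secret: bytes = MASTER_SECRET) -> str:
    """Derive the guest passphrase for one calendar day given as YYYY-MM-DD.

    The key is HMAC-SHA256(secret, ssid|date), so the desk only prints today's
    value, and knowing today's key reveals neither yesterday's nor tomorrow's
    without the master secret.
    """
    day = date.fromisoformat(day_iso)   # rejects malformed dates early
    msg = f"{ssid}|{day.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Treat the 256-bit digest as one integer and take base-len(ALPHABET) digits;
    # "byte % len(ALPHABET)" would bias the first symbols of the alphabet.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(KEY_LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def validate_psk(candidate: str, today_iso: str, ssid: str = GUEST_SSID,
                 secret: bytes = MASTER_SECRET, grace_days: int = GRACE_DAYS) -> bool:
    """Check a presented key against today's key and the previous grace_days keys."""
    today = date.fromisoformat(today_iso)
    ok = False
    for back in range(grace_days + 1):
        day_iso = (today - timedelta(days=back)).isoformat()
        expected = derive_daily_psk(day_iso, ssid, secret)
        # Constant-time compare, evaluated for every day so timing does not
        # reveal which day matched.
        ok |= hmac.compare_digest(candidate.encode(), expected.encode())
    return ok


if __name__ == "__main__":
    today = date.today().isoformat()
    print(f"Guest key for {GUEST_SSID} on {today}: {derive_daily_psk(today)}")
```

A shared daily key only keeps outsiders off the SSID; it does not isolate guests from one another, which is the per-user key exchange point raised above, and that is what the Private-PSK products provide by giving each user their own key.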