WiFi confusion
#35784 08/26/15 11:11 PM
grelber (OP)
Conflicting notions regarding WiFi security ...
• If one has enabled a firewall and prohibited file sharing, security should be 100%.
• General caution never to conduct sensitive Internet actions (such as financial transactions) when using public WiFi (such as in Internet cafés and libraries).

So, which is it? Or does the question require further definition to arrive at a consistent answer?
It'd be nice to know the specific/exact parameters for securely using public WiFi without having to worry.

Re: WiFi confusion
grelber #35785 08/26/15 11:45 PM
These two pieces of advice are actually addressing two different security concerns.

Enabling a firewall and disabling file sharing secures you against intrusion attempts where a person (or, more likely, a worm) on the Internet attempts to gain access to your computer--for example, to infect it with self-replicating malware.

When you connect to WiFi, your information can be intercepted as it travels from your computer to the WiFi router or access point--WiFi is radio, so anyone with a WiFi-equipped computer can "listen in" to what's going on over the air. Connecting to a WiFi access point that requires a password encrypts the information as it is broadcast, meaning they can't see what you're sending and receiving, but if the WiFi access point itself is compromised, that encryption can be defeated. Presumably you have access to your own WiFi router and nobody else can tamper with it, but you can't (necessarily) say the same of a WiFi router in a public place.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: WiFi confusion
tacit #35787 08/27/15 07:23 AM
grelber (OP)
Merci.

So, given the potential for security compromise, why would anyone use a public WiFi Internet connection at any time? And yet they do, all the time.

I think I'd be way too paranoid to attempt it at all. Consequently it's only a desktop computer for me.

Re: WiFi confusion
grelber #35789 08/27/15 08:06 AM
I bought a smartphone because I wanted Google Maps in my hand. Using wi-fi for maps is not too sensitive. But I would never put a banking app on my smartphone, or banking details in any form.

Haven't yet investigated Ashley Madison or Tinder.


iMac (19,1, 3.1 GHz i5, 12.7.4, 40 Gb RAM); MacBook Air (1.8 Ghz, 8 Gb RAM, 10.14.6, 256 Gb SSD) Vodafone router and Devolo Wi-Fi Extender, Canon TS8351 printer/scanner.
Re: WiFi confusion
grelber #35792 08/27/15 12:48 PM
Originally Posted By: grelber
• General caution never to conduct sensitive Internet actions (such as financial transactions) when using public WiFi (such as in Internet cafés and libraries).

So, which is it? Or does the question require further definition to arrive at a consistent answer?
It'd be nice to know the specific/exact parameters for securely using public WiFi without having to worry.


Traffic can ALWAYS be intercepted by someone with access to your internet connection. This includes anyone using the same unsecured wireless access point, as well as the person running ANY (public or password secured) access point, since they have access to the physical network the wifi is connected to. There is hardware specifically designed to intercept and collect data from a local area network. Your/their ISP also has the same access. Once it gets upstream a level or two it gets difficult for someone because traffic is only traveling on specific routes and a lot of packets are flying around. It's at that point where the NSA's little closets inside the big ISP and telecom switch centers can still siphon your data, but that's about the only ones.

HTTPS was created to address this problem, and provides end-to-end encryption. I'd hope ALL banks, and now a growing number of other web sites, use this. Google is encouraging it by lowering search rankings of sites that don't use HTTPS. (This is rare for Google; they don't normally give any hints as to their search ranking.) So you should be safe to access your bank as long as it's using HTTPS.

HTTPS is a fairly well-thought-out system, and has robust security features to prevent abuse. When you connect to an HTTPS site for the first time, your browser downloads the certificate that will be used to secure the connection. This certificate must be digitally signed by one of the anchors in the system keychain on your computer. (Google "chain of trust" for more information on this process.) This certificate is then kept on your computer. This is important so that next time you connect to your bank, it doesn't download it again, it uses the one it has. If this changes, you WILL be notified that the certificate has been changed; this is to prevent someone from modifying traffic and swapping certs on you. For this reason, you really need to have connected to your bank before on the device in a secure way, before using a public wifi. Technically they might be able to jack into your traffic otherwise.

(others feel free to hop in and correct me if I'm wrong with something, this is a complex topic and while I'm well-educated on the topic, I'm NOT a "security expert")


I work for the Department of Redundancy Department
Re: WiFi confusion
Virtual1 #35794 08/27/15 01:29 PM
HTTPS will protect you from other people using the same WiFi access point, but won't protect you from the person who owns the WiFi access point. Some WiFi providers have been caught installing bogus security certificates in their access points and decrypting HTTPS traffic on the fly.

For example, Gogo Inflight does this. They provide WiFi in airplanes. The Gogo access points have fake security certificates for *.google.com and other popular sites, and decrypt HTTPS traffic when you connect to those sites--ostensibly in order to block access to heavy data using functions such as embedded movies, but also to facilitate handing information to law enforcement.

Gogo Wi-Fi Is Using Man-in-the-Middle Malware Tactics


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: WiFi confusion
tacit #35796 08/27/15 04:10 PM
How does using a VPN on an open wifi network factor in to all of this?


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: WiFi confusion
Ira L #35797 08/27/15 04:53 PM
VPN adds additional layers of encryption and security — provided all nodes are using VPN — but it does not lend itself well to a broadcast type environment. The Wikipedia article on VPN is a good introduction to the basic concepts.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: WiFi confusion
tacit #35798 08/27/15 06:28 PM
Originally Posted By: tacit
HTTPS will protect you from other people using the same WiFi access point, but won't protect you from the person who owns the WiFi access point. Some WiFi providers have been caught installing bogus security certificates in their access points and decrypting HTTPS traffic on the fly.

For example, Gogo Inflight does this. They provide WiFi in airplanes. The Gogo access points have fake security certificates for *.google.com and other popular sites, and decrypt HTTPS traffic when you connect to those sites--ostensibly in order to block access to heavy data using functions such as embedded movies, but also to facilitate handing information to law enforcement.

Gogo Wi-Fi Is Using Man-in-the-Middle Malware Tactics


How can this work for google.com if you already have google's certificate on your computer?

Moreover, how did they get a cert for that domain? Did they hack someone's root certificate, or did they buy it from someone that doesn't care or ?


I work for the Department of Redundancy Department
Re: WiFi confusion
Virtual1 #35879 09/05/15 01:40 AM
In Gogo's case, they created their own *.google.com certificate. A self-signed certificate will cause a red "x" to display in a browser's address bar next to the URL, but I reckon the vast majority of Web users don't pay attention to that.

The same thing can be done by anyone with access to a WiFi router's upstream. By providing their own self-signed certificates, they can eavesdrop on any HTTPS connection. Most browsers will indicate some sort of warning, but I bet the majority of users don't understand what that means.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: WiFi confusion
tacit #35881 09/05/15 03:04 PM
Interesting. Does this red "x" appear in Safari's address bar, which by default, only shows the abbreviated URL (unless you click on the address)?


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: WiFi confusion
Ira L #35920 09/08/15 03:49 PM
I think I would prefer a gaudy popup to appear instead of a red x. A popup like the one that you get in mail when adding an imap with an untrusted cert. trust it. yes. yes. password please.


I work for the Department of Redundancy Department
Re: WiFi confusion
Virtual1 #35922 09/08/15 04:28 PM
Originally Posted By: Virtual1
I think I would prefer a gaudy popup to appear instead of a red x. A popup like the one that you get in mail when adding an imap with an untrusted cert. trust it. yes. yes. password please.

If not a password, at least an acknowledgement of the risk. (I have a long and complex password that is a royal pain to type in.)


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: WiFi confusion
joemikeb #35929 09/09/15 11:49 AM
Originally Posted By: joemikeb
Originally Posted By: Virtual1
I think I would prefer a gaudy popup to appear instead of a red x. A popup like the one that you get in mail when adding an imap with an untrusted cert. trust it. yes. yes. password please.

If not a password, at least an acknowledgement of the risk. (I have a long and complex password that is a royal pain to type in.)

And that is precisely why it should ask for your password! It is adding an entry to your keychain for a permanent security override. It really ought to be asking for an undeniable confirmation and a password to make such a change in the behavior of the security on your computer. People "pencil-whipping" security confirmation dialogues is what's been plaguing Windows for years.


I work for the Department of Redundancy Department
Re: WiFi confusion
Virtual1 #35939 09/10/15 02:53 AM
Internet Explorer (used to) do a gaudy pop-up when something was wrong with a secure connection. Problem is, it can fool people into thinking they're being hacked when they weren't.

The red X might mean any of a number of problems, some of which aren't actually security risks. It could, for instance, mean that a picture is being loaded over HTTP instead of HTTPS, even though the rest of the page is HTTPS. The gaudy popup tended to make a lot of people panic, and apparently when people panic over Internet thingies they call Microsoft for help.

What would be better is a more granular display of the problem. "Hey, this security certificate is invalid!" is a way, way bigger problem than "hey, this picture is not being loaded over a secure channel."

Alas, having more granularity only works if people understand network security, can comprehend the messages, and can react appropriately. That might be asking a lot.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: WiFi confusion
tacit #35943 09/10/15 12:32 PM
Originally Posted By: tacit
Alas, having more granularity only works if people understand network security, can comprehend the messages, and can react appropriately. That might be asking a lot.

Three words to never forget, common sense isn't.


I work for the Department of Redundancy Department
Re: WiFi confusion
grelber #37547 12/02/15 11:49 PM
grelber (OP)
OK, back to WiFi security ... if that's not an oxymoron:

The municipality is going to be offering free WiFi for all (presumably non-passworded). It is presumably being offered in first measure to allow for more widespread use of and access to municipal services.

Is there any way of utilizing this service in a secure manner, so that sensitive Internet interactions (eg, email, financial contacts and the like) can be made?
Or is this whole thing a risky proposition which should be avoided?

Tacit's comments above (Post #35785) would seem to indicate that the answer would be a resounding "No!"

Re: WiFi confusion
grelber #37551 12/03/15 01:12 AM
If the WiFi access points are secure, then using HTTPS will give you a reasonable shot at security (unless you're using a Dell computer, as it turns out[1]).

If someone compromises one of those WiFi access points, kiss any data security goodbye.

[1] Dell recently shipped a whole series of computers with a trusted security certificate designed to make their tech support connections secure. Unfortunately, they bungled it and also included Dell's private key, meaning anyone who wants can use that private key to sign software or decrypt and encrypt communications and Dell computers will accept the newly-signed or newly-encrypted information without a fuss. This is one of the stupidest security blunders I've seen in a donkey's age.

http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: WiFi confusion
tacit #37554 12/03/15 08:20 AM
grelber (OP)
Originally Posted By: tacit
If the WiFi access points are secure, then using HTTPS will give you a reasonable shot at security ... If someone compromises one of those WiFi access points, kiss any data security goodbye.

How can one determine if such access points are secure?
And how might one ascertain that no one is "listening in" on the municipality's end of things?

I'm also unclear as to what might constitute "access points". Are those the "boxes" stuck to walls, ceilings, poles, etc, all over the place? Or something else?

I don't worry all that much about my Internet access given my hard-wired (telephone line) access to my ISP. I would guess that there are only 2 "access points" involved: my computer and the ISP's server. But even so, if a website (eg, FTM) isn't protected via SSL (https), is there risk involved?

EDIT: I've been in touch with the municipal administrator who advises that the provider (a major player in the telephone/cable/satellite/Internet game — OK, if you must know, Shaw Communications), given that secure WiFi is an important part of their business plan, should be putting considerable effort into security. However, his contact there is away for a while, so closer info on this issue is at least a week away. I await the update with bated breath.

Aside: As much as I try to inform myself about the workings of IT world, I still have little comprehension of the ins and outs, the electronic "nuts and bolts" of same. But I have no desire or intention of going back to school to get a firm grounding in such — although the thought of becoming a hacker does have its charm.
And when I see myriads of smartphone and other users blithely using their devices, mostly unaware of privacy/security dangers, and unable or unwilling to do anything about it (other than to keen after the fact about having been compromised), I can understand why security problems loom large in the electronic world.

Last edited by grelber; 12/03/15 04:24 PM. Reason: Additional info
Re: WiFi confusion
grelber #37563 12/03/15 01:11 PM
Originally Posted By: grelber
How can one determine if such access points are secure?

In reality, wifi access points are about the same security as wired ethernet. The only difference is your data is exposed to more people with wifi than with ethernet. Using big-O notation, adding a fixed multiplier to any value doesn't actually increase the value, because it doesn't scale significantly with the problem (increasing n to 2n, compared to, say, an increase from n^2 to n^3). Sorry, bit of a math geek here.

So end-to-end encryption (https etc) is the most basic solution for data security. Privacy however is a lost cause unless you are using a vpn, since anyone that can see your traffic can tell where you are connecting to, even if they can't read the data. If you're using a vpn but are doing local DNS instead of all-traffic-over-vpn, again users that can see your traffic can see your DNS queries when you need to make them (which is not all the time) and see where you're interested in connecting to.

Let's compare it to something very disconnected, to give you a clearer perspective. Trash. You can learn a lot about someone from what they throw away. A LOT. But 99.9% of us don't secure our garbage. (incinerator) There's a fair percentage that have a shredder they use regularly for sensitive documents, (wild guess, 5%?) but for the most part we just bag it and throw it in the can. That's not all that different from the packets we send flying around on the internet. If someone has a serious interest in what you're doing, they could exploit this. Cops do it all the time, they don't even need a warrant to dig through your trash. (It's considered "abandoned" and isn't covered by any privacy laws once it's at your curb for pickup.) Let's say you have the option to "secure your garbage cans", so the garbage is under lock and key until it gets picked up by the trash man. Have you really gained much? It does slightly bother me in the back of my mind, that at some point in the future, landfills will be the subject of a lot of controversy. That handful of junk mail you threw in the can upstairs in your den identifies the contents of this week's bag of garbage, and everything in it. 25 years from now recycling companies are going to be digging out landfills for materials, and probably looking for side-business to increase their revenues. It may be plausible for what you throw away today to be a matter of public record or for sale, and that kinda freaks me out.

The reality is that today we don't have a lot of privacy, but as time goes on, things we thought were private won't even be private anymore. That encryption you're using on your vpn, or your browser is using in its https, if the NSA really is saving everything they can fit on city block areas of hard drives, the whole concept of "encryption good enough to be unbreakable for the next 10 years" won't matter anymore, because 10 years from now they can and will be breaking it, and reading your old mail. Go watch Enemy of the State for a sobering look at how powerful it is to be able to rewind time if you record everything so you can look through it later.

So really, worrying about the security of a public wireless access point is about as pointless as worrying about the security of your garbage can as it sits at the end of your driveway.

The only time it matters is when it's connecting computers to their own private LAN, where traffic is both trusted and privileged. When I throw something in the can here at the office, the night staff empty it and take it downstairs to get burned.


I work for the Department of Redundancy Department
Re: WiFi confusion
grelber #37860 12/16/15 03:56 PM
grelber (OP)
Originally Posted By: grelber
I've been in touch with the municipal administrator who advises that the provider (a major player in the telephone/cable/satellite/Internet game — OK, if you must know, Shaw Communications), given that secure WiFi is an important part of their business plan, should be putting considerable effort into security. However, his contact there is away for a while, so closer info on this issue is at least a week away. I await the update with bated breath.

Following is the WiFi provider's "assurance" of security/privacy. From my perspective it reeks of "We're doing pretty much nothing about protecting those who use our service."

Shaw Go WiFi is a public WiFi network offered as a complimentary value-adding service to our Internet customers and municipal guests. It is more robust and offers greater, carrier grade, speeds than most public WiFi but, like them, is still an open network.

We do monitor the network 7x24 for activity that seems inconsistent with typical usage patterns. We do explain our usage policies found in our Terms and Conditions under Section 10. Privacy and Security. For added security, we do not enable P2P (peer to peer) traffic.

We also actively encourage our users to ensure their devices are configured securely and that they practice safe habits when accessing the Internet such as:
• Accessing the Internet using a VPN (virtual private network), which effectively creates a 'private tunnel' that encrypts all of their data as it passes through the network.
• Using https web sites for secure or sensitive data transmissions
• Using their devices' data encryption features to protect their personal data
• Using reputable anti-malware programs, which include regular anti-virus updates, monitor Internet activity, and advise of threats
• Switching off Bluetooth connectivity when it is not in active use


Any thoughts on the matter?

