

Public Wifi Paranoia
December 23, 2009 10:20 PM   Subscribe

I need a list of things that are safe/not safe to do online in a public wifi environment.

I've recently found myself in a situation where I have a few hours to kill, several times weekly, in a town away from home. So far I've spent most of my free time hanging out in a coffee shop. They offer public wifi and I've been debating about bringing in my laptop, but I've never accessed public wifi before and I'm feeling a little paranoid.

So, talk to me like I'm a kindergartener. What kind of online things are safe (logging into Metafilter, email, etc.)? And what kinds of things are complete no-nos (shopping, checking bank balance, etc.) in this environment?
posted by amyms to Computers & Internet (35 answers total) 36 users marked this as a favorite
 
(shopping, checking bank balance, etc.) in this environment?

I don't see why these would be particularly unsafe as long as you're not accepting obviously bogus certificates, this should all be well-encrypted with SSL. Someone might bring up an exception to this rule but if you're going to be afraid of that, you might as well not bother, because you can be hacked a lot of ways no matter how you access the Internet.
posted by floam at 10:28 PM on December 23, 2009


...but if you're going to be afraid of that, you might as well not bother, because you can be hacked a lot of ways no matter how you access the Internet.

I guess I'm paranoid about the fact that whoever is offering the wifi connection might be able to see what's happening on their network (I don't even know if I'm using the right terminology here). For instance, if the coffee shop is managing the network, can their employees "see" what I'm doing (e.g. can they see me typing in my various passwords, etc.)?
posted by amyms at 10:38 PM on December 23, 2009


They can certainly watch what's going on, they can see every bit you send over the network. But if you're accessing a site over SSL, where you see a https:// in the address bar, you've got an encrypted tunnel between you and the destination server. All communication between you and the site you're connected to gets encrypted before it leaves your computer and decrypted once it reaches the other end. If the owner was watching what's going down the tubes through his equipment when you're using SSL, he'd only see scrambled gibberish that is mathematically not easy to unscramble.

That's the whole point to SSL and the little secure lock icon you see when you're connected to a secure server.

When I was referring to paranoid of further hacks, I was referring to the fact the coffee shop owner could possibly unscramble things if there was a very sophisticated hack set up to fake the certificate, or with some sort of proxy going on, but if you don't click any "accept" boxes when you get a warning from your browser it's hard for that to happen. It's not really worth worrying about.
posted by floam at 10:46 PM on December 23, 2009 [2 favorites]


Okay, that makes sense, floam, thanks. So, if I'm not on an https URL they could conceivably usurp my login info?
posted by amyms at 10:50 PM on December 23, 2009


And to go further, to explain what I was getting at in the first reply: the things you mentioned as not safe at the top are actually the things that are probably most safe, since they're going to be encrypted. It's just about impossible to find a bank or online store that doesn't use SSL.

The things that are actually less protected are things like your metafilter activity, or IMs, and that sort of thing, when you're not using SSL. But, that's probably not something you're going to worry too much about. Chances are your email is encrypted too, but that would depend on how you're accessing it.
posted by floam at 10:50 PM on December 23, 2009 [1 favorite]


Okay, that makes sense, floam, thanks. So, if I'm not on an https URL they could conceivably usurp my login info?

Yes. But do note that some websites use HTTPS for the login procedure, and not for the rest of things — that's what Metafilter does for example. You may notice that you see https up there when you're logging in, but not right now. They couldn't get your password, but they could watch you read metafilter and make comments.
posted by floam at 10:52 PM on December 23, 2009


amyms wrote: Okay, that makes sense, floam, thanks. So, if I'm not on an https URL they could conceivably usurp my login info?

That's true whether you're at a coffee shop or on your internet at home, too.
posted by maniactown at 10:53 PM on December 23, 2009


Okay. So, basically, they could "see" what I'm doing (if they were sophisticated and cared to do so) but it's generally not in the realm of something I need to worry about?
posted by amyms at 10:55 PM on December 23, 2009


That's true whether you're at a coffee shop or on your internet at home, too.

Yeah, but I think we trust AT&T or somebody just a little bit more than we do Guy That Has A Coffee shop. Plus with wifi the other coffee shop patrons could also be watching the traffic if they are clever enough.
posted by floam at 10:56 PM on December 23, 2009


Okay. So, basically, they could "see" what I'm doing (if they were sophisticated and cared to do so) but it's generally not in the realm of something I need to worry about?

I would probably agree with that, but it's a judgement only you could make, depending on how creepy the coffee shop people are and how sensitive the stuff you're up to is (and what fractions of it are covered by SSL).
posted by floam at 10:58 PM on December 23, 2009


Also it's not just Creepy Coffee Shop guy but anyone in the neighborhood right around there.

The main problem areas I would look at are: (1) POP/SMTP (old fashioned) e-mail, (2) IM, (3) FTP and Telnet, like for website maintenance, and (4) shared hard drives on your laptop you might have forgotten about. And it's not just logins that could be compromised... the actual content, if seen by others, might prove embarrassing or present privacy/identity theft issues.

Considering the widespread availability of sniffer programs like Ethereal, I think you are very smart to look for a little caution in your WiFi'ing. A few years ago I left Ethereal running on my laptop for an hour at a professional conference... holy cow, let's just say that kick-started me into being much more cautious on public hot spots.
posted by crapmatic at 11:02 PM on December 23, 2009 [1 favorite]


Okay. So, basically, they could "see" what I'm doing (if they were sophisticated and cared to do so) but it's generally not in the realm of something I need to worry about?


Yep. If you're dealing with sensitive information, make sure the site is using ssl (https). As always, make sure your computer is virus/spyware free. As a general rule, don't install anything special to use an internet connection.

Yeah, but I think we trust AT&T or somebody just a little bit more than we do Guy That Has A Coffee shop. Plus with wifi the other coffee shop patrons could also be watching the traffic if they are clever enough.

True enough, but internet packets are routed all over the place and there's nothing stopping somebody from logging plain-text data that passes through their router. Not something to stress about, but certainly just as possible from home as from a random hotspot.
posted by maniactown at 11:03 PM on December 23, 2009 [1 favorite]


I use public wifi all the time, and I do all the things you mention and more.

From time to time I've heard various people advise others not to do online banking from public wifi. I guess I can see why some people feel it necessary to give this advice, when aimed at a general audience rife with morons who are likely to click on any certificate warning that pops up. (So, general point being: don't be a moron and click through any certificate warnings unthinkingly. Read and understand things before you click and dismiss them. If you suddenly start seeing warnings that you've never seen before ... that's a red flag. Slow down, and if it's your bank, call their help line.) But I don't think it's really correct or justified.

Scaring people away from public wifi is silly. You should be cautious using just about any Internet connection. Even when you're plugged into broadband in your house, you (generally) have no idea where that traffic is going on the way to its destination, and who might be logging it along the way. You have to be smart when you're transmitting any sort of personally-identifying or financial information over the Internet, no matter where you're plugged in.

In general: Those are the things that I think get most people in trouble. (I'm setting aside the truly obvious: never use IE, keep your OS and browser updated, don't download and install anything you're not 100% sure of the provenance of.)

* In general, HTTPS = secure. It is possible, however, for an HTTPS page to contain unencrypted elements. (Google does this frequently on some sites, like Google Wave; they encrypt the text content but send some page elements, like images, unencrypted to save effort.) Most browsers will warn about this in some way. If you see this, it becomes a question of whether you trust the site's designers.
posted by Kadin2048 at 11:04 PM on December 23, 2009 [9 favorites]


Yeah, but I think we trust AT&T or somebody just a little bit more than we do Guy That Has A Coffee shop.

...it's a judgement only you could make, depending on how creepy the coffee shop people are and how sensitive the stuff you're up to is (and what fractions of it are covered by SSL).

Hmm, well, leaving aside the whole AT&T/NSA/spying on innocent people controversy, the woman who owns the coffee shop doesn't even know how to make a vanilla latte properly so I'm not so worried about her, but she has a couple of teen/college employees who seem like they'd know how to tap into patrons' business if they wanted to. But, I gather from the answers here that as long as I'm just doing my normal surfing (and making sure that login screens are on https URLs) I'm pretty much okay. *fingers crossed*
posted by amyms at 11:09 PM on December 23, 2009


It's really a pain in the ass to play the man-in-the-middle attack necessary to spoof the encryption on https sites. Doable, but a pain in the ass. And not really viable on more than about three or four models of consumer-grade (coffee shop-grade) wifi routers.

And if you've been to those encrypted sites before on that computer, your browser will tell you that the cert has changed if somebody's making that attack.

Let me put it this way: I'm a libertarian, conspiracy-suspicious programmer. And I don't modify my browsing habits one whit on public (privately-provided) wifi. Municipal wifi, however, I censor myself on.
posted by Netzapper at 11:34 PM on December 23, 2009


One thing to keep in mind, if you use Gmail, you can access everything over HTTPS, not just the logon.

Just go to "https://www.gmail.com" rather than "http://www.gmail.com" and gmail will stay in https mode the whole time.

You can also adjust encryption by a setting under settings/general/"Browser connection" and configure it to always or never use https, so you don't have to remember to type in https every time or use a different bookmark.
posted by delmoi at 11:42 PM on December 23, 2009 [1 favorite]


When you go to a SSL site, make sure that https:// is visible in the address bar even if you're navigating there through a bank site.

For example, DON'T type 'bank.com' into your address bar then click on 'secure login'. Type in the entire https://bank.com, or keep the https:// URL as a bookmark.

The reason for this is sslstrip, which will transparently change the https to http in the non-secure page you're served. It'll even replace out the favicon with a padlock - sure, it's in the wrong place, but that doesn't help if you're not paying attention.
posted by xiw at 11:46 PM on December 23, 2009
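
Added example, not part of the thread: a Python check covering two things described above, Kadin2048's HTTPS page that embeds unencrypted elements and xiw's page whose login has been downgraded from https to http. The `bank.example` pages are constructed samples and the class and function names are made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class TransportAudit(HTMLParser):
    """Collect page elements and password forms that would travel unencrypted."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self.insecure_resources = []  # http:// elements embedded in an https page
        self.insecure_logins = []     # targets that receive a password without https
        self._form_action = None      # resolved action of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            url = urljoin(self.page_url, a[FETCH_ATTRS[tag]])
            if self.page_is_https and urlparse(url).scheme == "http":
                self.insecure_resources.append(url)
        elif tag == "form":
            # An empty or missing action submits back to the page itself.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self._form_action or self.page_url
            if urlparse(target).scheme != "https":
                self.insecure_logins.append(target)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def audit(page_url, html):
    """Return (insecure_resources, insecure_logins) for one page."""
    parser = TransportAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure_resources, parser.insecure_logins

# Constructed sample: an https login page that pulls one image over plain http.
MIXED_URL = "https://bank.example/login"
MIXED_HTML = """
<html><body>
  <img src="http://static.bank.example/logo.png">
  <script src="/app.js"></script>
  <form action="/session" method="post">
    <input type="text" name="user"><input type="password" name="pw">
  </form>
</body></html>
"""

# Constructed sample: the same login as it looks after the https has been
# rewritten to http on a page served without encryption.
STRIPPED_URL = "http://bank.example/"
STRIPPED_HTML = """
<html><body>
  <form action="http://bank.example/session" method="post">
    <input type="text" name="user"><input type="password" name="pw">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((MIXED_URL, MIXED_HTML), (STRIPPED_URL, STRIPPED_HTML)):
        resources, logins = audit(url, html)
        print(url, "| unencrypted elements:", resources, "| exposed logins:", logins)
```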


And if you've been to those encrypted sites before on that computer, your browser will tell you that the cert has changed if somebody's making that attack.

Not true, you don't have to have any previous contact with the site in order for your browser to warn you that the imposter certificate either doesn't match the site's address or isn't signed by a trusted CA. SSL's trust management would be useless if it did not have this capability.

The only way to pull off a SSL MITM attack and not have the browser warn the user is to surreptitiously install your own CA into the user's browser's list of trusted certificate authorities, and then sign the imposter cert with that CA.
posted by Rhomboid at 12:57 AM on December 24, 2009


I used to think you were right, Rhomboid. But actually, SSL has been broken in such a way that a seamless MITM attack can be made if previous contact hasn't been made with the website. It still requires a sophisticated attacker running your traffic through a non-consumer router.

OP, you might want to read that whole thread. But also keep in mind, you could also get carjacked. Risk, and managing it, is part of living.
posted by Netzapper at 1:13 AM on December 24, 2009


There are some very well expressed answers to the original question already here.

To answer a question that wasn't asked but that might catch a less savvy reader: everything above applies to using your own computer. If you sit at a publicly accessible computer in a coffee shop, you should assume that every single key you press is being recorded by someone for nefarious purposes. Put another way, someone else's computer is completely untrustworthy.
posted by fydfyd at 1:23 AM on December 24, 2009


I think it's incorrect to say that SSL has been broken. It would be more correct to say that a weakness of MD5 was exploited. If browsers were to simply stop recognizing certs signed with the MD5 hash, then the vulnerability no longer exists. Developers of Chrome and Firefox ran the numbers shortly after news of the MD5 cert vulnerability became public and they estimated that the affected users of such a change would be a small minority, so I expect that they will make that change before too long if not already.
posted by Rhomboid at 1:48 AM on December 24, 2009 [1 favorite]


(Not to mention that it takes only a few seconds to bring up the certificate properties in the browser and verify that it's not a MD5 cert. Although admittedly this cannot be expected from the type of user that would ignore an invalid certificate warning, it is nonetheless easy to verify if you want to be paranoid.)
posted by Rhomboid at 1:52 AM on December 24, 2009
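
Added example, not part of the thread: the check Rhomboid describes doing by hand in the certificate properties, done in Python by reading the signature algorithm field out of a DER-encoded certificate. The sample input is a constructed skeleton with the right outer layout, not a real certificate, and the function names are made up for this illustration.

```python
# Well-known object identifiers for RSA certificate signature algorithms.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes into dotted form (first arc 0 or 1 assumed)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear marks the end of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Name the algorithm in Certificate.signatureAlgorithm, or return the raw OID."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert_der, start)        # tbsCertificate, skipped whole
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def is_md5_signed(cert_der):
    return signature_algorithm(cert_der) == "md5WithRSAEncryption"

# --- constructed test input below: a skeleton, not a real certificate ---
def der(tag, body):
    """Encode one DER element (used only to build the sample input)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def skeleton_cert(oid_body):
    tbs = der(0x30, b"\x00" * 300)                       # placeholder tbsCertificate
    alg = der(0x30, der(0x06, oid_body) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xaa" * 16)              # placeholder signature bits
    return der(0x30, tbs + alg + sig)

MD5_CERT = skeleton_cert(bytes.fromhex("2a864886f70d010104"))
SHA256_CERT = skeleton_cert(bytes.fromhex("2a864886f70d01010b"))

if __name__ == "__main__":
    for cert in (MD5_CERT, SHA256_CERT):
        print(signature_algorithm(cert), "-> MD5-signed:", is_md5_signed(cert))
```

For a live site, the bytes returned by `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` can be passed to `signature_algorithm` in place of the skeleton.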


It is absolutely incorrect to say that SSL has been broken. The MD5 vulnerability was in a small number of certs issued by a small number of vendors and is no longer relevant.

Source: The new MD5/SSL exploit is NOT the end of civilization as we know it
posted by zain at 1:57 AM on December 24, 2009 [3 favorites]


The main problem areas I would look at are: (1) POP/SMTP (old fashioned) e-mail

Webmail can be sent via ssl; my host has this setup, so not only my login, but every mail I read via the web interface, is ssl encrypted.
posted by orthogonality at 4:34 AM on December 24, 2009


If I'm using a vpn, is that safe?
posted by semacd at 5:44 AM on December 24, 2009


FWIW, I'd also be concerned about your local security. If you've set up password-free file sharing on your laptop, then anyone on the local coffeeshop's network can look into that directory and grab a copy of whatever they find. This isn't a terribly common issue, but sometimes folks set it up this way to make it easier to share info between their laptop and home desktop machines- if you did, simply turn it off before wandering onto a public LAN.
posted by jenkinsEar at 6:00 AM on December 24, 2009 [1 favorite]


You should only ever access your e-mail over a secure link, even if you don't think there is anything there that needs security. Remember that many web sites will allow you to change your password by sending the new one to you over e-mail, so an attacker can easily create some security-requiring goodies in your inbox without you knowing about it.
posted by grouse at 6:46 AM on December 24, 2009


you should assume that every single key you press is being recorded by someone for nefarious purposes

Yes, recorded. But we're talking millions of keystrokes passing through any given server -- is anybody actually going to the trouble to analyze this data? Is it even possible for random Bad Guy to translate a stream of keystrokes into useful information?
posted by Rash at 7:17 AM on December 24, 2009


semacd: It depends on the type of VPN and how it's configured. Most VPNs offer encryption on top of tunneling. Some only do tunneling. Additionally, your computer can be configured to send all of your traffic over the VPN, or only traffic destined for the network on the other side of the VPN.

So you've got four options:
1. Encrypted with all traffic routed = Safe
2. Encrypted with only some traffic routed = Safe for accessing resources on the other end of the VPN, not safe for general browsing
3. Not encrypted with all traffic routed = Unsafe
4. Not encrypted with some traffic routed = Unsafe
posted by odinsdream at 7:30 AM on December 24, 2009
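
Added example, not part of the thread: a Python check for the routing half of odinsdream's four options, deciding from a routing table whether all, some or none of your traffic leaves through the VPN interface. The route tables are constructed samples in a simplified Linux `ip route` layout, the interface names `tun0` and `wlan0` are assumptions, and whether the tunnel encrypts is a property of the VPN itself that this does not test.

```python
import ipaddress

def parse_routes(text):
    """Parse 'prefix [via gateway] dev interface' lines into (network, interface)."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        interface = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), interface))
    return routes

def egress(routes, destination):
    """Interface chosen for a destination: the most specific matching route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]

def tunnel_coverage(routes, tunnel, destinations):
    """Return 'all', 'some' or 'none' for how many destinations use the tunnel."""
    through = [egress(routes, d) == tunnel for d in destinations]
    if all(through):
        return "all"
    return "some" if any(through) else "none"

# Constructed sample: all traffic routed. The two /1 routes on tun0 are more
# specific than the wifi default route, so they take over everything except
# the host route that keeps the VPN server itself reachable over wifi.
FULL_TUNNEL = """
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
198.51.100.7 via 192.168.1.1 dev wlan0
"""

# Constructed sample: only some traffic routed. Just the office network
# 10.20.0.0/16 goes through tun0; general browsing still uses the hotspot.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
"""

# Two public addresses (general browsing) and one address on the far side of the VPN.
PROBES = ["8.8.8.8", "203.0.113.10", "10.20.5.9"]

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        routes = parse_routes(table)
        print(name, "->", tunnel_coverage(routes, "tun0", PROBES),
              {d: egress(routes, d) for d in PROBES})
```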


Yes, recorded. But we're talking millions of keystrokes passing through any given server -- is anybody actually going to the trouble to analyze this data? Is it even possible for random Bad Guy to translate a stream of keystrokes into useful information?

Yes. Absolutely. The next time you visit a coffeeshop bring Wireshark with you on your laptop. Load it up, scan for a little while, and pick a certain IP address that looks like it's doing a lot of traffic. Stop your capture, then restart the capture with a filter for only that IP address.

Look through the live capture and pick out a website that looks familiar to you, like Facebook or MySpace. Highlight one of these lines and then go to the menu for Reconstruct Conversation. It might be named something different in the new versions.

A window will pop up containing a properly reconstructed record of the entire conversation between that particular laptop in the coffeeshop and the remote website.

This is particularly fun with instant-messaging networks.
posted by odinsdream at 7:34 AM on December 24, 2009 [1 favorite]


There are some Personal VPN products that you may find useful.

Pay attention to https:// and the padlock icon.

Read up on certificates. If someone tries a man-in-the-middle attack, your browser will complain, but you have to recognize what it's trying to tell you. Don't use IE; it's still not secure enough. For sites where you must use IE, update it to 7 or later. Keep MS/Windows, Firefox, Java, Flash, etc., updated. Disable Filesharing, and don't make your laptop a wireless access point. Disable Windows Messenger. Severely limit the things that can run at boot. Read Bruce Schneier on security - interesting and practical.

Run anti-virus software, update it regularly, don't download random stuff, etc. Enable the Windows firewall.

Be cautious about who's paying attention to you. Passwords get hacked by people looking over shoulders. And get a laptop lock to fit the lock port. Lock it to the table or something unwieldy. You might get up to grab a napkin, and a thief will have your laptop in 10 seconds. Laptop locks are flimsy and crappy, but may buy you 30 seconds. A thief has to be prepared with a cutter for the cable, and most laptops get stolen because it's so incredibly easy.

The most important security rule is: Back Up Your Data.
posted by theora55 at 8:37 AM on December 24, 2009 [2 favorites]


You can get something like SwissVPN, which uses standards-compliant VPN that does not require any additional software, for $5/month if you are paranoid.
posted by thewalrus at 10:39 AM on December 24, 2009


Do you have a computer at home in addition to your laptop?

Install LogMeIn (http://logmein.com) on both machines, connect from your laptop while you're out, and do all the work on your home computer. Strong encryption, and nothing visible on the laptop end of the network.

(many other products do this as well, GoToMyPc, etc. You can even roll your own if you're technical enough).
posted by blue_beetle at 10:51 AM on December 24, 2009


Actually, there's a small reason to not trust public WiFi that I've not yet seen mentioned. When you connect to public wifi, your computer is given a set of information, including (but not limited to):
* an IP address
* a gateway IP to direct internet traffic to
* a DNS IP to direct DNS queries to

When you type bank.com into your browser, your computer first looks up bank.com in the DNS database. The DNS database you use is by default the one assigned by the wifi router. A fairly evil person could set up a public wifi hotspot and offer you a corrupt DNS database that directs bank.com traffic to their servers instead. There are also some tactics to defeat SSL when you control DNS, I'm not up to date on how that's been addressed. One way off the top of my head to mitigate this is to use a trustworthy DNS server like openDNS instead of whatever the wifi network offers. Another might be the widespread adoption of DNSSEC.

As far as I know, there are two general theories about wifi held by security experts. The first says that most security online is crap, and while banks and whatnot are required to be secure and have standards and audits to meet, these standards are always playing catch up to newer attacks, so one shouldn't trust such things to public wifi. They also point out that you're only as secure as your email access, given the massive dependence on email password recovery and account management. Banks only send you messages stating you have a message and don't allow online password management, but online retailers may not be as careful with your money.

The other theory says this overstates the actual risk of being snooped. If you're a start up executive for Twitter, maybe your gmail account is an attack vector. But from a rational economic action standpoint, you only need to be more secure than the target next to you. They point out that it takes a lot more effort to install an evil DNS spoofing router than to just snoop traffic, and that it's easier to detect than a silent listener.
posted by pwnguin at 11:32 AM on December 28, 2009


A fairly evil person could set up a public wifi hotspot and offer you a corrupt DNS database that directs bank.com traffic to their servers instead.

This is true. You can provide some protection against this by manually specifying a DNS server — Google Public DNS would be my recommendation — and forgoing use of whatever DNS server gets supplied by DHCP.

It's still possible for an attacker to intercept DNS requests bound for external servers and spoof them with their own, but this is a bit more complex than just setting up a resolver with a bad database and telling the access point to hand out that server's IP as the preferred DNS for the hotspot.

Not a perfect solution by a long shot (the real solution will come when secure DNS is implemented), but it will cut down on amateur honeypotting.
posted by Kadin2048 at 2:03 PM on December 28, 2009

