Another reason to distrust open WiFi
Foreword
I connected to a wireless open network in a very busy part of Tallinn just moments ago. Something unexpected happened that made me once again thank Tux I’m slightly paranoid.
As you undoubtedly should know, wireless networks – especially open and weak (WEP encrypted) ones – are dangerous. Dangerous in the sense that everything you send over the network is as visible as if you were giving a lecture. Think it over.
No-one (except maybe Google) cares that you search for restaurant reviews. But what about sensitive information like sent passwords or any other kind of data I have access to, such as…
I was taught the basic skills of intercepting digital data that’s traveling between networks in the first semester of my freshman year. In fact, any kiddie could pull it off. Because of that knowledge, I tend to avoid logging in to anything unencrypted during my stay outside the pseudo-safety of my home network.
- Login information (Facebook, mail, blog, travel, ANY kind of site)
- IM message sessions
- Vulnerable services running on the machine (file server)
Some More Background
As you might (not!) know, Facebook only just recently added a very important security feature (of course, you have to opt in for it – funny, usually one has to opt out of new ‘features’). Enabling secure(r) browsing means that the communication channel between your computer and the Facebook server is unreadable to the dude sitting behind the next table.
I’m sure you have connected to a free WiFi hotspot and seen the default welcome page that seems impassable unless you click on the “Yes, I take full responsibility for my actions while in your network” button. That's all warm and fuzzy, but it's also possible to configure the welcome page so that it redirects you to a website of the owner’s choosing after you click on the button. That’s usually the company’s website.
So what the hell happened?
With that background comes the main point of the post. The network I connected to had decided that the redirect page (after I click “Agree, let me use your WiFi”) should be their Facebook page. Okay, all well and good.
Except…
Remember that the connection to Facebook is not encrypted by default? And since I was already logged in from earlier, the data would have moved openly across several network hops, for everyone with motive to see, capture and/or modify.
Even if I weren’t already logged in, extensions like LastPass do that automatically. As if the initial request weren’t enough, there are loads of hidden background queries to and from the Facebook server – the chat window, friends online, notifications… all moving over unsecured HTTP, wirelessly.
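To make the exposure concrete, here is an added example (not part of the original post) that works out which stored session cookies a browser would attach, in cleartext, to the page a captive portal redirects to. The host names, cookie names and values are constructed for illustration; the matching rules are a simplified form of RFC 6265.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed (host that set the cookie, Set-Cookie header) pairs, as left
# behind by an earlier login. All names and values are made up.
SAMPLE_SET_COOKIES = [
    ("www.social.example", "session=abc123; Domain=.social.example; Path=/; HttpOnly"),
    ("www.social.example", "csrf=zzz; Path=/; Secure"),
    ("www.social.example", "locale=et_EE; Path=/settings"),
    ("mail.example", "auth=qqq; Path=/"),
]

def domain_matches(host, cookie_domain, set_by):
    """Host-only cookie unless a Domain attribute widened it to subdomains."""
    if not cookie_domain:
        return host == set_by
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def path_matches(request_path, cookie_path):
    """True if the cookie's Path covers the requested path."""
    cookie_path = cookie_path or "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cleartext_cookies(stored, redirect_url):
    """Names of stored cookies sent unencrypted with a request for redirect_url."""
    url = urlsplit(redirect_url)
    if url.scheme != "http":
        return []  # over HTTPS nothing travels in the clear
    host, path = url.hostname.lower(), url.path or "/"
    exposed = []
    for set_by, header in stored:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"]:
                continue  # Secure cookies are never attached to plain HTTP
            if domain_matches(host, morsel["domain"], set_by) and \
                    path_matches(path, morsel["path"]):
                exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(cleartext_cookies(SAMPLE_SET_COOKIES, "http://www.social.example/coffeeshop"))
```

Note that `HttpOnly` does nothing here: it hides the cookie from scripts, not from the network. Only the `Secure` attribute (or an HTTPS-only site) keeps the session cookie off the open WiFi.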
Not scared? You should be. Identity theft could sound like an obscure idea, but think of what you’d do if you had a day to live and no responsibility for your actions. You’d probably rob a bank or something.
Wrap
Wouldn't it be a beautiful world of rainbows and butterflies if everyone knew at least a little about the threats in (open) networks? If you must check in with your digital social life, opt in/enable the goddamn encryption. It’s a one-shot deal, doesn’t cost you anything and is a hell of a lot better than explaining to Tim that you are not “It’s complicated” with his wife.
Also, a note to the unnamed coffee shop – please don’t pull stunts like that – throw the visitor to the wolves… or at least give a five second warning or something!
P.S. I’d like to know more about what Facebook actually does when the user is idle – what type of queries move between the server and the client. Please leave a comment below if you know something about it.
e-State, bs-WiFi
I was sitting at the Rakvere bus station and wanted to get online. At this point I have to praise Tele2: for ~4€ they offer unlimited-volume (slow) internet through a smartphone. Ubuntu has no problem recognising and configuring the device, and the Internet is always available on the computer (i.e. when there is coverage).
The WiFi available at the bus station, however, was something special. I looked at the terms of use and the instructions and it really was rubbish; waiting half an hour was not worth the trouble.
Yes, you can't let all sorts of crooks, villains and lowlifes WiFi away unhindered, but the network could still be more easily accessible.
Below is the "contract" that sent me off the network.
Eesti Maaomavalitsuste Liit public WiFi coverage area.
Public WiFi coverage area usage agreement.
Users of the Eesti Maaomavalitsuste Liit public WiFi are not permitted to:
- Send advertising as mass mailings by e-mail, or other material that is contrary to the law of the Republic of Estonia.
- Obtain access to data and computers by illegal means.
- Post comments defaming other persons on internet portals.
- Use P2P file-sharing software or FTP to download to their computer, or upload to the internet, copyrighted software, films and music.
Technical info:
- Your internet session authenticated with the ID card expires after 60 minutes.
- Outgoing e-mail is directed to the mail.neti.ee server.
- The web browser software must be allowed to open pop-up windows
- In case of problems, the IPv6 protocol must be switched off to reach the start page
How to do it better? On the registration page, inform the user that they are on a public network (pointing to articles about security on open WiFi written in plain human language), tell them briefly what to avoid, inform them that their activity is logged, and let them onto the network after they press the "OK" button. That's it.




Ando “David” Roots is a college student and a software developer from Kunda, Estonia. Living, working and studying in Tallinn, he hopes to get his bachelor's degree in IT Systems Development from the Estonian Information Technology College.