I connected to a wireless open network in a very busy part of Tallinn just moments ago. Something unexpected happened that made me once again thank Tux I’m slightly paranoid.
As you should know, wireless networks - especially open and weak (WEP-encrypted) ones - are dangerous. Dangerous in the sense that everything you send over the network is as visible as if you were giving a lecture. Think it over.
No-one (except maybe Google) cares that you search for restaurant reviews. But what about sensitive information like sent passwords or any other kind of data I have access to, such as…
- Login information (Facebook, mail, blog, travel, ANY kind of site)
- Instant messaging sessions
- Vulnerable services running on the machine (file server)
I was taught the basic skills on how to intercept digital data that’s traveling between networks in the first semester of freshman year. In fact, any kiddie could pull it off. Because of that knowledge, I tend to avoid logging in to anything unencrypted during my stay outside the pseudo-safety of my home network.
Some More Background
As you might (not!) know, Facebook only just recently added a very important security feature (of course, you have to opt in for it - funny, usually one has to opt out of new ‘features’). Enabling secure(r) browsing means that the communication channel between your computer and the Facebook server is unreadable to the dude sitting behind the next table.
I’m sure you have connected to a free WiFi hotspot and seen the default welcome page that seems impassable unless you click on the “Yes, I take full responsibility for my actions while in your network” button. That's all warm and fuzzy, but it's also possible to configure the welcome page so that it redirects you to a website of the owner’s choosing after you click on the button. That’s usually the company’s website.
So what the hell happened?
With that background comes the main point of the post. The network I connected to had decided that the redirect page (after I click “Agree, let me use your WiFi”) should be their Facebook page. Okay, all well and good.
Remember that the connection to Facebook is not encrypted by default? And since I was already logged in from earlier, the data would have moved openly across several network hops, for everyone with motive to see, capture and/or modify.
Even if I weren’t already logged in, extensions like LastPass would log me in automatically. As if the initial request weren’t enough, there are loads of hidden background queries to and from the Facebook server - the chat window, friends online, notifications… all moving over unsecured HTTP, over the air.
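The leak described above happens because a cookie set without the Secure attribute is attached to any plain-http request for its domain, the portal’s redirect included. As an added illustration (not code from this post), the Python check below parses constructed Set-Cookie headers and reports which cookies a browser would send in the clear to a given redirect URL; the cookie names and domain are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers as a social site might have issued
# them during an earlier, logged-in visit (hypothetical names and domain).
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Domain=.example-social.com; Path=/; HttpOnly",
    "csrf_token=xyz789; Domain=.example-social.com; Path=/; Secure",
    "theme=dark; Domain=.example-social.com; Path=/",
]


def parse_set_cookie(headers):
    """Parse each Set-Cookie header value into a (name, Morsel) pair."""
    cookies = []
    for header in headers:
        jar = SimpleCookie()   # one jar per header avoids name collisions
        jar.load(header)
        for name, morsel in jar.items():
            cookies.append((name, morsel))
    return cookies


def would_be_sent(morsel, url):
    """True if a browser would attach this cookie to a request for url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = morsel["domain"].lstrip(".") or host
    path = morsel["path"] or "/"
    if not (host == domain or host.endswith("." + domain)):
        return False                      # domain does not match
    if not (parts.path or "/").startswith(path):
        return False                      # path does not match
    if morsel["secure"] and parts.scheme != "https":
        return False                      # Secure cookies stay off plain HTTP
    return True


def cookies_in_clear(headers, url):
    """Names of cookies that would travel in plaintext if the captive portal
    redirects the browser to url (empty when url is https)."""
    if urlsplit(url).scheme == "https":
        return []
    return [name for name, m in parse_set_cookie(headers) if would_be_sent(m, url)]


if __name__ == "__main__":
    portal_target = "http://www.example-social.com/pages/coffee-shop"
    print(cookies_in_clear(SAMPLE_SET_COOKIE, portal_target))
```

Only the cookie marked Secure survives the plain-http redirect unsent; the session cookie, HttpOnly or not, goes out in the clear.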
Not scared? You should be. Identity theft could sound like an obscure idea, but think of what you’d do if you had a day to live and no responsibility for your actions. You’d probably rob a bank or something.
Wouldn't it be a beautiful world of rainbows and butterflies if everyone knew at least a little about the threats in (open) networks? If you must check in with your digital social life, opt in to and enable the goddamn encryption. It’s a one-shot deal, doesn’t cost you anything and is a hell of a lot better than explaining to Tim that you are not “It’s complicated” with his wife.
Also, a note to the unnamed coffee shop - please don’t pull stunts like that, throwing visitors to the wolves… or at least give a five-second warning or something!
P.S. I’d like to know more about what Facebook actually does when the user is idle - what type of queries move between the server and the client. Please leave a comment below if you know something about it.