> No, they are not. They will never be. They might be secure, but not completely...
You are right in that nothing is ever "completely" secure.
But we take risks ALL THE TIME. In a primitive sense, risk assessment can be thought of as a product...
risk = severity_of_outcome x probability_of_occurence
Just how risky is it to get on a public wifi? What could happen? What does happen? Are there "safe" things you can do on a public wifi? Are we talking about giving up treasure to casual script-kiddies? Or is it only nation-state-actors that we need to worry about, or maybe jealous-obsessive hacker boyfriends? What can happen if I just leave wifi enabled on my phone? What can happen if I connect and do nothing? What are the exploits?
A lot of these things are unclear-- even for "experts" on HN.
In the absence of actual credible stories about the bad things that happen on public wifi, people will DISMISS the risk. Some may choose a more paranoid approach and never use public wifi, but I think that's just about as unreasonable as the opposite.
Indeed, there are risks involved, but I'd argue that connecting to public Wifi is a pretty common existing habit already. There are good ways to stay protected though whilst doing this e.g. using a VPN.
Much of that discussion is crap. They're wasting effort bikeshedding about local network sniffing. You have to assume that anything of value sent over the internet might be sniffed or at least could be sniffed by a well placed attacker. The last hop connection between your PC and the AP is hardly the only point at which your data is vulnerable. To assume otherwise is foolhardy.
That's why I said that the only additional risks I can see of an public Wifi is local attacks directly against your machine such as someone port scanning your laptop to look for vulnerable service or open fileshares, etc.
I guess I don't so much disagree with the idea of being careful on an unsecure public wifi, as I am concerned that so many people seem to think they only have to concerned about the unsecured wifi, not all the other hops on their connection. You know what I mean?
There is not a pedophile lurking for open wifi on every block, as popular hype would have you believe.
Did I say there was? You wildly missed my point.
The point is not that it's common, but that it can happen at all. Someone may use a public connection to download illegal material and that, in today's touchy security environment, could easily lead to the cops hauling your computers away. Simple as that. No paranoia here. This is reality.
With a locked down private network, this unlikely event is made way more unlikely. Still, if your business wants to run that risk then, well, you're a "risk taker" by my definition.
To claim these risks are so grave that people running unsecured wifi must be idiots is comparable to saying that people who leave their personal cars parked on city streets are also idiots, since those cars be stolen and used in violent crimes.
A ridiculous comparison. If someone steals one of your company's van and does a drive by, the cops are hardly going to bust in and take out all your computers as evidence.
People assert the counterexample, too, but in reality it's hard to find real cases where anything bad happened as a result of running an open wifi network.
> Leakers shouldn’t use their work computers and should use public wifi, “like a Starbucks or at a hotel or anywhere where the Internet is open for public use.”
Lately there seem to be very few completely open wifi points. Most of them at least require some click through for agreeing to terms. Is there any risk involved here?
One side of public wifi that might be dangerous is malicious access points. A while ago there was an attack vector related I think to DHCP, which allowed a malicious AP to run commands in you computer.
A security researcher friend of mine used that and a Pineapple device inside a small and saw a lot of exploitable devices connect.
Caveat: I haven't read the article linked in the GP, yet. (I will.) But the comments here immediately elicit this thought:
How many users have a laptop that they are connecting to one or another undefined (to them) form of "public" wifi? (And/or to someone else's internal network that may be compromised.)
You're over-simplifying a bit. Public WiFi is a bit more risky, though, because the barrier to entry for sniffing last-mile infrastructure is so low that anyone can do it.
At my home and office you have to contend with WPA2-Enterprise (it's easy to set up at home, so I did). You'd need to get hard-wired access to my home, and pull some ARP trickery to sniff my last-mile infrastructure. We have 802.1x on the Ethernet ports at the office, so no dice there.
You're right, to a point. And the effective response is to make sure you're always protected as well as you can, instead of going into a "shields up!" situation only when your perceived risk is higher.
Yeah this article is only covering a specific attack vector, to claim that public Wifi is nearly risk free because of HTTPS is a very dangerous statement to make. The risk of public wifi was far from just having your traffic spied on.
Beware, also, of public WiFis. Even the ones that are not open. Beware, actually, of connecting to any network where you don't know all of the devices you can communicate with directly. Ancient attacks such as ARP or DNS spoofing still work, by and large. It's surprising how few people are actually aware of them.
reply