HACKER Q&A
📣 JaceLightning

Is Public WiFi Dangerous?


I know there are several attack vectors on public Wifi, but these days are they mostly mitigated?

- Man-in-the-middle attacks: thwarted by certificate authority checking by the browser and/or certificate pinning in mobile apps. Browser will not let you advance if the certificate is invalid.
- Replay attacks: OAuth tokens expire and good sites will use nonces.
- Packet sniffing on open networks: thwarted by TLS over http and encrypted traffic (unless you have a root certificate installed).
- DNS lookups are somewhat plaintext, but now started to be done over https. Even then, attackers would know what you're connected to, but not what you are saying.
- Port scanning/direct attacks: firewalls by default lock down ports and well-patched machines prevent this.
- Email (SMTP) and other protocols: are all encrypted as well to prevent snooping.

Is using public Wifi actually dangerous? If so, what's the attack vector?


  👤 Shank Accepted Answer ✓
Your intuition is correct. The exception is that DNS will, by-default, be sent to the default router DNS servers, which might monitor/track what you do (most ISPs run DNS that do this too), and unencrypted HTTP. Unencrypted HTTP is more and more rare as time goes on.

Most of the "shame on public WiFi" comes from VPN companies, which are just trying to fearmonger into a sale. Sure, DNS over HTTPs isn't as widespread as it should be. Sure, some websites aren't encrypted, still. But that doesn't mean that routing all of your insecure traffic to a VPN provider so they can handle it instead is going to increase your security. It just moves the threat model from "your public WiFi network and people on it" to the VPN provider.

If you really want to be safe, you could run your own VPN with algo (https://github.com/trailofbits/algo) or manually setup WireGuard and route traffic e.g., back to your home ISP, instead. That's probably my best suggestion, rather than using any of the cliche VPN providers that advertise everywhere.


👤 md_
It's not a "yes/no" answer. If you're visiting http:// sites, if your OS doesn't use DoH/DoT, if you have unpatched vulnerabilities exploitable by same-subnet attackers, then maybe it's dangerous.

The question is, is it dangerous enough to:

- Use a VPN? Yes, if the VPN is free, trustworthy, and not blocked by the wifi.

- Not use the Wifi, and instead pay for data/roaming? Nah.

- Tell lay users that "avoiding public wifi" is one of the top things they should do to stay secure online? Hell no. User attention is expensive, and wifi is relatively safe.

"I don't use public wifi without a VPN" is the new "I never click links in email." It's something semi-technical users say to show off how much less pleasant their online experience is for no particularly good reason. ;)


👤 hsbauauvhabzb
I would avoid it on domain-connected devices. Active Directory will by default attempt to connect to arbitrary SMB servers (via NetBIOS, DNS, or HTTP PITM). Once connected it will happily throw your password hash, rehashed as NetNTLMv2; dictionary attacks and now entropy brute forces are possible, after which they can be leveraged for varying types of badness.

PITM is remediated somewhat by HSTS, which forms sort of a trust (Google HSTS means https links to other resources cannot be TLS downgraded, even if they don’t have an HSTS directive themselves).

Any lack of a Secure cookie flag can leak cookies over unencrypted http wherever HSTS is not applied on a site itself (even if you’re on HSTS, an attacker could theoretically request an http resource via any unencrypted page loading, by injecting an img resource pointing to the victim domain).

I doubt there are any low-scale attacks of the last two, but wouldn’t be surprised if nation-state firewalls did this. The first attack vector is very real.
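The cookie and HSTS points in the comment above can be checked from a site's response headers. The audit below is an added example, not code from the thread; it parses Set-Cookie and Strict-Transport-Security values and reports cookies missing the Secure flag and a missing or short-lived HSTS policy. The sample headers are constructed.

```python
ONE_YEAR = 31536000  # HSTS max-age that browsers and preload lists expect at minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() or None
    return directives

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def audit_headers(headers):
    """headers: iterable of (name, value) pairs from one HTTPS response.
    Returns a list of (severity, message) findings."""
    findings, hsts = [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = cookie_attrs(value)
            if "secure" not in attrs:
                findings.append(("high", f"cookie {cname!r} lacks Secure: it will also be sent over plain http"))
        elif lname == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append(("medium", "no Strict-Transport-Security header: the first http request is not upgraded"))
        return findings
    try:
        max_age = int(hsts.get("max-age") or 0)
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(("medium", f"HSTS max-age={max_age} is below one year"))
    if "includesubdomains" not in hsts:
        findings.append(("low", "HSTS lacks includeSubDomains: plain-http subdomains still receive Domain cookies"))
    return findings

# Constructed sample: HSTS is on, but the session cookie was set without Secure.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {message}")
```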


👤 boring_twenties
If you're sure you don't trust any dodgy certificates, sure you aren't vulnerable to any kind of downgrade attacks, sure you don't use any less-than-good sites, sure you're using DNS over https 100% of the time, sure you never use any unencrypted and/or unauthenticated protocols (like plain SMTP for instance), and sure you don't have any ports open then... yeah, I guess it's mitigated.

My personal preference would be to just use a VPN when on any untrusted network. At least then you only have to worry about the security of one "site," more or less. And of course your own open ports.


👤 angst_ridden
In the old days (WEP era), there was a coffee shop in [mumble] where a bunch of execs from several competing companies would hang out.

Everyone would be careful to protect their screens from snooping, but a lot of folks would connect to POP mail servers without concern.

Wireshark was hard to run on anything but Linux in those days, and WiFi on Linux could be hard to get stable except on certain hardware, but it could be done.

Today, I don't imagine Wireshark would show you much of interest on a WPA2 WiFi network.


👤 xtracto
One side of public wifi that might be dangerous is malicious access points. A while ago there was an attack vector related, I think, to DHCP, which allowed a malicious AP to run commands on your computer.

A security researcher friend of mine used that and a Pineapple device inside a small and saw a lot of exploitable devices connect.


👤 caaqil

The short answer is no, despite what the VPN sponsor of your favorite YT videos might say. This is actually a good question to ask if you want to assess how up-to-date someone's infosec knowledge is. In a few sentences, you can tell if they're just regurgitating the classic scary myths about public WiFis or have a more nuanced take* that boils down to 'no' (bonus points if they go on a tangent about how cool WiFi deauth attacks are).

* Unlike this comment.


👤 buildbuildbuild
“Safety” depends on your threat model.

Unencrypted (password-less) WIFI traffic is trivial to sniff. Decide how much you care about the unencrypted portions of your traffic: SNI headers, HTTP, DNS, flow logs of which IPs you are connecting to, etc.


👤 jrm4
As people correctly note that a lot of this is VPN fearmongering, I think folks are also undercutting that it's probably also a lot of ISP fearmongering; ISPs definitely had quite a bit to lose as internet adoption increased. I remember early on ISPs were trying to go with a more cable-esque model, as in you would have to pay more per device connected to the internet.

It's always been my belief that the fundamental driver of "strong wifi passwords" has been ISPs; after all, as Netflix knows, people like sharing :)


👤 paxys
The only thing different in this regard today vs a decade ago is that more websites are HTTPS-only and more browsers and OSes support DNS over HTTPS. However both of these are still very far from 100%.

Not every internet protocol is encrypted by default. HTTP is still widely used. Your email client may be using unencrypted POP/IMAP. Heck, random applications on your computer could be opening raw TCP sockets without you even knowing it.

Using public networks without additional precautions thinking "everything is secure these days" is a recipe for disaster.


👤 cameronh90
It's still potentially dangerous.

You're right that progress has been made on most of the attack vectors, but as you point out, DNS lookups are still often done in plaintext. CT and pinning help, but not every site does it yet. Not all protocols are TLS yet, and of those that are, some are vulnerable to downgrade attacks (including SMTP).

It's definitely safer than it was, but there are still enough potential pitfalls that I'd avoid it for anything important - or at least use a tunnel. Besides, 4g is usually better anyway.


👤 badrabbit
Just use a VPN. There are many attack vectors without even touching software exploits. On windows for example wpad will get all your traffic hijacked. On any OS there are non-browser processes that make unencrypted network connections as well. Even if you only allow https and check every single cert, the sites you visit (domain/host) are exposed via SNI on TLS which is a privacy risk.

👤 heavyset_go
Even if you use a VPN, there have been attacks like this one[1] that allow attackers to hijack VPN connections and inject whatever data they want. Doesn't matter if you're using OpenVPN, Wireguard or something else, for that exploit.

[1] https://news.ycombinator.com/item?id=21712280


👤 abotsis
There’s also the risk of more advanced attacks that exploit the WiFi chipsets themselves, which are a real problem when they muck with the driver (which usually have DMA access to the os) and trick the os into overwriting kernel memory.

That said, this is more a problem of connecting to untrusted WiFi than unencrypted WiFi.


👤 chasil
Do not use anything on public WiFi unless the security patches are current.

Android [can] have better defenses than a Windows laptop:

- Android has MAC randomization.

- The Bromite fork of Chrome has DNS-over-HTTPS options in settings (I think Chrome requires a command line option to configure DoH, but I don't use Chrome so I'm not sure). ISPs hate DoH. Be aware that non-browser apps will use regular DNS. Some public WiFi blocks DoH (I'm configured for OpenDNS), so be ready to fall back to another browser using regular DNS.

- Bromite has an option to always check for https - enable it.

- Tor Browser is a bit easier to get on Android.

- SMTP has an opportunistic TLS exchange that can be thwarted, so I wouldn't use it.

- For me, I would wipe the stock OS off the device and run Lineage de-Googled.


👤 foxtrottbravo
Yes it still is, or at least may be depending on your threat model.

CertPinning and CT will go a long way, but do you know that all your software components (not only your webbrowser) use these effectively?

What about credential snagging with tools like Responder? Maybe your client will freely send a set of credentials down the line because of corporate shenanigans.

Depending on the protocol used it might be trivial for a MITM to prevent a secure connection altogether and transparently downgrade your connection to a less secure method (ie Filtering STARTTLS).


👤 eternityforest
If you type a bank password without checking that it's an encrypted connection you might be in trouble. Pretty sure strict transport would stop that though.

The main reason seems to just be that some people care about the fact they can see what servers you connect to and what your MAC is, and that people don't always check whether things are encrypted, combined with the historical fact that there used to be plenty of important things that weren't encrypted. Now there's only a few.


👤 wintermutestwin
>If you really want to be safe, you could run your own VPN

Then you are placing your trust in your VPS provider (unless you are running the VPN on your home network, and then you are trusting your ISP).

At the end of the day you have to trust someone right? (ignoring the can of worms that is TOR). I know my ISP is untrustworthy and salivating over my data. I am unable to easily translate the privacy policies of a VPS provider, but VPN providers are at least explicitly claiming that they don't sell your data.


👤 0xbadcafebee
Public Wifi is significantly less dangerous than swimming in the ocean. There are risks, but if you are informed about the dangers, they are completely manageable.

I could count on one hand the number of real black hats actually sitting in random cafes around the world waiting to attack unsuspecting college students writing term papers. It's an unwarranted fear inspired by security people and the media. If you want to hack people, phishing and botnets are so much easier.


👤 f0e4c2f7
It's a lot safer than it used to be for the reasons you described but there is still a lot of software that doesn't use that mitigating technology.

There are some attacks on the browser like trying to strip the ssl in a way that the browser will not complain or trying to catch an unencrypted something or another.

But you also have other things like mitming software updates for other applications, OS misconfigurations.

I'd say overall less dangerous but still somewhat dangerous.


👤 tedunangst
Various vulnerabilities in your wifi driver. Some of these may require you only be in range; others may be exploitable only if associated with the network.

👤 macksd
If one did need to worry about trusting public wi-fi, one would also need to worry about trusting one's cell service provider or home / business ISP. And you can use a VPN for an additional layer of security over all this, but then you need to trust the VPN.

But I think you're largely correct. If I'm on wi-fi that I trust less than my VPN provider of choice, I use the VPN. And then I move on and live my life.


👤 jabroni_salad
I operate a few public networks and I would like to think they are reasonably secure. I have dhcp-guard, client isolation, and a Palo Alto with risk filtering. That said, I do not use any public WiFi. There's a 'what-if' factor, but also my personal LTE allotment is sufficient that I just don't care to jump through whatever annoying hoops a business might require to connect.

👤 imachine1980_
If you don't trust the place at all (too many people, like parks or trains), use Warp; it's free and works (Cloudflare). If not, don't use a VPN; they are a lot more likely to be hacked than your local wifi, and most of them are a single company who lacks any respect for the user. Most tokenisation uses https, meaning they are encrypted.

👤 ams92
Kind of a related question, but my current job requires that the VPN is always on even though we work in a zero trust environment (i.e. we are not accessing some company intranet that requires a VPN). Is there any point to this? Maybe it makes sense on a public network, but if I'm at home it seems like a needless hit to internet speed.

👤 peppermint_tea
I would say it greatly depends on the wifi; Starbucks wifi and your local provider's wifi setup differ greatly. Nowadays, scanning the network in Starbucks won't show your neighbours, unlike the local coffee shop. Starbucks and the like use some commercial-grade stuff to provide wifi.

source : I go in coffee shops and scan the networks.


👤 opisthenar84
It's much safer than it used to be imo, but that's due to internet security and not changes in the WiFi stack.

👤 Panther34543
How does a VPN protect from security vulnerabilities if the router/hotspot itself is compromised or untrustworthy?

👤 01100011
One thing I wonder about: I have Xfinity internet at home. I set my phone up to auto login to the wifi hotspots Xfinity runs on their routers. How does my phone know an access point with an SSID of Xfinitywifi is trusted before sending it my wifi password?

👤 jotm
Is it possible to have a valid certificate for, say, capіtalone.com? The only thing you could rely on is your browser not automatically entering the saved passwords.

Funnily enough, I checked and the domain is available, so I guess such an attack is harder than I thought :D


👤 ShowalkKama
Even with DNS over HTTPS or DNS over TLS you are still leaking the name of the server you are connecting to (example.com, sub.example.com) via SNI, an extension of TLS used by servers to decide which certificate to serve (one of the best examples is Cloudflare). Encrypted Client Hello tries to solve this by encrypting the client hello (the first packet sent by the client in the TLS handshake) (its predecessor is ESNI, which encrypted only the SNI extension but was vulnerable to a couple of theoretical attacks), but it doesn't really have decent support (you can enable it on Firefox but it's behind an about:config flag and it requires support on the server side too).

👤 andrewyates2020
Public wifi can be provided as a way to track your identity and tie it to your mobile device, email, or other identifiers. For example: https://adentro.com/

👤 tootahe45
No.

Cyber crims are financially motivated and today there are far easier/lower risk options for hackers. Just look at the people who lose 6 figure crypto balances to automated twitter scams or fake crypto celeb live-stream replays.


👤 scratcheee
The attack surface is large, so even if you've mitigated all the known vectors, there may be more you didn't know about.

I wouldn't blame you for just accepting the risk, situationally I might do the same, but it _is_ a risk.


👤 racl101
I totally never use it. I don't trust it.

I've learned to be frugal with my plan.

Going to a coffeeshop to work is also not my thing. And I would not jeopardize the company data by risking it on a public network.


👤 nunez
social engineering is the attack vector, as always.

a person presented with "THIS IS INSECURE!!!!1 TURN BACK NOW" when going to mybank.com will just press "Continue" because they can't be bothered, but also because that error is a red-enough herring (self-signed certificates, legitimately expired certificates, people using older OSs with stale CA bundles) for people to ignore.

yes, VPNs obviate this concern, but also many people don't use VPNs.


👤 miketery
If you're an average joe, no need to worry. If you're a VIP or PEP then you should worry that you'll be targeted, and public WiFi is an easy middle man.

👤 brightball
Lookup Wifi Pineapple.

👤 musicale
WiFi is dangerous in general, particularly the 2.4GHz microwave version, and we live in a sea of it.

It turns out that non-ionizing radiation can actually affect cells and DNA.


👤 jeffbee
Question is impossible to answer because you haven't stated a threat model.