
"When joining public Wi-Fi, consumers should utilize a VPN service [...]"
Did they measure how many connections used a VPN?
A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland, US, underlines how risky it can be to connect to public Wi-Fi without protection from a VPN. The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 …
This is a vendor-produced survey - so surely a little more of the scepticism the Register is famous for?
Last time I looked Gmail, Amazon, Skype, WhatsApp all used HTTPS and/or were encrypted protocols.
So what is actually the problem?
And why do I need a VPN? Other than a vendor is trying to flog me one?
Avast obviously weren't being malicious.
However.
Let's say I can convince you to connect to a WiFi access point (AP) I control.
Chances are you use the DHCP server in my AP to get an IP address *and DNS server address*.
So I configure my AP to point you at a DNS server I also control.
When you type www.facebook.com in the browser, I can deliver a DNS result that points you at a web server I also control, that provides a Facebook lookalike login page.
You don't look close enough to notice that this particular connection to Facebook isn't redirected to HTTPS, you log in, I get your Facebook password.
You can replace "facebook" with "most other secure websites", unless you've visited them before, and they use HTTP Strict Transport Security, and your browser supports it (Facebook actually do send HSTS headers, but many other secure sites, e.g. online banks, don't).
And actually, I don't need to control the DNS server, that just makes it easier. Since I can see and intercept all your traffic to my AP, I can look out for any initial non-HTTPS request and spoof a response, for example.
This also works with secure access points, if there is a common password I can get hold of (e.g. WPA2-PSK). If there's a hotel or pub that has a known WiFi password they provide to customers (maybe they stick it up behind the front desk/bar), for example, I could easily set up an AP using the same SSID and password and chances are at least some of the time (e.g. if your device has a stronger signal from my AP than from the hotel's) you will end up connecting to my network.
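The HSTS condition in the comment above ("unless you've visited them before, and they use HTTP Strict Transport Security, and your browser supports it"), as an added example that is not part of the original thread: a simplified model of a browser's HSTS store following RFC 6797. The `HstsStore` class, the host names and the preload list are constructed for illustration.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return a policy dict or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

class HstsStore:
    """Hypothetical, simplified model of the per-browser list of known HSTS hosts."""
    def __init__(self, preloaded=()):
        # Preloaded hosts never expire and cover subdomains (simplifying assumption).
        self.entries = {host: (float("inf"), True) for host in preloaded}

    def note_response(self, host, scheme, header, now):
        # The header only counts when received over HTTPS; over HTTP it is ignored.
        policy = parse_hsts(header) if scheme == "https" and header else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)      # max-age=0 removes the host
        else:
            self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):          # exact host first, then parent domains
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    store, now, year = HstsStore(preloaded=["preloaded.example"]), 1_000_000, 31536000
    out = {"first_visit": store.must_use_https("bank.example", now)}
    store.note_response("bank.example", "https", f"max-age={year}; includeSubDomains", now)
    out["return_visit"] = store.must_use_https("login.bank.example", now + 86400)
    out["after_expiry"] = store.must_use_https("bank.example", now + year + 1)
    out["preloaded"] = store.must_use_https("www.preloaded.example", now)
    store.note_response("nohsts.example", "http", f"max-age={year}", now)
    out["http_header_ignored"] = store.must_use_https("nohsts.example", now)
    return out
```

Only the return visit and the preloaded host are forced to HTTPS; a first visit, an expired entry and a header seen over plain HTTP leave the browser free to make the initial request unencrypted.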
Google "Man in the middle attack" and "Proxy Server"
When I'm at work my work Proxy Server is kind enough to remind me that it will be spoofing my connection to Gmail so it can have a look at all the content before it gets sent as HTTPS to Google. It also spoofs the stuff that's coming back, i.e. it pretends to be me and then passes on the content to me. It does this because work doesn't want me downloading any attachments, well not at least until they have been virus checked; once they are checked (takes a few milliseconds) and cleared they are passed on to me. This is all done transparently except for the initial page from the proxy server reminding me that it's going to be reading all the content. I work for a nice company, they just do this for virus checking, they aren't really interested in my personal emails and they don't keep a record of my login details, but they do warn me that they can see all of this stuff because I'm going through their Wireless access in the office and onto the internet.
Man in the middle attacks do the same thing, except you don't get a nice warning screen and they aren't looking to virus scan any attachments for you; they are after all the content including, of course, your Google username and password.
I suspect that your company will have installed into your browser a special company-only root certificate, to enable you to get an HTTPS connection to the proxy server. Because otherwise your browser will complain that it is not certified by Google.
But if you're at the Republican Convention on an iPhone (i.e. browser supports HSTS) then I think it would refuse to connect to a proxy for GMail (or other sites with HSTS).
Upvote for this. How is a fake WiFi AP any more dangerous than other public forms of Internet?
Most people have their apps and browsers remember logins, and that isn't fooled by a fake encrypted site. Downgrading to HTTP would disable automatic login and likely present an insecure form warning. Mobile apps and firmware are digitally signed to prevent tampering.
The one exception is sites not using HTTPS for login. No respected site would do that, right Reg?
Must be just one or two lonely types or someone doing "research". Rumor has it the party conventions are rather notorious for their randiness. A bit of yelling, shouting, music to get people hyped up and they hit the night spots as soon as evening's events are over. Then their main event for being there starts...
Paris.. well because....
Until the guys with the most stock sell said "nice company" to Attila the takeover artist, and one way to pay off the resultant huge debt load is to sell all the skimmed info (employees and customers) on the open market. Or the company goes bankrupt and the trustee does the same.