Wi-Fine(wifine.gitlab.io)
wifine.gitlab.io
Wi-Fine
https://wifine.gitlab.io/
56 comments
I worked in IT support as an undergrad ten years ago and am now going to grad school and using eduroam. It is such a night-and-day difference; I'm so incredibly pleased that there was enough international and inter-institutional cooperation to make it work.
I especially like it when I open up my laptop at a new coffee shop and discover it's already connected to eduroam—in the city I live in (Edinburgh) there are enough university buildings scattered around that a surprising percentage of the city center is covered. The National Library also uses eduroam.
I especially like it when I open up my laptop at a new coffee shop and discover it's already connected to eduroam—in the city I live in (Edinburgh) there are enough university buildings scattered around that a surprising percentage of the city center is covered. The National Library also uses eduroam.
Same deal in my city. Very cool!
... it also raises questions about what would be so hard to just distribute WiFi access to all citizens.
... it also raises questions about what would be so hard to just distribute WiFi access to all citizens.
Small correction: with WPA2, a passive observer can decrypt the traffic between a device and the access point if they know the password and capture the initial connection of that device. Wireshark has built-in support for this.
> The institution where you're a guest knows your identity (often email address),
The identity in the outer EAP does not have to be your real identity, just the realm (@domain.dom) must be correct so the radius proxying can be routed appropriately. E.g., [email protected] in the outer EAP will work fine for the user, [email protected].
The identity in the outer EAP does not have to be your real identity, just the realm (@domain.dom) must be correct so the radius proxying can be routed appropriately. E.g., [email protected] in the outer EAP will work fine for the user, [email protected].
Funny, when teaching networking we would be able to visit each others local webservers across multiple campuses and subnets (!) on EduRoam. Fun times.
Even for wpa3 if it is public wifi you should use a VPN and restrict LAN traffic because of other hostile clients on the WLAN.
I always don’t understand the name, looks like someone made a type when was writing “eurodam”. Because it’s a EU thing, and could a dam to break to silence/Incommunicability, so with EDUROAM and not EURODAM?!
I’m going crazy every time. I use a lot this network.
I’m going crazy every time. I use a lot this network.
Education + Roaming [0]
=
Edu + roam
=
Eduroam
[0] https://en.m.wikipedia.org/wiki/Roaming
[0] https://en.m.wikipedia.org/wiki/Roaming
Oh… thank you! I have never thought about this. So it makes sense!
Hi! Author of that website here.
Can some mod or the OP that submitted this post change the title to "Wi-Fine: it is fine to use public Wi-Fi"? The current one is not very descriptive.
Also, let me know if any of you have comments to me specifically.
Can some mod or the OP that submitted this post change the title to "Wi-Fine: it is fine to use public Wi-Fi"? The current one is not very descriptive.
Also, let me know if any of you have comments to me specifically.
unfortunately, the submission is past a deadline (not so sure) for title change. perhaps @dang can help ?
Email [email protected], they usually respond really quickly.
Getting owned wise - maybe. Privacy wise - no.
Not all web traffic is HTTPS, way too much of it still isn't. Not everything is HTTP(S) even, some nastiness comes from other protocols. DNS is still rarely encrypted. NTP basically* isn't encrypted. And all those combined allow a lot of privacy-invasive profiling to be done. Without WPA3 public, it's also passive and you have no clue.
Not all web traffic is HTTPS, way too much of it still isn't. Not everything is HTTP(S) even, some nastiness comes from other protocols. DNS is still rarely encrypted. NTP basically* isn't encrypted. And all those combined allow a lot of privacy-invasive profiling to be done. Without WPA3 public, it's also passive and you have no clue.
Its still fairly easy to spoof APs. 802.11w aims to prevent this but support is spotty. And a spoofed AP means now the attacker has access to things that would normally gated behind NAT.
Although with use of social engineering, you can set up a gateway page that says something like "Log in to Facebook for free wifi", bypassing the need for any exploits.
Although with use of social engineering, you can set up a gateway page that says something like "Log in to Facebook for free wifi", bypassing the need for any exploits.
> Its still fairly easy to spoof APs. 802.11w aims to prevent this but support is spotty.
Even with 802.11w it's easy to impersonate APs, 802.11w doesn't protect against evil twins. I find it a massive pity that we can't freeload off of web PKI to authenticate AP's.
Even with 802.11w it's easy to impersonate APs, 802.11w doesn't protect against evil twins. I find it a massive pity that we can't freeload off of web PKI to authenticate AP's.
Oh wow this shit again. @joepie91 you are very wrong about VPNs and this is the sort of mess that gist thread leads to if you ever see this.
Has OP never heard of responder? Things other than browsers are actively making and accepting network requests all the time. Plenty of sites by default have port 80 open and redirect to 443 (can be intercepted).
Please do not spread harmful information. Never (ever) use an open wifi without a VPN.
Edit: My favorite APT that abuses this: https://www.kaspersky.com/resource-center/threats/darkhotel-...
Oh, and if you have corporate VPN make sure there is no split tunneling. And even with a good VPN, make sure to set explicit restrictive host firewall rules. As in no traffic allowed to the public wifi interface subnet aside from captive portal and dhcp (e.g.:wpad)
Has OP never heard of responder? Things other than browsers are actively making and accepting network requests all the time. Plenty of sites by default have port 80 open and redirect to 443 (can be intercepted).
Please do not spread harmful information. Never (ever) use an open wifi without a VPN.
Edit: My favorite APT that abuses this: https://www.kaspersky.com/resource-center/threats/darkhotel-...
Oh, and if you have corporate VPN make sure there is no split tunneling. And even with a good VPN, make sure to set explicit restrictive host firewall rules. As in no traffic allowed to the public wifi interface subnet aside from captive portal and dhcp (e.g.:wpad)
Honestly, browsers are not the worst offenders here or the worst mistake.
MUAs are. There's no MUA-STS, the user interaction required to accept an insecure connection is often too trivial, the authentication methods allow easy credential theft and prolonged reuse.
MUAs are. There's no MUA-STS, the user interaction required to accept an insecure connection is often too trivial, the authentication methods allow easy credential theft and prolonged reuse.
I was trying to explain this to someone recently and basically described the same.
However, there’s still a privacy risk on a public wifi, correct? As in your neighbor can see the DNS requests (as those are generally unencrypted).
If you use a VPN, cool, but now your “free VPN” gets to see that.
The only other issues I could think of were ARP poisoning / spoofing and maybe local phishing redirects
However, there’s still a privacy risk on a public wifi, correct? As in your neighbor can see the DNS requests (as those are generally unencrypted).
If you use a VPN, cool, but now your “free VPN” gets to see that.
The only other issues I could think of were ARP poisoning / spoofing and maybe local phishing redirects
A fair amount (DNS, etc) is still in the clear, yes.
I still see a good amount of clear text web traffic when I do packet captures in airports and the like.
Usually image or media files, but the odd time I see some badly conceived automatic update process pulling an exe or msi over plaintext HTTP.
I still see a good amount of clear text web traffic when I do packet captures in airports and the like.
Usually image or media files, but the odd time I see some badly conceived automatic update process pulling an exe or msi over plaintext HTTP.
> I still see a good amount of clear text web traffic when I do packet captures in airports and the like.
Of all the places I'd avoid packet sniffing, that's high on the list.
Of all the places I'd avoid packet sniffing, that's high on the list.
Its where you find the best variety of packets! Far superior to cafes.
Why?
Because irrespective of the legality of packet sniffing on a network you don't own, airport police have no chill.
They also don’t have the competence to actually figure out that you’re packet sniffing. How would they know?
I think debian does package updates over HTTP in the clear. It's not necessarily a problem if the package is signed and the signature is verified.
But you don't have privacy. If you didn't want anybody to know that you've got clown-fetish-program version 1.6.4 installed, then Debian's package upgrade code fetching clown-fetish-program version 1.6.4.1 update is a disappointing give away.
In the real world is it embarrassing to have Emacs installed? Or KDE? Or even Tux Racer ? Probably not. But all things being equal we'd rather the program just kept this to itself right?
In the real world is it embarrassing to have Emacs installed? Or KDE? Or even Tux Racer ? Probably not. But all things being equal we'd rather the program just kept this to itself right?
It could also reveal information about your system that could be used for exploiting. E.g. you have a package installed that can be used for privilege escalation once compromised.
Not to mention the additional possibility of exploiting apt itself vs. having to exploit the TLS stack (which goes trough a lot more scrutiny).
Not to mention the additional possibility of exploiting apt itself vs. having to exploit the TLS stack (which goes trough a lot more scrutiny).
Would something like NextDNS help?
NextDNS offers DoH (DNS over HTTP) so yes, your DNS look ups are encrypted. But of course if an app developer clicked past all the "This is a terrible idea, just stop it" and added that code to download your porn over a plaintext HTTP 1.0 connection from their server this-is-literally-porn.example then NextDNS doesn't magically prevent that when you run their crappy porn app.
Firefox has built-in support for DNS over HTTPS using NextDNS or Cloudflare
There are multiple reputable non free VPNs, why are you jumping to the conclusion that all VPN users are on a free one?
DoH encrypts dns requests over the local network.
HSTS helps with local phishing redirects, as the browser ought not load a 3xx request over http for sites with HSTS enabled.
HSTS helps with local phishing redirects, as the browser ought not load a 3xx request over http for sites with HSTS enabled.
Set your browser to HTTPS only mode (a setting in all modern browsers) and you'll be Mostly Safe (TM). Also enable DoH (using your own server, if you don't trust public ones) and you'll be Even More Safe (TM).
Yes, you're exposing yourself to some random people on the network who may try to attack your laptop or phone, but as long as you enable your firewall you're Probably Fine (TM).
I'd avoid using public WiFi if you're a government agent or working with highly sensitive data just in case. In all other cases (i.e. 99% of people using their laptop in public) it's perfectly safe if you just don't disable your device's security mechanisms.
Yes, you're exposing yourself to some random people on the network who may try to attack your laptop or phone, but as long as you enable your firewall you're Probably Fine (TM).
I'd avoid using public WiFi if you're a government agent or working with highly sensitive data just in case. In all other cases (i.e. 99% of people using their laptop in public) it's perfectly safe if you just don't disable your device's security mechanisms.
HSTS is surprisingly NOT widely deployed, never mind HSTS Preload. Google, Amazon, eBay, BofA or Chase have neither. Facebook, to its credit, does, then again with Facebook your threat model is what’ inside the perimeter.
https://blog.majid.info/hsts-preload/
https://blog.majid.info/hsts-preload/
I'm no security expert, but this discussion leaves a large part of the threat model implicit before discussing countermeasures: what is the asset that needs protecting, who is the threat actor, what is the threat vector, what would be the likelihood and the damage. Not spelling this out leads to a lot of "yeah, but what about XYZ" discussions.
As of July 2022, only 55% of sites have secure SSL implementations (configuration errors and renegotiation vulnerabilities seem to drive the 45% who are insecure). - SSL Pulse, Qualys SSL Labs - a monthly scan of security issues in SSL implementations across the top 150k Alexa sites (https://www.ssllabs.com/ssl-pulse/). Methodology (https://github.com/ssllabs/research/wiki/SSL-Server-Rating-G...).
Disclaimer: I'm exploring an open source, community VPN called OpenRelay here: https://github.com/triumphantomato/openrelay
Disclaimer: I'm exploring an open source, community VPN called OpenRelay here: https://github.com/triumphantomato/openrelay
To me public Wi-Fi is pretty much a honeypot. Most people I know don't rely on it, especially with widespread 4G and mobile phones, so the only people using it are shady figures for whom open and public Wi-Fi is just another step in their OpSec.
I figure if you connect to an open Wi-fi and then to a VPN endpoint, you're put on some government list.
I figure if you connect to an open Wi-fi and then to a VPN endpoint, you're put on some government list.
At places like Starbucks I wonder what all they do behind the scenes to make sure the network is secure. Like if I go into a mom and pop coffee shop and ask for the WiFi password, that's one thing. But with starbucks all having a standardized wifi infra in their stores, I wonder what sorts of things are happening behind the scenes to make sure everything stays secure. If consumers are worried about WiFi at these places, I bet Starbucks IT obsesses over it.
Many people do rely on it, they don't probably even know what a password does vs an open network.
If people around you tend to have a profile like HN users yes they of course know what they're dealing with.
Bur for the rest of the non-techie 99% of the world, public Wi-Fi is perfectly fine.
If people around you tend to have a profile like HN users yes they of course know what they're dealing with.
Bur for the rest of the non-techie 99% of the world, public Wi-Fi is perfectly fine.
Perfectly fine for what? I live in Europe, everybody has Internet at home, and if they're out, they have 4G on their phone.
When would one need the coffee shop wifi, especially non-techies that go there just to have a coffee, not to work? Honest question.
When would one need the coffee shop wifi, especially non-techies that go there just to have a coffee, not to work? Honest question.
The vast vast majority of Europeans don’t have unlimited data plans with unlimited tethering. Not sure why you would think they do.
Reception can be pretty spotty in many areas as well, so even if you do have unlimited data and tethering, you might benefit from a public wifi.
Everyone who goes to a coffee shop with their work laptop is probably connecting to a VPN over open WiFi.
The DNS point is dangerous because you can simulate to be a “legit website” also with SSL, and instead it could be a Man in the Middle attack.
And also with closed Wi-Fi could be dangerous.
I use always my home WireGuard tunnel when I’m with with an unknown Wi-Fi access.
The point is not the Wi-Fi, but what to do with it. If you want to browse Instagram on a public Wi-Fi there’re issues but I wouldn’t buy plane tickets on a public Wi-Fi or browse my online banking account (without a trusted VPN).
And also with closed Wi-Fi could be dangerous.
I use always my home WireGuard tunnel when I’m with with an unknown Wi-Fi access.
The point is not the Wi-Fi, but what to do with it. If you want to browse Instagram on a public Wi-Fi there’re issues but I wouldn’t buy plane tickets on a public Wi-Fi or browse my online banking account (without a trusted VPN).
Love this quote:
> When times change, the wisdom from that past era tends to stay around for a longer while.
> When times change, the wisdom from that past era tends to stay around for a longer while.
This something that annoys me to no end about VPN ads. I listen to alot of podcasts so I can't go a day without hearing an ad for ExpressVPN. The ad read always includes a bit about "hackers being able to see your data on an open network".
And while technically true, I could technically run an old http only site and you might happen to be on the same network as a hacker using the decades old Firesheep, so yeah technically that could happen, but it's just so disingenuous when they come out and hammer that point home.
Anyways rant over.
And while technically true, I could technically run an old http only site and you might happen to be on the same network as a hacker using the decades old Firesheep, so yeah technically that could happen, but it's just so disingenuous when they come out and hammer that point home.
Anyways rant over.
"Additional, HSTS (with preloading) is quite widely deployed (especially at big cloud services), which makes plain text downgrade attacks hard to deploy."
looooooooooooool
Turns out, that was a lie
looooooooooooool
Turns out, that was a lie
Is it? I just checked https://hstspreload.org/, and it seems that twitter.com, facebook.com, outlook.com, cloudflare.com and gmail.com are all preloaded.
Or do you mean that downgrade attacks are still easy to deploy? Under what circumstances?
Or do you mean that downgrade attacks are still easy to deploy? Under what circumstances?
With a reverse proxy. You can reverse proxy any HSTS website, and feed it to any client over plain http
A client with the HSTS preload list will not connect to facebook.com over plan HTTP. That's the whole point.
This is terrible advise.
In WPA and WPA2 the password means network use is encrypted, which means a completely passive adversary can't just snoop the network so long as there's a password.
But in WPA3 even without a password everything is encrypted anyway, your station says "Hey, I'm joining this network here's a number" and the AP says "Welcome aboard, here's a different number" and now you've got encrypted networking. Obviously with no password the AP could be an imposter, but passive snooping is impossible.
On the other hand, if you're dead set on identifying users, there's no substitute for the Enterprise WiFi behaviour all the way from WPA onwards where users have a username and password, doing this locally for your home WiFi is very annoying, but at scale it's convenient yet able to be responsible. The entire world's academic community have a single such network EduROAM, if you're an MIT student and you happen to be in the library of a Polish university, your WiFi just works, or if you're a Cambridge professor giving a talk at the University of Sydney in Australia, same deal. The institution where you're a guest knows your identity (often email address), but doesn't see your credentials (password in most cases), it's trusting your home institution to validate that identity.