Hacking WiFi to inject cryptocurrency miner to HTML requests (CoffeeMiner) (opens in new tab)

Since we won't get https everywhere soon, is WPA2 on a public Wifi with a publicly known key a workaround? Should prevent plain MITM?

It's also a scummy thing to do and sets a terrible precedent. Do you want friendly customers on your WiFi or do you want angry customers who feel cheated when they learn the truth?

let's submit patches that mine coins, with the recent 30% perf drop thanks to meltdown people won't notice

I wonder how many use ASICs for mining at public power outlets.

Why do HTTPS pages get a pass? Between CDNs and ad networks, there's a ton of code out there. At some point, we decided that a magical protective box could make it okay for random people on the internet to run code on our machines. We keep finding this premise to be flawed, with Applets, and with Flash, and now with Javascript, and we always say "oh, if only we had a better protective box, it would have prevented this specific form of attack". Maybe the premise is flawed. Maybe no box is strong enough. Maybe we should stop running code from websites.

Wouldn't WPA2 protect users from an attack like this?

New users are green, iirc 50 or 100 karma points required to get normal grey

Your sense of humour must be very unique.

One problem I have with that is: by the time I’m conected to WiFi, I don’t know how much traffic has already passed through before I could active the VPN. How many background tabs suddenly realized that they had internet again and started sending information (and how many of those used insecure, third party scripts?). Many apps/programs also seem to happily start phoning home as soon as they got WiFi.

I used to have little snitch[1] set up custom rules depending on where I’m connected (allow only local network on unknown WiFi’s until connected to a VPN) but that never really worked well because some WiFi’s allowed third party IP addresses (to tracking scripts or their home page) which meant I got to tracking down this IP and adding a temporary rule for that. Suddenly quickly connecting to hotspots often became a tedious 10 minute process. This also had the positive side effect that I could prevent A LOT of apps from phoning home but at the end it was not worth all the hassle (because almost nothing just worked) and I decided not to install little snitch for my current installation. The only thing I really miss it is when I connect to my phone hotspots because I’m always afraid application XYZ decides to download an update and eat my (very limited) mobile bandwidth.

Furthermore there is no way to do that on my mobile phone where I have even less control over. My current solution is to never connect to free WiFi networks in the first play and in the few cases I need to, just hope that the provider is not evil. This sucks when I’m on vacation, though, because I’m at their mercy.

[1]: a very flexible application based firewall which allows you to set which app is allowed to connect to with ip/dnsName:port https://www.obdev.at/products/littlesnitch/index-en.html

Well, one persistently active tab with a non-https site open.

I suppose you could configure the rogue AP to have one of those registration pages but the registration page tells them the WiFi will only work so long as they keep that tab open.

It's in the article. He spoofs the MAC address to trick the gateway into thinking the attacker is the victim.