Is public WiFi as dangerous as people claim? (opens in new tab)

(zitadel.com)

15 pointsmffap3y ago4 comments

4 comments

4 comments · 1 top-level

jc_8113y ago· 3 in thread

->Picture this scenario as an example: You are sitting in the airport waiting room, patiently waiting for the boarding you begin. While scrolling through Zalando, you find a pair of sneakers that catch your attention and are ready to make a purchase. You sign in and fill out the delivery and payment information as usual. However, little do you know that a hacker has secretly positioned themselves between you and the online store, sneakily taking notes of the data only Zalando was meant to receive. Simply as that, not only has the man-in-the-middle learned about your login credentials, but also your address and credit card information.

Wouldn't a connection being served over SSL mitigate this scenario? I can't imagine any online store not being served over SSL in 2022

jstarfish3y ago

> I can't imagine any online store not being served over SSL in 2022

It happens. Someone's computer-proficient nephew gets asked to create a shop frontend for a family/hobby business, so they drop WooCommerce on a shared host and go live. What's SSL?

There are also the failures to redirect 80->443 or disable non-HTTPS access, so tools like SSLStrip can still pay off.

ffo3y ago

This is so true in practice ;-)

Also a problem I encountered in the wild, is that a potential attacker tries to trick a user into installing a malicious CA Public key as requirement to be allowed past the captive portal.

Unfortunately mitigating this is hard(er) and only mTLS could solve that issue.

mffapOP3y ago

Unfortunately, very valid point. Love the example btw :)

Browsers have been getting better at warning users. Which is actually a great help, I think. But no guarantee at all, especially for less tech-savvy users.

j / k navigate · click thread line to collapse

4 comments

4 comments · 1 top-level

jc_8113y ago· 3 in thread

->Picture this scenario as an example: You are sitting in the airport waiting room, patiently waiting for the boarding you begin. While scrolling through Zalando, you find a pair of sneakers that catch your attention and are ready to make a purchase. You sign in and fill out the delivery and payment information as usual. However, little do you know that a hacker has secretly positioned themselves between you and the online store, sneakily taking notes of the data only Zalando was meant to receive. Simply as that, not only has the man-in-the-middle learned about your login credentials, but also your address and credit card information.

Wouldn't a connection being served over SSL mitigate this scenario? I can't imagine any online store not being served over SSL in 2022

jstarfish3y ago

> I can't imagine any online store not being served over SSL in 2022

It happens. Someone's computer-proficient nephew gets asked to create a shop frontend for a family/hobby business, so they drop WooCommerce on a shared host and go live. What's SSL?

There are also the failures to redirect 80->443 or disable non-HTTPS access, so tools like SSLStrip can still pay off.

ffo3y ago

This is so true in practice ;-)

Also a problem I encountered in the wild, is that a potential attacker tries to trick a user into installing a malicious CA Public key as requirement to be allowed past the captive portal.

Unfortunately mitigating this is hard(er) and only mTLS could solve that issue.

mffapOP3y ago

Unfortunately, very valid point. Love the example btw :)

Browsers have been getting better at warning users. Which is actually a great help, I think. But no guarantee at all, especially for less tech-savvy users.

j / k navigate · click thread line to collapse