
82% of People Say They Connect to Any Free WiFi That’s Available in Public - sharkweek
https://decisiondata.org/news/report-82-of-people-say-they-connect-to-any-free-wifi-thats-available-in-a-public-place/
======
caymanjim
I'm one of those 82%. The risk is vastly overblown. If you use apps (e.g. for
banking), they're already communicating over encrypted connections, and
they're not going to accept unknown certificates. They're completely secure.
The Google Play Store and the Apple App Store are completely secure. Your
browser is going to warn you about certificates that don't match expectations.
You have to go out of your way to fall victim to any MITM attack. The risk
from a hostile WiFi is pretty close to zero unless you're the kind of person
who blindly clicks on links in email you get, and people like that are unsafe
in any environment.

~~~
eli
You typo an address in your URL bar and an attacker can serve you a fake login
page of your intended destination complete with valid SSL cert.

~~~
taqcp
Regular users should not be using the URL bar, they should type whatever they
want in the search bar.

~~~
Endy
I disagree strongly here. We should be encouraging users to take
responsibility and agency for their actions. As admins and tech-aware people
in our circles, we should be constantly encouraging better habits like typing
URIs manually, decreasing the use of search engines for non-search purposes,
and trying to spread literacy.

Besides, it's not like we should ever trust a search engine as an authority on
anything but the results that bring the host company more money.

~~~
joshuamorton
Why is typing a URI manually better?

It's undoubtedly less secure and its upside is...what exactly?

~~~
Endy
Personal responsibility is the main benefit; teaching people to look twice at
what they do on the Internet. And frankly speaking, if manual user entry is
less secure than software that the user does not own from metal to UI, then we
need to upgrade the users, not the Web. Demanding a manual entry means that
the user is taking deliberate action, not following whatever some piece of
software is telling them to be correct.

~~~
joshuamorton
Personal responsibility, in and of itself, is not usually considered to be a
benefit. It is considered a thing one has to undertake to achieve a benefit.

You seem to be suggesting that if I intend to visit mywebsite.com, that typing
"myw", seeing "mywebsite.com", and hitting enter is somehow less deliberate
than typing "mywebsit.com" and going to a site that was not my intent.

Given that only the first one of these things reflects my intent, describing
the second as deliberate and the first as not-deliberate requires some odd
twisting of definitions.

Your fear, it seems, is that tools we use might influence how we act.
This is nothing new. Stories started to rhyme less when we figured out how to
write things instead of memorizing them. That was still probably undoubtedly
an improvement. So can you perhaps clarify what specific influences that our
tools have might be bad? For example, my browser suggesting "mywatertower.com"
instead of "mywebsite.com" because the first paid for a higher position.

That seems a reasonable end state to fear, but I have no reason to believe
we're heading that direction. Do you? Is inconveniencing (literally) billions
of people and forcing them to take less secure paths to do what they want
worth avoiding a possibility that certainly doesn't seem imminent?

~~~
Endy
To me, it's definitely worth it to "inconvenience" people and demand conscious
behavior. With the largest browser vendor being the largest advertising agency
and the largest search engine, encouraging anyone to have anything beyond the
barest minimum to do with them goes against everything I believe in. Search
engines should not be able to intercede in direct Web activity; they should be
used for content discovery and nothing else. You should not be able to type
three letters and get a full URL unless you personally wrote a macro to do
that.

Then again, when users stopped having to specify protocol for every server,
that was probably the beginning of the end of deliberate browsing. My fear is
really that people take the Web and the Internet as a whole for granted; and I
want to see procedures put in place to demand that all users be aware of their
actions, what data they share with servers, and all of what's being downloaded
to their computer.

I don't like having to remind people that there is no "Cloud", only someone
else's computer. And you're saying you trust that other person's machine and
security more than your own by storing critical data there. Or pointing out
what having one CDN for so much of the Web did last month.

~~~
joshuamorton
> You should not be able to type three letters and get a full URL unless you
> personally wrote a macro to do that.

Should you be unable to drive unless you can, IDK, build an automatic
transmission? This point of view reduces, as far as I can tell, to the idea
that good user interfaces should only be extended to those privileged with
enough expertise to build them themselves.

This requires a level of literacy that most users will never be able to meet,
by virtue of most people not having time to learn a programming language since
they have other responsibilities.

It's also not clear why you aren't extending this backwards: why is it okay to
use a browser I didn't write myself (or at least compile from source)? What
about my OS? Do you really expect every user to have full knowledge of their
entire system? That puts severe limits on the potential tooling we can use,
and goes counter to one of the core ideas of software engineering:
abstraction.

> And you're saying you trust that other person's machine and security more
> than your own by storing critical data there.

Yes, I trust security teams and engineers whose job is security and
reliability more so than I trust myself, in much the same way that I'd trust a
surgeon to do surgery better than myself. I realize that there's
certification/training differences that may be relevant, but in general, the
same ideas apply.

------
bsamuels
Any security professional who says there's a large _security_ risk when using
free wifi has completely lost their marbles.

App stores require apps to use https nowadays, and nobody is MITMing https,
full stop.

If you want to talk about risks of using public wifi, then privacy should be
the topic. DNS queries are not encrypted. Imagine how valuable it would be for
a chain like Starbucks to know what websites their customers are looking at
while in the store? I don't know if they do that, but it's multiple orders of
magnitude more likely than a free wifi access point posing a security risk to
end users.
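
Added example, not part of the thread: the privacy point above in code. A classic DNS query goes out over UDP in the clear, so whoever runs the access point (or anyone else on an open network) can read the hostname straight out of the packet. The block builds a query the way a stub resolver would and then extracts the name from the raw bytes the way a passive observer would; the query bytes are constructed here and nothing is sent on the wire. The name decoder also follows RFC 1035 compression pointers, which is what you need to read names out of captured responses, not just queries.

```python
"""Plaintext DNS on shared Wi-Fi: the queried name is readable by anyone on the link.
Constructed example (stdlib only); no network traffic is generated."""
import struct
from typing import Tuple


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A-record query in RFC 1035 wire format (no EDNS)."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a domain name at `offset`, following compression pointers (0xC0xx).
    Returns (name, offset of the first byte after the name as it appears in place)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def sniff_qname(payload: bytes) -> str:
    """What a passive observer extracts from the UDP payload of a DNS packet:
    the question name, sitting right after the 12-byte header."""
    _txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, _end = read_name(payload, 12)
    return name


# Constructed sample: what leaves a laptop when its user opens their bank's site.
SAMPLE_QUERY = build_query("mybank.example.com")

if __name__ == "__main__":
    print("observer sees:", sniff_qname(SAMPLE_QUERY))
```

DoT/DoH, mentioned further down the thread, wrap this same message in TLS so only the chosen resolver sees the name; the access point then sees only that a resolver was contacted.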

~~~
_jal
> and nobody is MITMing https

Any security professional asserting this doesn't know whereof they speak.
There are entire product categories of MITM devices ("TLS inspection") for
sale. Another poster mentions nation states doing this openly.

But aside from many corporations and some nation states, nobody is doing
this, full stop.

~~~
tsimionescu
Corporate TLS Inspection products rely on each user (or the system
administrators) installing the MITM certificate on all corporate systems.
Unless users are also installing 'public' root certificates, this is a non-
issue. And if users _are_ installing bad root certificates, then a fully
closed wifi network will not be very good protection either way.

Now, nation states, which may be able to obtain valid PKI certificates for
MITM purposes, are a whole other level of adversary. Still, again, anyone who
can do that will probably not be deterred by you using a WPA2-PSK protected
Wi-Fi AP.

So, overall, I don't see what kind of increased security risk you would be
exposing yourself to by using public wifi networks.

~~~
_jal
OP said "full stop". You don't make a categorical claim like that with a large
asterisk when talking about things like this.

"Nobody can open this lock, full stop." "...well, except for nation states,
and people who can touch it."

~~~
vetinari
The point is, that the user has to do explicit action to allow TLS MITM. You
cannot MITM until the user allows that, or uses a device that was already
configured to allow that.

------
felipeerias
Why does not having a WiFi password mean that the information must travel
unencrypted?

And why is a password enough to encrypt that information, even if said
password is written in large letters on a wall for everybody to see?

I'm sure that there are good technical reasons, but at the same time it
seems like there should be a better way to have convenient and safe WiFi
networks in public spaces.

~~~
beatgammit
I think the answer is that public WiFi hotspots don't have any way of
verifying that they are who they say they are, whereas TLS works because you
have a trusted third party (the CA) that verifies the keypair.

So, if a WiFi hotspot used something like TLS, the data would be encrypted,
but you have no way to verify that you're not going through a malicious third
party's hotspot on the way to the public WiFi.

~~~
jackewiehose
Ok, but to quote my GP:

> And why is a password enough to encrypt that information, even if said
> password is written in large letters on a wall for everybody to see?
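
Added example, not part of the thread, addressing the question quoted above. On WPA2-Personal every station's pairwise key is derived from the shared passphrase plus values that cross the air in the clear during the 4-way handshake (both MAC addresses, ANonce, SNonce). So anyone who knows the passphrase on the wall and captures those frames derives the same PTK as the client, can verify the handshake MIC, and holds the temporal key that client's traffic is encrypted with. The PBKDF2 and PRF steps below follow IEEE 802.11; the MAC addresses, nonces and the minimal EAPOL-Key frame are constructed for the demonstration.

```python
"""WPA2-PSK: a passphrase everyone knows gives no confidentiality between clients.
Constructed example, stdlib only."""
import hashlib
import hmac
from typing import Dict


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (384 bits) = KCK(16) || KEK(16) || TK(16)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# EAPOL(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)
# + key nonce(32) + key IV(16) + key RSC(8) + key ID(8) = 81 bytes before the MIC field
MIC_OFFSET = 81


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1-128 over the frame with the MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed, minimal EAPOL-Key message 2/4 (no RSN IE key data), just enough to carry a MIC."""
    key_info = b"\x01\x0a"  # MIC bit | Pairwise | descriptor version 2 (HMAC-SHA1 MIC, AES key wrap)
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 (Key)


def eavesdrop(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
              anonce: bytes, snonce: bytes, msg2: bytes) -> Dict[str, object]:
    """What a passive observer holding the passphrase recovers from a captured handshake."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    kck, tk = ptk[:16], ptk[32:48]
    mic_ok = hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])
    return {"tk": tk, "mic_ok": mic_ok}


def demo(passphrase_on_wall: str = "coffee2019", ssid: str = "CafeFreeWifi") -> Dict[str, object]:
    """Client and an insider both run the derivation; a stranger with a wrong guess fails the MIC check."""
    ap_mac = bytes.fromhex("aabbccddeeff")   # constructed
    sta_mac = bytes.fromhex("001122334455")  # constructed
    anonce = bytes(range(32))                # constructed; real nonces are random
    snonce = bytes(range(32, 64))
    # Legitimate client: derive the PTK and sign message 2 with its KCK.
    ptk = derive_ptk(pmk_from_passphrase(passphrase_on_wall, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_msg2(snonce, eapol_mic(ptk[:16], build_msg2(snonce)))
    # Anyone who read the wall and captured the handshake ends up with the same TK.
    insider = eavesdrop(passphrase_on_wall, ssid, ap_mac, sta_mac, anonce, snonce, msg2)
    stranger = eavesdrop("wrong-guess", ssid, ap_mac, sta_mac, anonce, snonce, msg2)
    return {"client_tk": ptk[32:48], "insider": insider, "stranger": stranger}


if __name__ == "__main__":
    result = demo()
    print("insider MIC check:", result["insider"]["mic_ok"], "same TK:", result["insider"]["tk"] == result["client_tk"])
    print("stranger MIC check:", result["stranger"]["mic_ok"])
```

The password therefore only keeps out people who do not have it; against everyone who can read the wall, WPA2-PSK behaves much like the open network the question compares it to, and the end-to-end protections discussed elsewhere in the thread (TLS, pinning) are what actually separate one customer's traffic from another's.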

------
Ayesh
The best security is the one you don't have to educate people about. Today's
HTTPS implementations such as HSTS/Preload, DoT/DoH, etc can thwart most of
the dumb attacks easily. In mobile apps, you can even pin a particular
certificate and it's pretty much safe from someone with network access.

I work on security, and I connect to open wifi networks all the time when I
travel. I trust myself to not install random root certs and not to be ignorant
enough to go past https warnings.

For my own apps, I have HSTS preloaded, proper CSP headers, and don't allow
TLS < 1.2.
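
Added example, not part of the thread: a check for the HSTS preload requirement the post above mentions. Preloading matters precisely on hostile networks, because without it the browser's very first `http://` request to a host (which is what you get when you type a bare domain, as noted earlier in the thread) goes out in the clear and can be answered by the access point; a preloaded entry means that request is never sent. The Chromium preload list requires `max-age` of at least one year (31536000), `includeSubDomains` and the `preload` token; the header strings below are constructed, and the other list requirements (HTTP-to-HTTPS redirect, valid chain) cannot be judged from the header alone and are not checked here.

```python
"""Does a Strict-Transport-Security header satisfy the preload-list requirements?
Constructed example, stdlib only; headers are sample strings, not real sites."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into {directive: value or None}.
    Directive names are case-insensitive and must not repeat (RFC 6797 section 6.1)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header: Optional[str]) -> List[str]:
    """Reasons the header would be rejected for preloading; an empty list means it passes."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


# Constructed sample headers as a scanner might have collected them from the apex hosts.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "good.example": "max-age=63072000; includeSubDomains; preload",
    "short.example": "max-age=300; includeSubDomains; preload",
    "nosub.example": "max-age=31536000; preload",
    "dupe.example": "max-age=31536000; max-age=1; includeSubDomains; preload",
    "none.example": None,
}


def check_all(headers: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, List[str]]:
    """Run the preload check over a host -> header map."""
    return {host: preload_problems(h) for host, h in headers.items()}


if __name__ == "__main__":
    for host, problems in check_all().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Note that `includeSubDomains` is what stops an attacker on the network from redirecting a typed `www.` or other subdomain to plaintext when only the apex has been visited before; a header that omits it passes the browser's own HSTS handling but is rejected for the list.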

------
ronjouch
Networking newbie question: why are "locked-by-password" and "secure"
conflated with WiFi?

Is there a technical reason for not having access points that are
secure/encrypted _and_ open?

HTTPS is able to do protocol negotiation in the open, then provide a secure
channel. Why is there no such thing at the WiFi link layer?!

I found some discussion at
https://security.stackexchange.com/questions/35867/why-isnt-open-wifi-encrypted
and
https://security.stackexchange.com/questions/149422/why-isnt-a-standard-for-encrypted-but-open-wifi-developed
, with wildly varying answers.

------
duxup
Random HP printers, Wi-Fi with weird names ... no.

Places of business ... Yeah I guess I do that, and really, I've no idea if
that is actually that business's wi-fi.

Granted I run a VPN at nearly all times anyway.

~~~
agumonkey
Anybody ever abused wireless printers' direct wireless modes?

------
ConfusedDog
Because the alternative is no wifi. Give me a more secure option, I'd take
that. Otherwise, I'm gonna trust TLS does its job. I know there could be a
"heartbleed" zero-day out there, but beats no internet at all.

------
el_benhameen
I think the point that some of the naysayers here are missing is that while
SSL and a VPN aren't _perfect_ security, they're more than enough for Joe
NineToFive. They eliminate the vector of a random person running a honeypot
network trying to scoop up low-hanging banking credentials. If you have a
knowledgeable, perhaps state-level adversary trying to get you in particular,
then yes, connecting to random hotspots is probably not a great idea, but you
either already knew that or were compromised long ago.

------
dmortin
Does it actually matter if you use SSL for connections?

~~~
saagarjha
Ideally, no. If you install their CA certificate, though, all bets are off.

~~~
blendergeek
I don't think 82% of people regularly install CA certificates from random
WiFi.

~~~
ygjb
I am inclined to believe a lot would, since it's easy to, and many users don't
understand the implication of doing so. It's simply the button in the way of
getting wifi. It's not that users are dumb, it's that the industry has made
this a painful footgun that is easy to trigger.

------
winter_blue
If you use a VPN, it's absolutely safe.

The solution is _to raise more public awareness_ of VPNs, and their benefits.

Also, automating the setup of self-hosted VPNs (like OpenVPN) on a home
machine (like a Raspberry Pi plugged into the router) would go a long way. I
personally prefer not to use third-party VPN providers, as I don't really know
whether I can trust them.

~~~
jrockway
A VPN just pushes link-layer security off to someone else. Now instead of
trusting your coffee shop, you're trusting your VPN vendor. Why a VPN vendor
deserves any more trust than your coffee shop is beyond me.

Trusting the link layer is an unnecessary band-aid. It doesn't need to be
trusted, and you should always operate with the assumption that it's not
trusted. Only trust end-to-end encryption and authentication.

~~~
ygjb
I agree with the first line - with the proviso that there are (IMO)
trustworthy third parties that have vetted some VPNs (for example, Mozilla's
partnership). I also agree that E2E could resolve a number of issues, but I
don't think it's practical or useful advice.

Your second line steps toward security absolutism, since it just pushes out
the trust boundary one step further and requires even more technical expertise
to be actionable, especially in contrast to using a VPN provider.

The advice to only trust E2E encryption is only useful if you trust both the
E2E service provider and the implementation, especially where the service
provider owns the only compatible implementations, and the implementation is
closed source.

The recent observations that FB could, either willfully, or under coercion,
completely undermine their E2E implementation illustrates that, in general,
solutions that are user friendly, readily accessible, and operating at scale,
are subject to manipulation for economic, law enforcement, or political
reasons.

~~~
jrockway
If you can't trust the other end of the E2E implementation, there is nothing a
VPN can do to get you closer to trusting them. Of course Facebook has all the
requests you sent to them. You sent them! Using a VPN doesn't prevent Facebook
from misusing the data they collect on you.

Perhaps using a VPN prevents them from logging your IP address. But they still
have your username that you logged in with, your phone's device ID, your
session cookies (which were created when you were at home on WiFi), your
browser's signature, etc. Again, using a VPN isn't going to stop any of that.

The likely outcome of using a VPN is that Facebook's analytics will know
exactly who you are, but their global rate limiter will cut off your access
because your IP address is now shared with a thousand other people, some of
whom are using a VPN to spam them.

------
eyeball
How much protection do you gain by using a vpn like PIA, nord, etc. with a
“kill switch” option turned on ?

------
dep_b
I find public WiFi without password unhygienic just like the average pub
toilet or an internet café Windows XP computer. I might get away fine using
them but I always feel a bit dirty afterwards.

Paid for an unlimited 4G plan just to not have to use public WiFi anymore
anywhere.

------
rolph
i used to run a little gig where the free wifi was the gateway, and the access
points were a threesome of 802.11 extenders jacked up with an amplifier and
labeled as per wifi provider. basically MITMing the starbucks feed and
eavesdropping out of prurient curiosity. it was easy and got boring after a
while so i stopped. never went beyond snooping, but i could have screwed a lot
of people if i was an evil guy.

------
edf13
I’ve a new one... let’s ask how many people think the green/ssl bar means it’s
safe to enter your credit card details into the site?

SSL != trust

~~~
brokenmachine
How many people even know about the bar/lock at all? Most people don't have
any idea how it all works.

------
devoply
use cloudflare's free vpn, problem solved.

~~~
rstupek
Isn't the wait list quite long now for it? I'm still at >200k on the wait list
with little movement

~~~
tomschlick
They haven't opened it up yet because of some changes with the iOS networking
side of things. Last update was they were finishing that up over the past/next
few weeks.

