
Why public WiFi is dangerous - niuzeta
https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6
======
mynewwork
"We do the same for Facebook: Slotboom is able to intercept the login name and
password I entered with relative ease."

Is Facebook not using encryption for login? That would surprise me. Or is the
author either blatantly lying or intentionally being deceptive (i.e., he clicked
past an invalid certificate warning or similar)?

~~~
sp332
If you type in facebook.com, your browser will use HTTP by default. The login
page will redirect you to HTTPS, but it's too late, you're MITM'd. The
attacker makes the HTTPS connection instead, and serves the page to you over
HTTP. You put your username and password in and send it back to the attacker
in plain text. The attacker sends the data to Facebook via HTTPS, decrypts the
response, and sends it to you via HTTP. It's called sslstrip.
[http://www.idcloak.com/learning-center/faceniff-SSL-Strip-facebook-and-twitter-account-hacked-easily/a560.html](http://www.idcloak.com/learning-center/faceniff-SSL-Strip-facebook-and-twitter-account-hacked-easily/a560.html)

~~~
hrasyid
Don't browsers typically verify the identity of a HTTPS page and warn you if
something is not right?

~~~
sp332
Right, but in this case your browser never sees the page over HTTPS. The
attacker makes the secure connection, and feeds you data over an insecure
connection that they can see.

    You <-(HTTP)-> Attacker <-(HTTPS)-> Facebook

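The mechanism sp332 describes depends on that very first request leaving the browser as plain HTTP. As an added illustration (not part of this thread and not sslstrip itself), the Python sketch below models a browser choosing the scheme for a typed hostname, with and without a cached HSTS policy (the Strict-Transport-Security header, RFC 6797), which is what removes the plaintext hop; all hostnames and header values are constructed.

```python
# Model of the sslstrip scenario from the thread: the scheme a typed hostname
# leaves the browser with, and how an HSTS cache (RFC 6797) changes that.
# Hostnames and header values used here are constructed for the example.
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) or None if unparseable."""
    max_age, subs = None, False
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif name.lower() == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)

class Browser:
    def __init__(self, preload=()):
        # host -> (expiry, include_subdomains); preload entries never expire
        self.hsts = {h: (float("inf"), True) for h in preload}

    def observe_response(self, host, headers, over_https, now):
        """Record HSTS only when the header arrived over HTTPS; anything seen
        on the plaintext hop could have been inserted or removed in transit."""
        hsts = parse_hsts(headers.get("Strict-Transport-Security", "")) if over_https else None
        if hsts is None:
            return
        max_age, subs = hsts
        if max_age == 0:
            self.hsts.pop(host, None)  # max-age=0 tells the browser to forget the policy
        else:
            self.hsts[host] = (now + max_age, subs)

    def known_hsts_host(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, typed, now):
        """Scheme of the very first request: 'http' is the plaintext hop the
        thread describes; 'https' means there is nothing for sslstrip to see."""
        url = urlsplit(typed if "://" in typed else "http://" + typed)
        if url.scheme == "http" and self.known_hsts_host(url.hostname, now):
            return "https"
        return url.scheme
```

A first visit to a host the browser has never seen over HTTPS still starts with plain HTTP, which is why the preload list matters for sites like the one in the article.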
------
Evolved
Is this the device?

[https://wifipineapple.com](https://wifipineapple.com)

