Do not use anything on public WiFi unless the security patches are current.
Android [can] have better defenses than a Windows laptop:
- Android has MAC randomization.
- The Bromite fork of Chrome has DNS-over-HTTPS options in settings (I think Chrome requires a command line option to configure DoH, but I don't use Chrome so I'm not sure). ISPs hate DoH. Be aware that non-browser apps will use regular DNS. Some public WiFi blocks DoH (I'm configured for OpenDNS), so be ready to fall back to another browser using regular DNS.
- Bromite has an option to always check for https - enable it.
- Tor Browser is a bit easier to get on Android.
- SMTP has an opportunistic TLS exchange that can be thwarted, so I wouldn't use it.
- For me, I would wipe the stock OS off the device and run Lineage de-Googled.
Using Tor is much worse than using public wifi, because instead of handing all your unencrypted traffic over to McDonalds + whoever's within 100 feet of you, you're handing it over to someone sketchy enough to run a Tor exit node.
>Do not use anything on public WiFi unless the security patches are current.
That's good advice for going online in general but nothing about public wifi makes this particularly more dangerous.
>Android [can] have better defenses than a Windows laptop:
>- Android has MAC randomization.
Windows has that too [1]
>- The Bromite fork of Chrome has DNS-over-HTTPS options in settings (I think Chrome requires a command line option to configure DoH, but I don't use Chrome so I'm not sure). ISPs hate DoH. Be aware that non-browser apps will use regular DNS. Some public WiFi blocks DoH (I'm configured for OpenDNS), so be ready to fall back to another browser using regular DNS.
You are conflating Chromium and Chrome but all Chromium-based browsers have this under security settings [2]
>- Bromite has an option to always check for https - enable it.
Again this is all Chromium browsers under security settings [2]
>- Tor Browser is a bit easier to get on Android.
Huh? [3]
>- SMTP has an opportunistic TLS exchange that can be thwarted, so I wouldn't use it.
You aren't using SMTP directly from a consumer ISP connection anyways. If the ISP doesn't drop the traffic, the server you are connecting to will probably reject the message as spam.
>- For me, I would wipe the stock OS off the device and run Lineage de-Googled.
Sure that's great if you are privacy conscious but has no bearing on whether public wifi is safe. If anything, one could argue you are slightly less safe since Google tends to be very aggressive about signing and certificate pinning so you could be more likely to notice if someone is doing an MITM.
> That's good advice for going online in general but nothing about public wifi makes this particularly more dangerous.
A busy public WiFi controlled by a hostile party is more likely to engage in port scans and other intrusive probes, so yes, this advice holds extra weight.
Similar issues apply to Tor guard nodes, which would be slightly more dangerous.
...did not know about Microsoft MAC randomization, thanks.
>You are conflating Chromium and Chrome but all Chromium-based browsers have this under security settings
Brave browser does not implement this URL after a cursory examination. It will be interesting to see if the OpenBSD chromium package offers it.
Tor is in Play and F-Droid. I doubt it is in the Windows store, but I could be wrong.
>You aren't using SMTP directly from a consumer ISP connection anyways. If the ISP doesn't drop the traffic, the server you are connecting to will probably reject the message as spam.
The parent post mentioned SMTP. If the recipient is local and valid, the remote MTA will likely accept for delivery.
>If anything, one could argue you are slightly less safe since Google tends to be very aggressive about signing and certificate pinning
Google has also unquestionably had a caustic and corrosive impact upon privacy in a myriad of realms. They can and do receive subpoenas constantly, and the only way out of their databases is wiping all of their closed-source components from your devices.
>A busy public WiFi controlled by a hostile party is more likely to engage in port scans and other intrusive probes, so yes, this advice holds extra weight.
I mean if you define the party as hostile then yeah but that also all applies to a non-public network controlled by a hostile party but [Citation Needed] that this is something that people are likely to encounter in the wild. If it were at all common it would be pretty noticeable because you'd notice any certificate shenanigans and it wouldn't take that long for a technical person to come along and notice any port scanning. That's before considering that OSes typically have a more aggressive firewall posture on public networks to begin with, not making them particularly juicy targets.
>Brave browser does not implement this URL after a cursory examination.
Brave has to be a snowflake but it's just a restyling of the same settings page: brave://settings/security
>Google has also unquestionably had a caustic and corrosive impact upon privacy in a myriad of realms. They can and do receive subpoenas constantly, and the only way out of their databases is wiping all of their closed-source components from your devices.
Security != Privacy and those are frequently completely at odds. It's hard to argue that public wifi is anything but a privacy nightmare but from a purely technical security perspective, I must just shrug at public wifi now.
Hostile guard and exit nodes are free to probe the origin and destination hosts, and this activity is unified on public WiFi. In Tor, they are separate issues on entry to and exit from the network. The issue is the same, and care should be taken. A hostile router will allow exactly this behavior, in both directions.
Your Brave URL does not work on my Android device, nor is it listed in brave://about and is running v1.36.116.
OpenBSD does have a chrome://settings/security page, but makes no mention of DNS-over-HTTPS, and is currently at 93.0.4577.82 after a "pkg_add -u". I might check the Ubuntu snap later.
If you are compromised by a privacy issue, you are no less compromised than you are by a security issue. Your metadata in Google's systems is an attack surface that, for many people, would not outweigh the security benefits that their aggressive scanning awards.
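Added example, not part of any post in this thread: the thread's point that SMTP's opportunistic TLS exchange "can be thwarted" comes down to whether the client fails open or fails closed when STARTTLS is missing from the EHLO reply. The sketch below parses two constructed EHLO replies (host name and extension list are assumptions) and shows the decision each client policy makes.

```python
import re

# Constructed sample replies, not captured traffic.
INTACT_EHLO = (
    "250-mail.example.test greets client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The same reply as the client sees it when the STARTTLS line never arrives.
STRIPPED_EHLO = INTACT_EHLO.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    lines = [line for line in reply.split("\r\n") if line]
    extensions = set()
    for index, line in enumerate(lines):
        match = re.fullmatch(r"250([- ])(.*)", line)
        if match is None:
            raise ValueError("not a 250 reply line: %r" % line)
        if index == 0:
            continue  # first line is the server greeting, not an extension
        words = match.group(2).split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def next_step(reply, require_tls):
    """Decide what the client does after EHLO.

    require_tls=False models opportunistic TLS: no STARTTLS means the
    message goes out in cleartext. require_tls=True fails closed instead.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"
    return "ABORT" if require_tls else "SEND_PLAINTEXT"


if __name__ == "__main__":
    for name, reply in (("intact", INTACT_EHLO), ("stripped", STRIPPED_EHLO)):
        for strict in (False, True):
            print(name, "require_tls=%s" % strict, "->", next_step(reply, strict))
```

With Python's `smtplib`, the fail-closed behaviour is what you get by calling `starttls()` unconditionally with a verifying `ssl.create_default_context()`, since it raises when the server does not advertise the extension; guarding the call with `has_extn("starttls")` is the opportunistic pattern.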