Vanja Svajcer, Carole Theriault and I have made another special “splinter” episode of the “Smashing Security” podcast – tackling the tricky problem of public Wi-Fi hotspots.
Oh, and this episode is a tiny bit rude. So maybe young ears shouldn’t listen.
Smashing Security: 'Using public Wi-Fi'
Show notes:
- VPN comparison chart
- The dangers of public Wi-Fi – and crazy things people do to use it
- Free open WiFi suspected in Facebook hack of Missouri state representatives
- Finally! Yahoo Mail to turn on SSL by default in 2014
- 150+ best Wi-Fi names for your router
Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team at @SmashinSecurity on Twitter.
The absence of HSTS, HPKP and DNSSEC means that on public WiFi you can't be certain that the site is delivering you genuine or secure content… SSL/TLS does not guarantee security where the site is operated by a rogue actor. Similarly connecting over WPA(2) doesn't guarantee authenticity of a site nor does it mean that other people on the open network (i.e. password freely available) cannot intercept your traffic.
Even a normal VPN can be compromised by early interception of the traffic. There are technical ways using PKI to ensure integrity of the connection but most VPNs do not implement this.
Obviously none of what I've said should detract people from seeking WPA(2) protected networks and only transmitting data to sites over SSL but I'd strongly recommend that NOBODY use public WiFi for the reasons I've already given. So:
* Use 4G (or 3G) in preference to public WiFi
* Use your VPN over 4G/3G for optimal security
* Don't connect to public WiFi – it's insecure, potentially dangerous, slow and intrusive
@Graham, you talked about mobile app insecurity but you didn't touch upon a very positive development by Apple – TL;DR: it was due to become a requirement for all iOS and OS X apps in its store to use App Transport Security by December 31st 2016
They've now extended the deadline past 31/12/16 but this is the way things are going:
https://developer.apple.com/news/?id=12212016b