Can you trust public wifi?

This has been something that has bothered me for a while. It is always recommended that you should not trust public wifi - but I think this is a farce given the advancements we’ve made in modern browsers and HTTPS.

Do we still need to worry?

A man-in-the-middle attack, or spoofed or poisoned DNS, on a public WiFi with the right coding can make fake sites appear legitimate. Inserting credentials can store them in a local DB and pass them on to the right website. Your session looks legitimate to the end user. This has been done before. It also depends on the security of the sites that you go to; downgrade of TLS to SSL is a real thing.

How Hackers Spoof DNS Requests With DNS Cache Poisoning
Don't Use Public Wi-Fi Without DNS Filtering

A VPN is not a foolproof solution, however, and I’d suggest having good EDR and a reliable DNS provider.

On a side note, I rarely use public wifi; I usually tether my phone, with a VPN to my home router. That way I know where the traffic is going at all times and, to an extent, how reliable the DNS is.
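One practical check for the spoofed-DNS scenario described above, as an added example that is not code from the thread or from any of its posters: issue the same A-record query over plain UDP/53 to the resolver the hotspot handed out via DHCP and to a resolver you trust, and report any address that only the hotspot's resolver returned. The packet builder and parser are written against the DNS wire format directly, so nothing beyond the standard library is needed; the hostname, resolver addresses and the TEST-NET IPs used in the sample reply are assumptions chosen for illustration.

```python
import random
import socket
import struct

# Added example: a minimal DNS A-record client plus a resolver comparison.
# Resolver addresses and the hostname in main() are assumptions, not values
# from the thread. The sample reply in build_response() is constructed.


def build_query(name, qid=None):
    """Build a minimal DNS A query (RD set) and return (packet, transaction id)."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1), qid


def build_response(qid, name, ips, ttl=60):
    """Construct a standard response to build_query(name, qid); used for offline samples."""
    query, _ = build_query(name, qid)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c"                                   # pointer to the question name at offset 12
        + struct.pack("!HHIH", 1, 1, ttl, 4)          # TYPE A, CLASS IN, TTL, RDLENGTH
        + socket.inet_aton(ip)
        for ip in ips)
    return header + query[12:] + answers


def _read_name(pkt, off):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_a_records(pkt, expected_id):
    """Return sorted IPv4 answers from a reply; reject a reply whose id is not ours."""
    qid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch (reply not for our query)")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(pkt, off)
        off += 4                                      # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return sorted(ips)


def resolve(name, server, timeout=2.0):
    """Send the query to `server` on UDP/53 and parse whatever answers."""
    query, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def unexpected_answers(local, trusted):
    """Addresses the hotspot's resolver returned that the trusted resolver did not."""
    return sorted(set(local) - set(trusted))


if __name__ == "__main__":
    import sys
    # Assumed usage: python dnscheck.py <hotspot resolver> <trusted resolver>
    host = "example.com"
    local_ip, trusted_ip = sys.argv[1], sys.argv[2]
    local, trusted = resolve(host, local_ip), resolve(host, trusted_ip)
    print(f"{host}: local={local} trusted={trusted} "
          f"only-local={unexpected_answers(local, trusted)}")
```

Two caveats a practitioner should keep in mind. Sites behind a CDN legitimately hand different addresses to different resolvers, so a mismatch is a signal to look closer, not proof of poisoning; what actually fails closed is the browser's certificate check on the HTTPS connection. And a hotspot that intercepts all UDP/53 can answer on behalf of the "trusted" resolver too, so for the trusted leg use DNS over HTTPS or DNS over TLS rather than plain port 53.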

I’d agree with you to a degree that HTTPS is much more widespread these days, which limits some of the attacks.
As @brad_voris has said, there are still a number of attacks that a malicious public wifi access point can do to intercept / downgrade security.

VPNs are a good thing to use, but only if you can trust the provider. If the VPN provider is malicious, they can carry out the attacks that a malicious access point could. My suggestion would be to roll your own VPN server using something like pivpn (https://www.pivpn.io/) on a DigitalOcean droplet.


Thanks for your response! I’d argue that most modern browsers protect you against these attacks - but I can’t verify that. Give me a few weeks to get settled into my new house and I’ll prove it to you in my lab. Blog post incoming!


How many people have old phones, tablets or older laptops they travel with? The age old issue of people not updating or upgrading will always be a problem.

This is especially prevalent with Android devices.

Look forward to reading your blog post!

Great conversation. Love the thoughts and input.

A few actionable thoughts:

  1. DNS Poisoning - Statically configure a DNS provider (8.8.8.8/8.8.4.4 for Google perhaps, or my choice of 1.1.1.1).
  2. Use a VPN you trust or, better yet, as @CMD_Josh noted, build your own. Personally, I have both. You can create an OpenVPN server on DigitalOcean and run it for cheap. You can even spin a new one up quickly if you will be traveling soon.
  3. Use a Host-Based Firewall - sounds silly and cliché, but ask yourself: do you have a different host firewall profile for home than you do for public wifi? I have done research with a Cyber Lab and I can tell you even many IT and cyber professionals miss this. It is so simple: create a profile to Block Inbound All and use it when on public wifi.

Note: depending on VPN client configuration, it is possible that others can communicate with your host on the same network even if you are using a VPN.

  4. To protect those who don’t know to use a host-based firewall, enable Layer 2 LAN Isolation on your access points. Unless you are gaming at an internet cafe, there is little reason to allow Layer 2 LAN Isolation (also known as Wifi Client Isolation or Access Isolation), and in the majority of use cases with public wifi it is best practice to disable Layer 2 LAN Isolation. If your company has public wifi, consider checking whether you have this isolation enabled; if not, ask whether there is a need for wifi clients to communicate with each other or whether it is just an Internet access medium.
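What the "Block Inbound All" profile in item 3, together with the note that a VPN does not by itself stop neighbours on the same SSID from reaching your host, looks like as an nftables ruleset on Linux. This is an added example and not a configuration from the thread; the table name and the choice to leave IPv6 neighbour discovery open are assumptions, and it is meant to be loaded only while on untrusted networks (a home profile would differ).

```nft
#!/usr/sbin/nft -f
# Added example: a "public wifi" host-firewall profile. Load with: nft -f public.nft
# Table name and the ICMPv6 exception are assumptions, not from the thread.
flush ruleset

table inet public_wifi {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic never comes from the hotspot.
        iifname "lo" accept

        # Replies to connections this host opened: web, the VPN handshake,
        # DNS queries. The WireGuard/OpenVPN UDP exchange is tracked as a
        # connection too, so no explicit inbound port is needed for it.
        ct state established,related accept
        ct state invalid drop

        # Keep IPv6 usable: neighbour discovery and router advertisements
        # arrive as link-local multicast and are not "established".
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Everything else is dropped by the chain policy, including any
        # unsolicited packet from another client on the same SSID and any
        # new inbound connection arriving over the tunnel interface.
    }

    chain forward {
        # A laptop on public wifi should never route for anyone.
        type filter hook forward priority 0; policy drop;
    }
}
```

The weak setting this replaces is the common default of a single profile with ports such as SMB, mDNS or a development server listening on all interfaces; with `policy drop` on `input` those services stay reachable only over loopback until the home profile is loaded again. Client isolation on the access point (item 4) is the network-side complement and cannot be expressed on the host, which is why both are listed.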

Very good points @christian_taillon, especially on the different firewall profiles! A lot of people don’t take this into consideration.

I’ve done something similar to this. I have a WireGuard VPN tunnel paired with Pi-hole. I have it on any time I leave the home network. It works wonders.
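The roll-your-own VPN suggested earlier in the thread (pivpn on a droplet, an OpenVPN server on DigitalOcean) and the WireGuard-plus-Pi-hole setup just described hinge on one client-side detail: DNS must go through the tunnel, not to the resolver the hotspot assigned. Below is a WireGuard client configuration that does that, added here as an example rather than taken from any poster's setup; the tunnel subnet, endpoint hostname, key placeholders and the assumption that Pi-hole listens on the server's tunnel address are all illustrative.

```ini
# Added example client config for wg-quick (e.g. /etc/wireguard/wg0.conf).
# Addresses, endpoint and keys are assumptions; replace the placeholders.
[Interface]
# This client's address inside the assumed 10.8.0.0/24 tunnel network.
Address = 10.8.0.2/24
PrivateKey = <client private key>
# Pi-hole listening on the server's tunnel address. wg-quick installs this as
# the system resolver while the tunnel is up, so no lookup reaches the
# hotspot's DHCP-assigned DNS server.
DNS = 10.8.0.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.net:51820
# Full tunnel: every destination is routed through wg0.
# The weak setting is the split-tunnel form, AllowedIPs = 10.8.0.0/24, which
# keeps the DNS line above but sends web traffic straight out over the wifi.
AllowedIPs = 0.0.0.0/0, ::/0
# Keep the hotspot's NAT mapping alive so the server can still send replies
# after idle periods.
PersistentKeepalive = 25
```

On the server side Pi-hole has to accept queries on the WireGuard interface (its "interface settings" default to the LAN interface only), and the droplet's own firewall should expose nothing but UDP/51820. With `AllowedIPs = 0.0.0.0/0, ::/0` wg-quick adds policy-routing rules so that, if the tunnel drops, traffic does not silently fall back to the public network.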

I would add my 2 cents: for specific individuals who need to be highly secured, I suggest using a portable FW/VPN box between the public WiFi and their own devices (phones, computers).
