Wi-Fi hotspots and I don’t get along. It’s not that I’m not appreciative of the free service – I am. But, I’m far from convinced that free Wi-Fi hotspots are appropriate for most Internet users. Hotspots are a hacker’s dream come true.
Free hotspots, in many instances, are unsecured – a semi-skilled hacker, using a selection of readily available tools (often available as a free download on the Internet), can easily penetrate such a network.
Here’s the first example of what I mean:
Earlier this year, while visiting my local Library, I logged on to its hotspot only to have my Browser warn me of a possible fraudulent certificate – symptomatic of a “man-in-the-middle” attack. Typically, a man-in-the-middle attack is designed to eavesdrop on the traffic between a user and a website.
Since most users are unaware of the importance of certificates, it’s fair to assume that a typical user, on seeing this warning, would simply click “ignore”. In this case, that had to be so – when I approached the Library’s chief Tech, shockingly, he had no idea what I was talking about. Certificate? Huh? Which led me to believe that no other user had brought this issue to the Tech department’s attention.
In other words, possibly thousands of users were unaware of the very real risk to their privacy and confidential data, as they happily surfed the Internet from this location.
Given that one purpose of a certificate is to confirm that the web site being visited is indeed what the user thinks it is – effectively, whether the site can be trusted or not – I continue to be surprised at the typical user’s scant knowledge in this area.
Here’s a challenge for you – query your self-described “tech savvy” friends on the current certificates installed in their Browser. Wait for the surprises – or, maybe not.
Pictured below, as an example, are the certificates installed in my current version of Firefox.
Authorities – These are the Root Certificates that Firefox trusts.
Servers – These are the certificates that have been installed manually from a website.
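The check behind the browser warning described above can also be run and recorded from the command line. This is an added example, not part of the original post: it reports whether the certificate a network presents for a host validates against the system trust store and, optionally, whether it matches a SHA-256 fingerprint recorded earlier on a network you trust. The function names and the three result labels are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Return (der_bytes, chain_trusted) for the certificate the network presents."""
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            # Second pass only captures the rejected certificate as evidence;
            # no application data is sent over this unverified connection.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.getpeercert(binary_form=True), verify
        except ssl.SSLCertVerificationError:
            continue  # the same failure the browser warning reports
    raise ConnectionError("no certificate received")


def assess(der: bytes, chain_trusted: bool, baseline_fp=None) -> str:
    """Classify what was seen on the hotspot against a trusted-network baseline."""
    if not chain_trusted:
        return "untrusted-chain"  # do not click through; possible interception
    if baseline_fp and fingerprint(der) != baseline_fp.lower():
        return "changed"  # valid chain, different cert: renewal, CDN, or a proxy
    return "ok"


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # usage: script.py HOST [BASELINE_SHA256]
        der, trusted = fetch_cert(sys.argv[1])
        base = sys.argv[2] if len(sys.argv) > 2 else None
    else:  # offline demo with constructed bytes, not a real certificate
        der, trusted, base = b"constructed-sample", False, None
    print(fingerprint(der), assess(der, trusted, base))
```

A result of "changed" is not proof of interception, since sites renew certificates and serve different ones from different locations; "untrusted-chain" is the case that matches the warning in the Library story.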
The second example:
At an Art class I joined earlier this year, I happened to notice a questionable type of person sitting (on the ground) outside the building (freezing his butt off, since it was Winter), surfing on his Laptop. I knew there were no open Wi-Fi networks within range, so it was apparent that this fellow was surfing through the Art Institute’s password protected Wi-Fi.
On speaking with Institute staff, it became clear that this was a common occurrence with this fellow. The long and the short of it is (it would take an entire article to tell this tale), a series of Wi-Fi hacking tools were being used to “play” with the owner’s site. Since few of the students used the Wi-Fi hotspot, no damage had been done. But, it easily could have.
If you do use Wi-Fi Hotspots, here are some recommendations for safer surfing:
Assume your Wi-Fi connection is open to penetration.
Be certain that your security applications are up to date.
Don’t enter sensitive financial data. Online banking while connected to a hotspot is, to put it mildly – crazy.
To be sure that you don’t leave a trail of “breadcrumbs” – history, cookies, passwords – set your Browser to private browsing mode.
Log out of each logged-in site you visit – particularly, web based email sites; Facebook, Twitter, and the like.
Pay particular attention to one of the craziest default setups ever – “Remember my password”. It’s imperative that you uncheck this.
If you’re comfortable with anonymous surfing, then consider installing a VPN application. One such application worth considering is Hotspot Shield – reviewed here, a number of times.
Finally, you should consider avoiding Wi-Fi Hotspots entirely. An alternative is creating a “personal hotspot” if your smartphone is capable. Check your phone manufacturer’s web site for information on how to do this.