Is Communal Free Wi-Fi Secure?

km1500

you don't need a vpn

[Deleted User]

Newcad said:

(I have to laugh when I see pubs, cafes, etc. with their wifi name and password posted on the wall for customers to use, security wise they might as well just change the wifi name to the same as the pub/cafe and set it not to need a password, easier for the customers too).

The reason they generally do it is to prevent freeloaders on their Wi-Fi i.e. non-customers not security considerations.

I've been in cafés where they actually printed off logins and others where they simply changed the password daily. 

onomatopoeia99

km1500 said:

as I have mentioned on these forms before when it comes to using public Wi-Fi like for example at Starbucks the risk is not whether you need to enter a password or not as most websites use https and everything is encrypted anyway

the risk is that you look at the Wi-Fi networks available and connect to 'Starbucks Free Wi-Fi' not knowing that that is not the real Starbucks wi-fi but some guy in the corner with a PC and a hot spot pretending to be Starbucks and you are connecting to him not Starbucks. If that's happens all bets are off

He's still going to struggle to issue a valid certificate for the website of a clearing bank that the https client will accept though, without somehow first compromising the device and getting his own root CA accepted by it.

Doshwaster

There are some cases where a VPN is required but most of the time the VPN companies are taking advantage of people's paranoia.  The risks of using a legitimate website with https are extremely low. 

Good video explaining this: https://www.youtube.com/watch?v=WVDQEoe6ZWY

Newcad

[Deleted User] said:

Newcad said:

(I have to laugh when I see pubs, cafes, etc. with their wifi name and password posted on the wall for customers to use, security wise they might as well just change the wifi name to the same as the pub/cafe and set it not to need a password, easier for the customers too).

The reason they generally do it is to prevent freeloaders on their Wi-Fi i.e. non-customers not security considerations.

I've been in cafés where they actually printed off logins and others where they simply changed the password daily. 

Again what's the problem?

It doesn't cost them any more for their unlimited broadband whether non-customers are using the wifi or not.
They'd have to be sat nearby somewhere, probably outside, to even connect to it.

PS. My last flat was next door to a pub and I used their (passworded, posted on the wall) wifi while I was living there, except for during covid when they were closed so I tethered through my phone instead.
They were fine with that even though I didn't drink in there, it wasn't costing them anything extra but it saved me plenty..

Doshwaster

Newcad said:

[Deleted User] said:

Newcad said:

(I have to laugh when I see pubs, cafes, etc. with their wifi name and password posted on the wall for customers to use, security wise they might as well just change the wifi name to the same as the pub/cafe and set it not to need a password, easier for the customers too).

The reason they generally do it is to prevent freeloaders on their Wi-Fi i.e. non-customers not security considerations.

I've been in cafés where they actually printed off logins and others where they simply changed the password daily. 

Again what's the problem?

It doesn't cost them any more for their unlimited broadband whether non-customers are using the wifi or not.
They'd have to be sat nearby somewhere, probably outside, to even connect to it.

PS. My last flat was next door to a pub and I used their (passworded, posted on the wall) wifi while I was living there, except for during covid when they were closed so I tethered through my phone instead.
They were fine with that even though I didn't drink in there, it wasn't costing them anything extra but it saved me plenty..

A bit of web browsing probably wouldn't bother them but I can't see them being happy if you were hogging their bandwidth with heavy usage or if they got raided by the police for something dodgy you had done using their connection. 

Username03725

Newcad said:

[Deleted User] said:

Newcad said:

(I have to laugh when I see pubs, cafes, etc. with their wifi name and password posted on the wall for customers to use, security wise they might as well just change the wifi name to the same as the pub/cafe and set it not to need a password, easier for the customers too).

The reason they generally do it is to prevent freeloaders on their Wi-Fi i.e. non-customers not security considerations.

I've been in cafés where they actually printed off logins and others where they simply changed the password daily. 

Again what's the problem?

It doesn't cost them any more for their unlimited broadband whether non-customers are using the wifi or not.
They'd have to be sat nearby somewhere, probably outside, to even connect to it.

PS. My last flat was next door to a pub and I used their (passworded, posted on the wall) wifi while I was living there, except for during covid when they were closed so I tethered through my phone instead.
They were fine with that even though I didn't drink in there, it wasn't costing them anything extra but it saved me plenty..

It’s more to entice customers in, who are then more likely to spend money in there. Until 100% of passers-by are openly freeloaders it’s beneficial to a business to offer free wifi where you need to go to serving counter to see the password. They don’t stick it on the outside of the building for a reason. 

km1500

onomatopoeia99 said:

km1500 said:

as I have mentioned on these forms before when it comes to using public Wi-Fi like for example at Starbucks the risk is not whether you need to enter a password or not as most websites use https and everything is encrypted anyway

the risk is that you look at the Wi-Fi networks available and connect to 'Starbucks Free Wi-Fi' not knowing that that is not the real Starbucks wi-fi but some guy in the corner with a PC and a hot spot pretending to be Starbucks and you are connecting to him not Starbucks. If that's happens all bets are off

He's still going to struggle to issue a valid certificate for the website of a clearing bank that the https client will accept though, without somehow first compromising the device and getting his own root CA accepted by it.

what they normally do is see what the customer is trying to connect to for example their Gmail account or whatever and then put up a false Gmail account login page and watch the person type in their username and password. I agree there is the 2fa problem to get around if that has been implemented.

or they just run in intercept mode passing everything on but watching

pjread

RealGem said:

Thanks I already bought NordVPN as it was cheaper than ExpressVPN in case I were to continue it after a month. But will a VPN still protect me from a copycat hacker who names a connection similar to the one others locally are using?

Thanks 

Yeah a VPN tunnels between you and the VPN endpoint, so even if they do capture something at the router it should* be encrypted.  Of course, you then have to trust the VPN provider...

(*strictly speaking you can have an unencrypted VPN but that has no privacy use and I doubt there's a consumer service that offers this)

400ixl

Yes, NordVPN will create an encrypted tunnel within any wifi connection. It will stop most man in the middle type attacks where they are attempted at the local wifi end.