252
cross-posted from: https://slrpnk.net/post/25779751
The intative promises to be privacy-friendly with no tracking. Stating:
Your privacy is important. The WiFi4EU app ensures a private online experience with no tracking or data collection. Simply connect and enjoy free public Wi-Fi without concerns.
Source: https://digital-strategy.ec.europa.eu/en/policies/wifi4eu-citizens
Will be interesting to see how this spans and plays out in reality. Looks promising too, did a quick scan of their builtin permissions and trackers and looks good too. (Scanning tool is called Exodus)
oh dude, they promised to be privacy friendly! maybe I'm just too american to believe in promises.
You don't have to trust them any more than you trust your local Starbucks WiFi. We're at the point where your traffic should no longer be vulnerable just because you're on the wrong WiFi network.
I feel like the OP you're responding to. Explain how I should be comfortable? The idea creeps me out, but I admit I haven't delved into security for a few years.
HTTPS is used on virtually every site out there these days. That is used to encrypt your traffic from the get go. So specifics of the traffic/request won't be obvious/known. The EU could be big enough to force manufacturers to inject their certificates into devices... could be a man in the middle attack. But you can always just remove certs you don't trust from your devices.
DNS by default is often plaintext. You can setup your device to use DoH or other encrypted versions of DNS.
That leaves just the raw connection analysis... eg, that your device is sending traffic to some known IP... many site share hosts so that can be hard to determine though often not really... Proxy or VPN services can make it impossible to do this type of analysis... but then those services will be able to tell.
Ultimately being able to say that "Shalafi sent some packets to an IP that google owns and received a bunch back" could be email... could be youtube... could be any number of things... at some point it become educated guess at best. And what specifically happened (ex: Watched a video about tying shoes) is simply unknown. It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources... which usually means more than one party is already working together against you. At that point you've got bigger issues usually.
this is such an oversimplification. maybe it's hard to distinguish between google services, but if you play some online game, chat over whatsapp or signal, or have a voip call, that's an entirely different story. these can probably be told apart by DNS requests or active connections, and in the case of communications, messaging and voice calling is obvious to tell apart because of the difference in the volume of data. when having a voip call, through a service that supports peer to peer calls (most do, and it's default on), an observer may even be able to deduct something about who you are speaking with, like what general area they live at.
then what if you have apps that try to establish connections to services at home. like smb or nfs, https services. your smb/nfs client may leak your credentials, I think even linux does not encrypt smb communication unless you request it in a mount option, and with HTTPS you leak your internal domain names because of TLS SNI.
Forgive me for not covering 100% of this advanced topic in my 3 paragraphs on Lemmy... Nuance gets long, and most people have attention spans of a squirrel.
Already covered as
Where specifics can't be divined... but other details might.
Addressed already with
Actually this is quite unlikely. ASNs are not as structured as you think. It takes an external database that specifically tracks DHCP'd ISP addresses. Case in point, when I moved to my new house... Google maps though I was a good 60 miles away from where I was... it was after repeated access to google maps and other service for about a month before maps started getting accurate with where I'm accessing their service from.
And that point is covered with
If you purposefully steer your car off the road... of course you're going to crash. If you're going to expose non-encrypted things onto the internet...
I would suspect the untrusted wifi to NOT be the leading thing you'd want to care about in this situation. But even then... I would start making reasonable assumptions such as you're likely on a DHCP connection without static addressing... your site and resources will rotate IPs every once in a while. Makes tracking you even harder.
Encrypted SNI (ESNI) / Encrypted Client Hello (ECH) exists... Cloudflare for example supports ECH, and they transit a LOT of data.
But once again... would be outside of the scope of discussion here. Yes... an ISP can make an educated guess of where you're likely to be going... and maybe even make a reasonable guess of what you could doing... But certainly not the details of it.
And this all ignores the fact that a random coffee shop isn't going to do full packet inspection to get this data to begin with. It's not worth it for them. They gain very little from collecting meta data without some bigger company backing them to do so... Which falls under
Edit: Typo that changed meaning. Fixed.
You don't HAVE to be comfortable. But if you use any sort of public WiFi, this is no riskier than any of those networks. They can grab some metadata unless you use a VPN, but likely less than what your ISP already has on you anyway. Basically, there's no reason this should be putting up any major red flags. We're past the days when a malicious access point could MitM most connections due to lack of encryption.
My traffic is not vulnerable, but my device might be.
When you connect to public WiFi, you also share it with others, and maybe someone on that network wants to test out their new hacker skills ?
Maybe not as much of a problem for phones, but that juicy developer laptop running unauthenticated MongoDB with a dump of the production database.. yup, that now “mine”.
Ideally all those services should be listening on 127.0.0.1 / ::1, but everybody makes mistakes. Maybe the service comes preconfigured to listen on 0.0.0.0.
Just keep your firewall set to public network and you will most likely be fine.
Anything can be hacked, even on your private home network.
Again, people make mistakes, so they may think the firewall is on, but that one time 3 weeks ago when they were debugging something and they turned off the firewall for it, yeah, we never got around to enabling it again.
Also, my home network is a lot more secure by default than shared public WiFi. At home I have decent control over who and what connects. Sure, people could in theory crack my WiFi password, but the risk of that is low compared to sitting on public WiFi.
Nothing we can do to prevent that, unless we want to turn all laptops into walled gardens. PEBKAC is not the fault of the WiFi network.
I mean, we could switch to Linux distros (so that you can fine-tune DNS and VPN settings without corporate BS), but the intricacies that introduces to connecting to the WiFi safely are not casual in scope. Most people are better off buying a lightly-used Mac (or not, it's been a while since people have been happy with Apple) or replacing their laptop with a Fairphone or Graphene OS phone than switching to Linux from Windows 10.
Windows 11+ however... is another story. Anything but letting the IngSoc Smart TV become the OS. The issue is that computers come bundled with Windows and so they use "Secure Boot" to trap you. You can't use Secure Boot without Windows, and you can't play many online games if you do not have Secure Boot (even if the excuse as to why is a filthy lie) so if you're gaming you basically have to hope that Steam OS triumphs.
Best option is to just go to places where the wifi service is affordable but not free so that the operator needs to keep tabs on whether users are doing something other than browsing the internet or playing games (i.e. stealing people's info or putting malware on their machine). Unfortunately, there doesn't seem to be any great demand for internet cafes anymore in my location.
I don't really see the connection there with somebody bringing down their own firewall, hosting open services, and basically putting out the welcome mat. You can burn yourself on any OS (and if you can't, I don't want to be using or pushing it).
What place charges little enough for the WiFi to be affordable but has somebody live monitoring network traffic?
You're telling me Internet Cafes can't exist? Yes, they're not available, but they should be. And supporting industry of small business IT Security providers still do business with motels and hotels.
Maybe increase the standards of service requirements, but if not? Yeah, we need to find a way to make free WiFi that doesn't demand you trust the operator will monitor for malicious users, instead of limiting safe internet access to our own homes at best.
Internet cafes, at least in my experience, provide you computers. They don't sell you WiFi access. And I very much doubt they have somebody monitoring network traffic live.
If you're saying they COULD exist, I doubt they're financially viable.
Maybe it's different in the EU then. Here, when cafes had internet, they offered a WiFi password for customers.
I feel like we mean very different things with the term 'Internet cafe'. This is what the term brings to mind for me.
Apparently you're thinking of actual cafes with F&B. Cultural differences I guess.
I still don't see the point. Even if the location offers some sort of 'secure' WiFi, you cannot trust them. Every link on the chain between your device and the server must be considered potentially malicious. The main thing that needs to change is the current leak of sidechannel data needs to be halted.
The EU is almost just as bad, I know the bar is high compared to the US, but still.
That's why audits exist