[Discuss] comcast wifi question
- Subject: [Discuss] comcast wifi question
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Thu, 6 Nov 2014 11:57:30 +0000
- In-reply-to: <545AC024.email@example.com>
- References: <545971EF.firstname.lastname@example.org> <545976F5.email@example.com> <545AC024.firstname.lastname@example.org>
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Eric Chadbourne
>
> I've tried two different vpn apps (avast & surf easy) and both really
> sucked. If I have some free time I might try rolling up an openvpn
> server this weekend. Using unencrypted wifi just seems insane.

Oh. THAT is what you're concerned about? That's a little bit insane, because never mind the wifi near you, your traffic goes across the whole internet. If you're connecting to secure services, then your traffic is secure, even on the unencrypted wifi. And if you're connecting to insecure services, your traffic is insecure on the whole internet, not just your local wifi hop.

Let's go into that one step deeper. So you're concerned about people near you sniffing your wifi traffic. You think wifi encryption will help. You're wrong, because #1 everyone near you knows the password anyway. So even with wifi encryption, they can still sniff your traffic. And #2 there's no conceivable chance in hell you're using wifi encryption with 256-bit randomly generated keys (EAP, etc.) that are strong enough to keep out any hackers. Because it's not an enterprise secure network. You are certainly using a wifi encryption password that could have been brute-forced without much effort.

No. That's not the *real* thing to be concerned about with the public wifi connection. The real thing to be concerned about is who's controlling DNS. You can afford yourself a certain amount of protection by using https and requiring that the server respond with valid signed certs. But aside from that, non-SSL/TLS traffic could easily be manipulated in transit.

I do in fact regularly see public wifi networks have DNS that does things I consider to be malicious - they say they do it for your benefit. For example, opendns, which is widely used in public wifi networks, performs lots of DNS manipulations. Some are kind of obvious and I don't actually mind - like refusing to serve up porn and hacking and other "bad" sites. You're connecting to a public wifi, they enforce content restriction. Ok.

Other things are a little more malicious, like performing a MITM relay for google.com. If you browse to non-encrypted http://google.com they sniff and harvest and potentially manipulate your search results. Of course they can't do that for https://google.com. Either way they still manipulate DNS to resolve google.com to their own IP address; but with the https connection they have to brainlessly pass through all encrypted traffic without analyzing it (in order to preserve the integrity of google's cert). They don't sniff or manipulate it because they can't without invalidating the cert. But the http traffic, they can and do sniff, and presumably sometimes manipulate, although I haven't actually observed proven manipulation of the http traffic.
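A way to check the two things the post says matter on a public wifi, as an added example and not code from this thread: it compares what the network's resolver returns for a name against a reference answer fetched over DNS-over-HTTPS, and it confirms that an HTTPS handshake still validates (a relay presenting its own cert fails that check). The probe hosts and the use of Google's DNS JSON API as the reference are choices made for this example.

```python
import json
import socket
import ssl
import urllib.request

# Hosts to probe (chosen for this example; google.com is the one the post mentions).
PROBE_HOSTS = ["google.com", "example.com"]

def local_a_records(host):
    """A records from whatever resolver the network handed out via DHCP."""
    return sorted({i[4][0] for i in socket.getaddrinfo(host, 443, socket.AF_INET)})

def reference_a_records(host):
    """A records via DNS-over-HTTPS (Google's JSON API), bypassing the local resolver."""
    url = f"https://dns.google/resolve?name={host}&type=A"
    with urllib.request.urlopen(url, timeout=10) as resp:
        answers = json.load(resp).get("Answer", [])
    return sorted(a["data"] for a in answers if a.get("type") == 1)

def find_redirected(local, reference):
    """Hosts whose local answers share no address with the reference answers.

    Both args map host -> list of IPv4 strings. A disjoint set is the pattern the
    post describes (the network resolving google.com to its own relay); CDN
    geo-routing can also give different-but-legitimate addresses, so confirm
    a hit with tls_cert_ok() rather than treating it as proof."""
    redirected = []
    for host, ref_ips in reference.items():
        loc_ips = set(local.get(host, []))
        if loc_ips and not loc_ips & set(ref_ips):
            redirected.append(host)
    return sorted(redirected)

def tls_cert_ok(host):
    """True if a TLS handshake to host:443 passes default verification (trusted
    chain plus hostname match); a relay presenting its own certificate fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

if __name__ == "__main__":
    local = {h: local_a_records(h) for h in PROBE_HOSTS}
    reference = {h: reference_a_records(h) for h in PROBE_HOSTS}
    for h in PROBE_HOSTS:
        print(h, "local:", local[h], "reference:", reference[h], "tls ok:", tls_cert_ok(h))
    print("possibly redirected:", find_redirected(local, reference))
```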