[Discuss] comcast wifi question
Bill Ricker
bill.n1vux at gmail.com
Thu Nov 6 09:24:25 EST 2014
Ned -
Your comments on WiFi encryption and Insecurity of DNS are right on.
But ..
> If you're connecting to secure services, then your traffic is secure, even on the unencrypted wifi.
Maybe. Maybe not.
tl;dr - Google HTTPS *is* safe from MITM but *only* with Chrome so
far. Rest of HTTPS not as much.
If the hacker with control of the WiFi AP is working for an
organization with control of any of the many Root CA certs built into
your device/browser (Hong Kong Post Office, US DOD, Chinese Govt,
...), or illicit access to a leaked CA key, or can trick any of them
into creating wildcard certs, the untrusted WiFi node can do MITM on
your HTTPS session *silently*, no "bad cert" clickthru required..
Aside from VPN, the one defense today is host cert (actually CA)
pinning. (Google properties have this via Chrome; internet draft
recommending this for all site/browser pairs !).
(I think Chromium is included in the above but not certain. One might
hope Android native browser has the google pinning but also IDK
without checking.)
--
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux
More information about the Discuss
mailing list