Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] comcast wifi question

Ned -

Your comments on WiFi encryption and Insecurity of DNS  are right on.

But ..

> If you're connecting to secure services, then your traffic is secure, even on the unencrypted wifi.

Maybe. Maybe not.

tl;dr - Google HTTPS *is* safe from MITM but *only* with Chrome so
far. Rest of HTTPS not as much.

If the hacker with control of the WiFi AP is working for an
organization with control of any of the many Root CA certs built into
your device/browser (Hong Kong Post Office, US DOD, Chinese Govt,
...), or illicit access to a leaked CA key, or can trick any of them
into creating wildcard certs, the untrusted WiFi node can do MITM on
your HTTPS session *silently*, no "bad cert" clickthru required..
   Aside from VPN, the one defense today is host cert (actually CA)
pinning. (Google properties have this via Chrome; internet draft
recommending this for all site/browser pairs !).

(I think Chromium is included in the above but not certain. One might
hope Android native browser has the google pinning but also IDK
without checking.)

-- 
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux
BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix / webmaster@blu.org