Hacker News new | ask | show | jobs
by CommentCard 3164 days ago
So now I need a VPN for my cellular data connection. What happened to privacy laws? You could quickly grab highly personal identifying information by setting up an encrypted wifi network at a business with plenty of foot traffic and no open wifi networks. Then you could have a sign or placard directing passerbys to visit a URL of your choosing to get the wireless password. Then you'd implement this API on your website.

Now you've got their personal info. Scary..
1 comments
jpeg_hero 3164 days ago
No, this doesn’t work on Wifi.

The claim is you need to be on the carrier’s mobile data network, the carrier gives you an IP address, then a website owner asks the carrier who is at that ip address and then the carrier gives the website owner the data that it has on you (your real name, the address where they send the bills, the phone number they assigned to you, etc)

link
kevin_nisbet 3164 days ago
Just a word of warning, long term this may not always be a safe assumption.

For supporting technologies like wifi offload, VoLTE, etc the phone can be told to tunnel traffic back to the carrier network, even when using wifi. This is to support features like using wifi to complete voice call's, but could be used for IP mobility as well (keeping you're IP address as you switch access networks).

I'm a bit rusty as I've been out of the industry for a year now and didn't work on this directly, so I forget how the phone get's this configuration. I think it might be an APN setting to connect back to the ePDG when on other access networks, but I could easily be mistaken.

link
slipstream- 3164 days ago
You misunderstood: the commenter said they'd provide a passworded wifi network and a sign somewhere saying "visit this URL to get the password for the wifi!"

People would visit that URL using mobile internet...

link
CommentCard 3164 days ago
This is exactly what I was describing. You'd visit the site while on cellular data to get the password.
link
k_sh 3164 days ago
Yeah, that's what GP is describing, I think - people would visit the evil URL while on a cellular connection in order to, ostensibly, get the password for the secured WiFi connection.
link