by teekert 636 days ago
Hmm, my father-in-law refuses to use WiFi outside his house, afraid of them hackers. Since he has no mobile internet, he is often offline for long periods.

I always tell him he is being paranoid, because every app, especially the ones he finds important (like banking), encrypts its traffic. So who cares if the WiFi layer is encrypted or not.

For the people that do use WiFi away from home: It's easy to create an access point that is malicious and has WPA2. Also, WPA2 isn't that great anymore, right?

I could tell him to just use a (trustworthy) free VPN (i.e. ProtonVPN, or just pay for Mullvad) if he really needs to connect. That would take care of his concerns.

Am I wrong?


There have been cases of applications not performing chain validation - see the paper "Spinner: Semi-Automatic Detection of Pinning without Hostname Verification" (in particular page 8).

While it may be paranoid, there are still risks involved with connecting a device to an untrusted network.

There have been cases? I see this kind of stuff all the time. I once saw an app that had a popup warning me that the TLS cert is wrong but still let me connect...
Haha, that's terrifying! I was just trying to point out that assuming that apps do this correctly is a bad idea; but my experience echoes yours, it's a common mistake - even just browsing Stack Overflow, people give some pretty gnarly advice.

Unless I’ve looked at the app myself I wouldn't touch public WiFi - even then there are other risks to consider.

Would you do it with a VPN? (I would, just checking)
A VPN (that you trust) would certainly help a little, but in the above case the connection can still be MITMed from the VPN server to the application backend.

Edit: I would for my personal devices, unless I knew the app did something horrendous in advance - but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.

I wouldn't, especially not having looked at the VPN at first. It might expose you to even more attackers than could fit in your Starbucks.
VPNs have a bad reputation, but I trust Mullvad (have used and paid them often), and Proton (currently paying them).