A Question About Public Wi-Fi

Knightoftheapp

iPF Novice
I just downloaded a wifi finder app from the app store. It shows locations for both free and paid public wifi. Is it safe to assume that public wifi that you pay for is more secure than wifi that you DO NOT pay for? Or is that just a "twilight zone" assumption on my part?
 
Appsempire said:
I just downloaded a wifi finder app from the app store. It shows locations for both free and paid public wifi. Is it safe to assume that public wifi that you pay for is more secure than wifi that you DO NOT pay for? Or is that just a "twilight zone" assumption on my part?

Paid wifi and security don't necessarily go hand in hand. You don't get charged for security, but for having internet access. In general, public wifi is not secure, hence the name public, regardless of whether the wifi requires you to pay.

Now, there are two common methods used for paid internet services, and it depends on the hotspot provider which one is used. Often a paid wifi network requires a password, as the network is encrypted to prevent random people from joining. Or the wifi network is unencrypted, but you have to sign in with an account. The first method does provide a little bit more security than the second one, but not by much.

What this means is that a wifi network which does not ask for a password upon joining is definitely unencrypted and not safe. But you can't make the assumption that a paid wifi is secure either. A wifi network is never safe if there is more than one user on it! Even if the wifi network is encrypted, it does not provide more security, because everyone on the same network has the same encryption key and can thus not only record all wifi traffic, but also decrypt the information. An encrypted wifi network only prevents people without the wifi key from decrypting your wifi-transmitted data.

So essentially no public wifi is safe, unless you use a VPN service to encrypt your own data again.
 
Public Hotspots

I've got to disagree with the previous poster. As I understand it, if the AP is configured for WPA, even though all users have the same password they cannot see each other's traffic. The WPA spec calls for the password to be hashed with the ID of the client system, and the key is created from that, so each user has a different key.

Steve Gibson Gibson Research Security Now Podcast #272 talking about Firesheep on page 24 of 25.
http://www.grc.com/sn/sn-272.pdf

Steve: Yup. Just use a simple - all you have is a simple password because, as we discussed, WPA does enforce inter-client isolation. Individual clients negotiate their own private keys with the access point, even though they're using a common password. The password gets them in, but then their sessions are individually isolated. So that provides you protection against this kind of passive eavesdropping. So it's trivial for Starbucks to fix the problem, and it'd be great if they did

Hope this helps, and more can be uncovered at Steve's site, where in an earlier podcast he goes even deeper into WPA encryption.
Enjoy, Rainman
 
@Rainman

You bring up some good points. On an encrypted wifi network, normally users don't see each other's traffic.

However, my point is that once you are on a wifi network, you can run a program to capture all traffic, even if it is encrypted, and then decrypt it. It doesn't matter that WPA is used. Once you know the wifi password and the SSID, you can decrypt the traffic going through the wireless network.

Now, the average user may not know how to do this, but it is enough if one person has the knowledge and lets their computer capture all traffic to decrypt it at a later time. There just is no safety on a public wifi network, not even if it is encrypted. A combination of Wireshark & TShark will decrypt the WPA encrypted traffic into plain text from anyone on the same network.

I am not saying this is legal in any way, unless you agree to have your wifi traffic decrypted, but it is possible and should be kept in mind.

Anyway, here is a proof-of-concept:
Wireshark and TShark: Decrypt Sample Capture File (by Joke Snelders)
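
Added example, not part of any post in this thread: the WPA2-PSK key derivation from IEEE 802.11i, showing how both points made above fit together. Each client does get its own pairwise key, but every input to that key other than the shared passphrase is sent unencrypted during the handshake. It assumes WPA2-PSK with CCMP; the passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_tk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
              anonce: bytes, snonce: bytes) -> bytes:
    """Derive the 48-byte CCMP PTK and return its temporal key (last 16 bytes)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK
    return ptk[32:48]

def nonce(tag: str) -> bytes:
    """Constructed 32-byte stand-in for a random handshake nonce."""
    return hashlib.sha256(tag.encode()).digest()

# Constructed sample network and two clients (locally administered MACs).
SSID, PASSPHRASE = "CoffeeShop-Guest", "latte2go!"
AP_MAC = bytes.fromhex("02aabbccdd00")
ALICE = {"mac": bytes.fromhex("020000000001"), "an": nonce("a1"), "sn": nonce("a2")}
BOB = {"mac": bytes.fromhex("020000000002"), "an": nonce("b1"), "sn": nonce("b2")}

def session_tk(passphrase: str, client: dict) -> bytes:
    """Key computed by anyone holding `passphrase` plus the cleartext handshake fields."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    return derive_tk(pmk, AP_MAC, client["mac"], client["an"], client["sn"])

if __name__ == "__main__":
    print("Alice TK:", session_tk(PASSPHRASE, ALICE).hex())
    print("Bob TK:  ", session_tk(PASSPHRASE, BOB).hex())
    print("Other user with passphrase gets Alice's TK:",
          session_tk(PASSPHRASE, ALICE) == session_tk(PASSPHRASE, ALICE))
    print("Outsider without passphrase gets Alice's TK:",
          session_tk("wrong-guess", ALICE) == session_tk(PASSPHRASE, ALICE))
```

The per-client keys differ, so clients do not decrypt each other's frames by default, but the separation rests only on the shared passphrase, which is why the VPN advice earlier in the thread still applies on a shared-password hotspot.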
 
What if you used a travel router to create a new network from the public wi-fi connection provided by Starbucks? Would that secure your connection, or would people still be able to intercept the data once it leaves your travel router and into the Starbucks network?
 
