Ask HN: Dangers of Unsecured WiFi?
Connected to an unsecured WIFi network last week from my MacBook. When I restarted I couldn’t login and had to go through safe/recovery mode and use reset password utility from the terminal to get back in (thankfully I could log in to my Apple ID.
Now I’m not able to login to my Firebase console even from another laptop.
What’s going on here?
There is a CVE issued a week ago for all Apple OSs that are not on the latest update (Mac iOS, etc). Maybe you were affected.
https://www.cisa.gov/news-events/alerts/2024/09/18/apple-rel...
Thank you! Yes I’m still 2 OS versions back.
You are living very dangerously and running 2 whole major versions back. The only Apple Operating Systems (macOS, iOS, etc.) that have both the latest Platform Security features and get 100% of security patches is the very latest version.
This is well known within both the security community and Mac Sys Admin community.
Thanks, I’m realizing that now. It helps that you’re emphasizing the need to stay up to date.
I don’t upgrade to the latest version when it comes out thinking it may not be stable enough yet. And then I remember about it when I’m about to start working or in the flow. I know, silly excuses!
And for some reason I used to think security patches get back ported to all the supported versions and by not upgrading I was only missing out on new features.
Thanks for letting me know that’s not correct!
BTW always wondered... often docs show that a wifi with a password uses encryption, and wifi without password are not encrypted, I'm wondering why that is?
Is it for backward compatibility with old devices?
Why isn't the standard that when connecting to a wifi without password, everything would be just like if there was a (fake) "public password" like the string "password", so that traffic is still encrypted?
When you connect to a WiFi network, the goal is to be part of the network. Which means that all the devices on the network can reach each other.
If you have a password, it means that you select who can be part of that network (and hence who can reach your computer). If you don't have a password (e.g. a guest network somewhere), then there is no selection at all.
Now, if you let anyone connect and have a "fake" password, you still don't have any filter and should know that you are on a "public" network (i.e. you should not blindly trust other devices). So it's actually better to be able to see that you are on a "public" network (versus a "trusted" network like your home LAN).
Or did I misunderstand your question?
WPA3 offers secure-open and unique+forward key secrecy. WPA2 is twenty years old.
Not sure how this addresses my question? Or is the issue with "not encrypted when there is no password" only a WPA2 issue?
Have you confirmed you are locked out of Firebase? Performed a password reset?
If you get to login, check your compute resources since most of these bots just deploy tons of compute and use them for DDOS. This can be in the hundreds of dollars per hour figure.
It is possible to have your session hijacked when using any wifi really, its a lot harder on secured wifi though.
I only tether to my phone now in public, and never use unsecured wifi for anything.
Didn’t try the password reset until you mentioned. Thanks, that worked.
Google did send me two Security alerts (one for each laptop) when I tried signing in yesterday with my old pwd. So they must have reset my password or something?
In any case, lesson learned: never connect to an unsecured Wi-Fi again! (I rarely do, but I was at this conference last week trying to demo Appomate AI, and was wanting it to be as snappy as possible. Bad decision!)
unless you accepted an invalid https certified popup, its not possible, even on public wifi. or maybe you still type: http:// instead of https://, and then is easy to fake a dns response to point to a clone site
Ironically because MITM attacks for corporate security are that common, a lot of developer tools are configured to just ignore TLS checks instead of importing the correct root certificate.
In case of an unsecured WiFi connection this is of course much more dangerous even.
Wow! Didn’t know this!
I would’ve thought they would let devs handle it because if anything they’re more capable of these kinds of things (not counting myself ofc :-))
There are whole swathes of developers these days who don't even know what a network stack is, much less understand how HTTPS works. I expect these people were gumming up the bug trackers so they dumbed down the dev tools.
Fwiw, though, when I used Python behind a corporate proxy some 5-6 years ago nothing was configured to ignore the HTTPS warnings.
I think developers are especially at risk, because we all think we know the risks and can manage them better... yeah, right lol.
It's like how doctors and nurses are notoriously bad at getting their own health checkups. They're experts, they know better!
Pfft. How many of us actually spend time (and have the knowledge for) auditing the security of our OS, cert chains, HTTPS setup, etc.? I've seen experienced senior devs share private keys over Slack for the whole team to reuse, manually disable HTTPS checks with a comment like "too much trouble", etc. It's pretty scary.
I was amused by a prompt I received from Android Studio, requesting permissions to turn off anti-virus scanning for development directories. Which, of course, speeds up compile time dramatically (4 or 5x faster? A seriously non-trivial amount). Development directories, and SDK directories (including SDK binaries).
No more anti-virus protection for the directories that you as a developer should be most concerned about. What could possibly go wrong?
I'd be more concerned if I hadn't already done that, I suppose. Because compiles run so much faster when you do. But I was amused, nonetheless. :-/
That does sound very familiar!
Thanks, that makes me feel a little better because I did use the https bookmark I had and didn’t type in the addr.
You're confidently wrong, dangerous :)
Your question is meaningless and context-free.
The only difference with "unsecured WiFi" is its lack of key and encryption.
You've said nothing about who provided that WiFi service, where it was, or anything. Plenty of reputable and well-managed WiFi networks are unsecured these days. Even my ISP runs them; they're perfectly safe. I don't use a VPN.
We're not your tech support department, and it's impossible for us to troubleshoot your bugs with so little information. Your local machine got messed up somehow. It sounds like PEBKAC. What leads you to believe that the WiFi network was to blame? No, I don't care.
Take your machine to an Apple store or something. Contact the administrator of the WiFi network. Go to Geek Squad. Factory reset and reinstall your computer. Who knows how you've shot yourself in the foot?
What a weird reply to a call for advice. 'your machine got messed up somehow'. They now that, provide some recovery tips instead of downplaying.
"You're wrong, but I don't feel like teaching. Just feeling smug about my supposed superiority."
I have negative feelings towards this sort of long winded holier than thou garbage.
And it's a documented self inflicted "why does nobody want to contribute to $project?" By burned out devs.
Perhaps I could be less condescending, but is it not teaching, and constructive feedback, to warn this poster that it's impossible to diagnose without much more context, rather than engaging in wild speculation like other commenters? It would seem that they're the harmful ones. And I did suggest several avenues for superior support, rather than trying to tackle it all alone.
Hmm, my father in law refuses to use WiFi outside his house, afraid of them hackers, since he has no mobile internet he is often off line for long periods.
I always tell him he is being paranoid, because every app, especially the ones het finds important (like banking) encrypt their traffic. So who cares if the WiFi layer is encrypted or not.
For the people that do use WiFi away from home: It's easy to create an access-point that is malicious and has wpa2. Also, wpa2 isn't that great anymore, right?
I could tell him to just use a (trustworthy) free vpn (ie protonvpn, or just pay for mullvad) if he really needs to connect. That would take care of his concerns.
Am I wrong?
There have been cases of applications not performing chain validation - see the paper Spinner: semi automatic detection of pinning without hostname verification (in particular page 8)
While it may be paranoid, there are still risks involved with connecting a device to an untrusted network
There have been cases? I see this kind of stuff all the time. I once saw an app that had a popup warning me that the TLS cert is wrong but still let me connect...
Haha thats terrifying! I was just trying to point out that assuming that apps do this correctly is a bad idea; but my experience echoes yours, its a common mistake - even just browsing stack overflow people give some pretty gnarly advice.
Unless I’ve looked at the app myself i wouldnt touch public wifi - even then there are other risks to consider
Would you do it with a VPN? (I would, just checking)
A vpn (that you trust) would certainly help a little, but in the above case the connection can still be mitmed from the vpn server to the application backend
Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.
I wouldn't, especially not having looked at the VPN at first. It might expose you to even more attackers than could fit in your Starbucks
VPNs have a bad reputation, but I trust Mullvad (have used and paid them often), and Proton (currently paying them).
I trust Mullvad more than others, because IIRC they were one of the few that actually had RAM only infrastructure when they were audited
I once connected to unsecured wifi and 2 minutes later started getting ungodly amounts of spam, just spam everywhere filling up my inbox etc.
I started panicking, going over to people around me asking if they've ever experienced such a thing. All I got was a bunch of "huh? no never"s.
I found out a couple hours later that by pure coincidence my friend pranked me right then by signing my email address up for all the spam newsletters etc. he could find....
Hehe….life would be so boring without coincidences!
But I definitely panicked too and still a worried if I carried something over to my home network.
I’m a developer and at least superficially aware of the issues. Can’t imagine what non techies go through when faced with such situations!!
The London underground now provides mobile connectivity. I have a gut feeling that that is more secure, but probably costly and bureaucratic.
I hear you!
I really need to let go of these self-sabotage tendencies fast!!
[My works-on-my-machine]
By default, I tether my phone. In the places that's not possible, the public WiFi is typically part of large scale infrastructure like an airport.
The biggest practical advantage of tethering is not security. It's repeatability. Sure security matters and I trust my phone's security. But not having to navigate other people's ideas of internet access is why I tether.
Good luck.
Thanks, makes sense!