6

Every article (and post on this website) I find on public Wi-Fi safety is mostly concerned with other people connected to the same network snooping on our communications. As far as I understand it, we’re mostly secure as long as we’re connecting through HTTPS. “Mostly” because there could be flaws in the encryption software or the bad actor could redirect us to a fake page.

But what about the provider? I sometimes connect to free Wi-Fi hotspots (bus, hospital) that require me to accept an agreement before connecting. Sometimes that agreement says they can monitor my communications.

So, assuming I connect to such a Wi-Fi network and only do HTTPS-related connections, could they:

  1. Snoop on those communications in any way.
    • If not, what can they actually know (I assume just know the host I’m connecting to, but not the content of the communication).
  2. Do some trickery like intercepting the HTTPS request, sending it to the server as me, getting the response and sending it back to me.
  3. Other.
user137369

2 Answers

4

Generally speaking†, one cannot intercept HTTPS communications.

However, a hot-spot provider can do the following:

  1. See the hostnames you want to connect to from your DNS requests
  2. See the IP addresses you connect to
  3. If you type in say http://yourbank.com, hoping for a redirect to https://yourbank.com, the hot-spot owner can intercept that and redirect you or serve you their own content. This is one reason why HSTS exists. If the site uses HSTS or you type in https://yourbank.com or you use a VPN you are fine.

† With the following assumptions:

  1. the site gets a reasonable score on https://www.ssllabs.com/ssltest/
  2. the browser gets a reasonable score on https://www.ssllabs.com/ssltest/viewMyClient.html
  3. the user doesn't override cert warnings
Neil McGuigan
  • @SteffenUllrich not if the user types http:// in first – Neil McGuigan Apr 30 '16 at 19:01
  • Actually one can. It will be detected by the browser. It then depends on 1) how the browser shows the warning and/or allows bypassing it and 2) user habits regarding annoying warnings when trying to access his website. – spectras Apr 30 '16 at 19:59
  • 1
    Regarding your point 1, what if I set up custom DNS servers on my computer (I do, I connect to OpenDNS)? – user137369 Apr 30 '16 at 20:08
  • @user137369 you can prevent them from seeing hostnames if you use DNSSEC but they can always see IP addresses. And if they can see IP addresses, they can find the hostname with a reverse lookup. So use VPN if you're concerned about that – Neil McGuigan Apr 30 '16 at 20:11
  • @NeilMcGuigan Not really concerned about that part, just curious. Thank you for the answer. – user137369 Apr 30 '16 at 20:32
  • @NeilMcGuigan DNSSEC doesn't give confidentiality, only integrity: it proves the answer is correct, but doesn't encrypt: it's only a signature mechanism. – Tom May 01 '16 at 17:42
  • 2
    @Tom yes, you're right, I'm keeping the comment to own my shame – Neil McGuigan May 02 '16 at 18:50
1

This doesn't directly answer your question (it was answered adequately above), but given your paranoia the one thing you do need to be wary of is using public terminals provided by a vendor, such as in a library, internet cafe, employer, school, etc.

If they are providing you the endpoint/device, they can manipulate the certificate chain and intercept all your HTTPS traffic or far worse. You won't get any warnings in this case since the eavesdropper will be trusted by the terminal.

With BYOD (as with hotspots) they can try to manipulate the chain but your personal device won't inherently trust their proxy/MITM unless you've been compromised beforehand**, and when your browser sees the certificate for gmail.com was issued by "aruba-networks" or "fart-school-for-the-gifted.edu" and not "Google" it will raise errors.

** The easiest way to get your device compromised is by letting them force you to "install this software before you can use our network." Sometimes it's just an innocuous VPN client or some .NET garbage related to Microsoft's Network Access Protection, but other times they shove adware, a backdoor/RAT, trusted certificate or a monitoring agent in there.

Ivan
  • Doesn’t this contradict the other answer? As I mention in the question, I sometimes connect to a hotspot owned by a company (bus and hospital are my examples). Your answer seems to suggest that yes, they can do what they can and own my connection, and HTTPS will not protect me at all. – user137369 May 03 '16 at 00:48
  • No, don't get me wrong-- the other answer IS correct. By default, on a clean device, you can trust HTTPS. I just added some caveats, namely that if the hotspot owner *coerces you into installing some kind of software binary which contains malware or a bogus root CA cert*, it can undermine the protections built into your browser. You literally have to download an exe or apk and install it before you can connect. That's how you can become compromised. – Ivan May 03 '16 at 01:41
  • Regarding them asking me to install something, I’m not worried as I wouldn’t do it. You only introduce that idea in your third paragraph, though, but mention them manipulating the certificate chain in the second. That’s what made me think you were contradicting the other answer, as the connection between the two ideas isn’t clear. They seem like two separate thoughts. – user137369 May 03 '16 at 03:28
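The two cases in the answer above, as an added example that is not part of the original posts: on a clean device the TLS handshake itself fails when a proxy re-signs the certificate, while on a device that already trusts the proxy's root the handshake succeeds and only a comparison of the issuer against what you expect reveals the interception. The two certificate dictionaries are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`, and the expected issuer set is an assumption you would maintain yourself.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Handshake using the device's own trust store and return the leaf certificate.
    On a clean device, a re-signed chain raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of a getpeercert() dictionary."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_issuer(cert, expected_orgs):
    """Return (ok, issuer_name). ok is False when the certificate validated against
    the local trust store but was issued by a CA you did not expect for this site."""
    fields = issuer_fields(cert)
    name = fields.get("organizationName") or fields.get("commonName") or "<unknown>"
    return name in expected_orgs, name

# Assumption: the issuer organisation you expect for the site, recorded on a trusted network.
EXPECTED = {"Google Trust Services"}

# Constructed samples, not captured certificates.
GENUINE = {
    "subject": ((("commonName", "gmail.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services"),),
               (("commonName", "WR2"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "gmail.com"),),),
    "issuer": ((("organizationName", "aruba-networks"),),
               (("commonName", "guest-proxy-ca"),)),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, check_issuer(cert, EXPECTED))
```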