This was touched on briefly in a previous post, but it bears further exploration.
I recently took a short trip, and brought along my new iPad (a birthday present from my amazing wife). It’s a WiFi only model.
So, while I was waiting in the airport, I checked out if there was an available connection, and saw “free public wifi”. I was about to connect but had second thoughts.
Was this really an airport-operated service?
Anybody could bring a hotspot device to the airport and set their SSID to “free public wifi”. Then just sit back and capture all the information sent by the people who connect to you. This is a major security issue with WiFi.
What we need is something like the social networks’ verification for celebrity posters…some way to establish trust in an advertised network. I’m not sure what the answer is, or if it is reasonably possible, but I can see certificates as a route to the end goal of verified networks.
Even if this is an official public WiFi connection there’s other concerns.
Firesheep is old news now, but it still works. If you aren’t familiar with Firesheep, here it is in a nutshell.
Unencrypted HTTP packets can be read from within the network. In the initial demonstration, someone would log into Facebook, and the session key (stored in a cookie) could be copied and used to impersonate that user.
Facebook has since updated their service to use https all the time, but there are plenty of vulnerable session identifiers that could be abused in this way.
So be careful when connecting to open networks. It may be less convenient, but you should never let your OS remember open networks. Accept them on a case by case basis to reduce your risk of connecting to a bad actor.