isn't connecting to websites over HTTPS also encrypted?
The difference is SSL encrypts what you send and receive to a website, but not that you are talking to that website. When you connect to macrumors.com or some other site you have to tell the network to get you connected. Once you are talking to the macrumors.com server it follows the SSL protocol to establish the encrypted connection between your computer and their server. But the network can see or block your access to macrumors.com.

With a VPN you establish that encrypted connection to a VPN server. Then you relay requests to that server that you want to talk to macrumors.com. The VPN is a middle man that you are supposed to trust to carry your messages and requests to connect to other servers. Even inside the VPN connection you will use SSL to talk to macrumors.com. So they can't see what you are exchanging with the website but they can see that you are talking to them. And to the local public wifi that you are using, they don't know that you are viewing macrumors.com at all. To them you are just talking to the VPN server (they may not even know it is a VPN server).

Some people jump through multiple VPN connections to really hide what they are doing.
 
Reactions: kevcube
Do you mind explaining this? I've not used Tailscale before, but I sort of understand that I can install it on my home Mac and use that as a hub. But how would I use Apple TV as the hub? I can install Tailscale on the Apple TV? And let my iPhone and iPad etc connect to the Apple TV when I'm away?
Here is a good video to get you going.

 
The difference is SSL encrypts what you send and receive to a website, but not that you are talking to that website. When you connect to macrumors.com or some other site you have to tell the network to get you connected. Once you are talking to the macrumors.com server it follows the SSL protocol to establish the encrypted connection between your computer and their server. But the network can see or block your access to macrumors.com.

With a VPN you establish that encrypted connection to a VPN server. Then you relay requests to that server that you want to talk to macrumors.com. The VPN is a middle man that you are supposed to trust to carry your messages and requests to connect to other servers. Even inside the VPN connection you will use SSL to talk to macrumors.com. So they can't see what you are exchanging with the website but they can see that you are talking to them. And to the local public wifi that you are using, they don't know that you are viewing macrumors.com at all. To them you are just talking to the VPN server (they may not even know it is a VPN server).

Some people jump through multiple VPN connections to really hide what they are doing.
But they can't see what content is actually being sent to macrumors, right? If you're shameless, it'd probably be fine, I assume.
 
Reactions: kevcube
will be in a hospital room for the next week and need to use their public WiFi?
For banking and logging into financial sites

Obviously I’ll be in lockdown mode, MacBook, I’ve read a vpn doesn’t offer any real safety benefits, don’t currently use one.

May I ask what safety precautions and procedures should I follow? How do I truly protect my passwords? Any other advice would be greatly appreciated as I’m lost with security concerns and I know I’ll need to access sites I want to keep 100% private while using a public WiFi.
Any help is appreciated thank you
To keep your Mac secure while using a public guest free WiFi network, follow these guidelines:

What NOT to Do:
• Avoid accessing bank accounts.
• Refrain from playing multiplayer games or using game chats like Roblox, as IP bans can affect others on the same network.
• Do not engage in online shopping or any activities involving payment information or sensitive data. Instead, use a secure VPN like ProtonVPN or connect via cellular data on your iPhone to do financial or personal transactions (only if there’s no cell connection, then you can use guest WiFi).
• Never visit websites or perform actions that could harm your Mac, as malware can spread to other users on the same network.

What TO Do:
• Encrypt all backups, data, and everything on your Mac.
• Maintain optimal privacy settings. Gatekeeper and XProtect are your best friends.
• Keep “Find My” enabled.
• Use virtual machines to have separate control over other operating systems, cos all the virtual machine data does not access data on your main machine.
 
Reactions: KaliYoni
To keep your Mac secure while using a public guest free WiFi network, follow these guidelines:

What NOT to Do:
• Avoid accessing bank accounts.
• Refrain from playing multiplayer games or using game chats like Roblox, as IP bans can affect others on the same network.
• Do not engage in online shopping or any activities involving payment information or sensitive data. Instead, use a secure VPN like ProtonVPN or connect via cellular data on your iPhone to do financial or personal transactions (only if there’s no cell connection, then you can use guest WiFi).
• Never visit websites or perform actions that could harm your Mac, as malware can spread to other users on the same network.

What TO Do:
• Encrypt all backups, data, and everything on your Mac.
• Maintain optimal privacy settings. Gatekeeper and XProtect are your best friends.
• Keep “Find My” enabled.
• Use virtual machines to have separate control over other operating systems, cos all the virtual machine data does not access data on your main machine.
You’re a bit late to the game in this thread. I think your advice is overkill given the state of SSL.
 
isn't connecting to websites over HTTPS also encrypted?
Yes, obviously, but it's not the end-all and be-all; a sound security policy is to have a layered approach. Also there are some man-in-the-middle attacks that can work, even on HTTPS, along with possible compromised certificates. So do you blindly trust the traffic that you have no control over and possible bad actors being involved, or do you take ownership of your security and employ a VPN when the risks are higher?
 
Reactions: brilliantthings
Yes, obviously, but it's not the end-all and be-all; a sound security policy is to have a layered approach. Also there are some man-in-the-middle attacks that can work, even on HTTPS, along with possible compromised certificates. So do you blindly trust the traffic that you have no control over and possible bad actors being involved, or do you take ownership of your security and employ a VPN when the risks are higher?
Can you describe how a man-in-the-middle attack can unencrypt and obtain your data over SSL?
 
Another method I just googled and asked ChatGPT seems to be the use of a new trusted root certificate (various ways, including malware, MDM, etc). The attacker intercepts the connection.
 
Another method I just googled and asked ChatGPT seems to be the use of a new trusted root certificate (various ways, including malware, MDM, etc). The attacker intercepts the connection.
The safety (HTTPS, DNS encryption) embedded in modern browsers makes these types of attacks mostly theoretical for most people who are careful. Good job using AI to answer this person’s question (which I think is rhetorical or they could have found this out themselves.)

I Grocked this as well because it’s an interesting topic. Theoretical or not, the risks of connecting to an Evil Twin in a moment of frantic carelessness are risks that I’m not willing to take.


I use 2 different pay VPN providers mostly for privacy and I never connect to public WiFi. I use my cell provider and I tether if using my computer. All that traffic also goes through a VPN.

I treat public Wi-Fi as inherently insecure, regardless of the protections embedded in modern browsers and regardless of the theoretical risk.
 
Reactions: maflynn
Can you describe how a man-in-the-middle attack can unencrypt and obtain your data over SSL?
No, but I don't believe that's the way things are usually done. Once an attacker has control of your network traffic, your attempt to make an initial connection to a given web site can be redirected to a replica web site which the attacker controls and whose address is a homophone of the legitimate web site, complete with a valid certificate. This is a form of social engineering. Just as typo squatting is a thing, homophone squatting is a thing. You might think that you're so observant that you'd never fall for such a thing. To that I would only say "may it be so."
 
No, but I don't believe that's the way things are usually done. Once an attacker has control of your network traffic, your attempt to make an initial connection to a given web site can be redirected to a replica web site which the attacker controls and whose address is a homophone of the legitimate web site, complete with a valid certificate. This is a form of social engineering. Just as typo squatting is a thing, homophone squatting is a thing. You might think that you're so observant that you'd never fall for such a thing. To that I would only say "may it be so."
So they can point you to weellsfargo instead of wellsfargo, and you won't notice? My password manager will, and I think Apple's password manager will as well.
 
Reactions: AJACs3
Another method I just googled and asked ChatGPT seems to be the use of a new trusted root certificate (various ways, including malware, MDM, etc). The attacker intercepts the connection.
You would have to hack the certificate authority to do this, wouldn't you?
 
So they can point you to weellsfargo instead of wellsfargo, and you won't notice? My password manager will, and I think Apple's password manager will as well.
It's more like wėllsfargo vs wellsfargo, if you actually read the page I linked to. But, I'm not here to argue, I was only pointing out that there are things other than SSL which can affect your outcomes on a compromised network.
 
Reactions: maflynn
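The wėllsfargo / wellsfargo case discussed above, as an added example that is not part of any post in this thread: a check that shows the name actually sent on the wire and flags hostnames that only match a trusted domain after diacritics are removed. The `TRUSTED` set and the function names are assumptions; the check covers accent-based lookalikes only, not letters borrowed from other scripts or extra-letter typos.

```python
import unicodedata

# Assumption: domains the user already has saved logins for.
TRUSTED = {"wellsfargo.com", "macrumors.com"}

def skeleton(host: str) -> str:
    """Fold a hostname towards ASCII by decomposing (NFKD) and dropping combining marks."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(host: str) -> dict:
    """Compare a hostname with TRUSTED the way an exact-match password manager would,
    then check whether it merely looks like a trusted name."""
    host = host.lower().rstrip(".")
    try:
        # The punycode form is what DNS and the certificate actually carry.
        wire = host.encode("idna").decode("ascii")
    except UnicodeError:
        return {"wire_name": None, "verdict": "invalid"}
    if host in TRUSTED:
        verdict = "trusted"        # exact match: saved credentials would be offered
    elif skeleton(host) in TRUSTED:
        verdict = "lookalike"      # differs only by diacritics from a trusted name
    else:
        verdict = "unknown"
    return {"wire_name": wire, "verdict": verdict}

if __name__ == "__main__":
    for h in ("wellsfargo.com", "wėllsfargo.com", "weellsfargo.com"):
        print(h, classify(h))
```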
'Public Wi-Fi' to me implies unencrypted SSID, meaning all of your device's traffic can be surveilled and recorded by anyone within the same airspace. Is this happening in the hospital by hostile actors? I don't know.

I can appreciate the idea that SSL solves for most of the concerns connecting to secure https endpoints, but I do agree that a multi-layered approach to security is best.

VPN tunneling to/through a trusted network (like your home, or trusted VPN provider) is a worthwhile approach for an added layer of security. Doing so enables routing through a network you already trust with this type of traffic.

This works to obfuscate your traffic to both the airspace in an 'open' network, and from the Hospital network itself. Now all of your SSL traffic has an additional encapsulation and insulation from DNS profiling/poisoning as well as protection from software you may have installed that could be compromised by an unpatched vulnerability.

iCloud Relay is another option to help protect yourself from DNS related attacks or spying.

But as suggested, the simple approach is to tether to your iPhone.
 
You would have to hack the certificate authority to do this, wouldn't you?
While it's important to understand that https websites are encrypted, reducing internet security to an http/https binary is a dangerous oversimplification. But that can be easily fixed with a simple Google search.
 
I treat public Wi-Fi as inherently insecure, regardless of the protections embedded in modern browsers and regardless of the theoretical risk
Agreed, and that's why I said in an earlier post that I take a layered approach. I also think it's not the best idea to mindlessly think someone is safe either because they're on a Mac, or because they see the little lock icon in the URL.
 
Reactions: brilliantthings
While it's important to understand that https websites are encrypted, reducing internet security to an http/https binary is a dangerous oversimplification. But that can be easily fixed with a simple Google search.
I love this, "I cannot answer your question but Google it."
Why don't you Google it yourself?
 
Reactions: kevcube
For anyone genuinely interested:

Common Methods on Public Wi-Fi
  • Evil Twin Attacks: Attackers set up a rogue hotspot with a name identical to a legitimate one (e.g., "Starbucks_Free_WiFi"). Your device may auto-connect to it if the signal is stronger.
  • Packet Sniffing: Using tools like Wireshark, hackers capture unencrypted data packets moving across the network to harvest passwords and sensitive info.
  • SSL/TLS Stripping: A technique where the attacker downgrades your secure https:// connection to an unencrypted http:// version, making your login credentials visible.
  • Session Hijacking: Hackers steal "session cookies" to impersonate you and access your accounts (like banking or social media) without needing your password.
  • DNS Spoofing: The attacker manipulates your device's request to visit a site, redirecting you to a fake, malicious version of that website.
 
isn't connecting to websites over HTTPS also encrypted?
The connection is not encrypted, but the data that will be sent to/from is encrypted. A VPN encrypts the connection, which as @Alameda is repeatedly saying, is a mostly useless protection measure.

We are on an Apple forum, we all probably pay Apple at least 99 cents per month and have access to iCloud Private Relay, which provides an equivalent level of protection to a VPN. It will hide your DNS traffic, which is essentially the only privacy benefit of a VPN. As for security benefits of VPNs, there pretty much aren't any.
 
Reactions: SevenTheGamingKitty
Another method I just googled and asked ChatGPT seems to be the use of a new trusted root certificate (various ways, including malware, MDM, etc). The attacker intercepts the connection.
To install a trusted root certificate onto your machine, the attacker must have root access to YOUR machine.

At that point, VPN or not, you're screwed. So this one is a moot point.
 
Some companies block VPN on their guest wifi since they filter websites that are not appropriate for a work environment and they can’t look inside a VPN connection.
 