iCloud Private Relay is great for Safari but nothing else. It doesn't help with apps
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Using public WiFi safety questions
- Thread starter cSalmon
- Start date
- Sort by reaction score
Non-Euclidean
macrumors 6502a
For me, I use Malwarebytes on our devices (PCs, iPads, iPhones). The level of subscription I have includes a VPN.
SevenTheGamingKitty
macrumors regular
i regret to inform you that all my apple hardware and software is too old to support iCloud
If this isn’t a troll and your hardware/software is that old, then it probably shouldn’t be online at all, nor trusted to be used for accessing sensitive accounts and services.
SevenTheGamingKitty
macrumors regular
It's not a troll. I'm in eternal fear tech-wise, yet I refuse to upgrade because the newer stuff (non-apple, if you were gonna ask) kind of sucks
SevenTheGamingKitty
macrumors regular
yes and the whole thread we've been discussing web browsing.
Fair. And that simplifies things. If everything you're doing is on Safari then iCloud Private Relay is plenty.
Alameda
macrumors 68020
Duh, but how?
The website has a certificate signed by a CA and tied to the URL. If you visit a domain which does not have an SSL certificate issued by a CA, the browser won’t authenticate, SSL will not initiate and the browser will display a huge warning message.
If the device youre using is vulnerable to a known CVE/exploit, it could be used to install a malicious cert chain without the users awareness.
This could also occur by tricking the user installing a malicious cert chain during an evil twin/spoofed captive portal or 'free wifi' sign in process.
Even if it isnt fully pwning the cert chain, many users get fooled by free wifi captive portals and give up critical credentials to socials or google accounts when prompted to login to 'free wifi'. Then attackers abuse those credentials to wreak havoc on someones digital identity. Once an attacker has access you a primary email account, they can password reset themselves into all sorts of other accounts.
This cant happen if you connect to a secure network with PSK credentials, or a trusted one (like your own device tether).
Last edited:
maflynn
macrumors Broadwell
I seem to be needing to connect the dots for you, its really not worth painting a picture, given that you are failing to understand my point - at this stage, I think its safe to say we can agree to disagree, and move on.
yes
I was referring to your "Even if it isnt fully pwning the cert chain, many users get fooled by free wifi captive portals ..." part
still i dont think stupid is the right word.
not everyone is tech savvy and might not bat an eye at a social OAUTH login prompt on a captive portal that appears legitimate. but i know you could never be fooled because youre clearly super l33t.
Last edited:
Sully
macrumors 6502
The Air Snitch WiFi attack is a the most powerful security argument for using a VPN on public WiFi. It’s a newly discovered (and timely for this thread) design defect inherent in all wireless networking.
This exploit is defeats any network encryption by sniffing the Layer 2 data packets on a network. All traffic from to and from the router can be read.
Using an on VPN tunnel defeats this. Apparently, nothing else does. Seems like a huge issue for public WiFi and for those who rely only on HTTPS:/
This exploit is defeats any network encryption by sniffing the Layer 2 data packets on a network. All traffic from to and from the router can be read.
Using an on VPN tunnel defeats this. Apparently, nothing else does. Seems like a huge issue for public WiFi and for those who rely only on HTTPS:/
The attacker needs to be on the same hardware as you and if you're on a network with multiple SSIDs he needs to know the password to one of the SSIDs to bypass (and not break) the encryption.
Single SSID that only you know the password = safe. McDonalds SSID? Never was safe anyway.
Alameda
macrumors 68020
The article said that VPN does not defeat this attack. It defeats LAN encryption on a wireless network. https still works.
That doesn’t make sense. Once the tunnel is established, all traffic from the client to the VPN endpoint is encrypted and encapsulated before it hits the wire (air). AirSnitch could see/capture this traffic, but it would be encrypted.
Saturn007
macrumors 68000
Had to read this twice! The double negative threw me! 😎
What NOT to Do: 🙈❗️
In fact, that was actually a list of things TO DO! Things to follow; precepts to uphold!
You should:
Yet, as pointed out, it seems to be outdated advice given SLL and associated certificates.
Bottom line
Is that about right?!
What NOT to Do: 🙈❗️
- Avoid accessing bank accounts. [Makes it sound as if you should! 🥹]
- Refrain from…
… etc.
In fact, that was actually a list of things TO DO! Things to follow; precepts to uphold!
You should:
• Avoid accessing bank accounts.
• Refrain from playing multiplayer games …
• NOT engage in online shopping or any activities involving payment information or sensitive data….
• Never visit websites … that could harm your Mac…
Yet, as pointed out, it seems to be outdated advice given SLL and associated certificates.
Bottom line
“Use a secure VPN like ProtonVPN or connect via cellular data on your iPhone to do financial or personal transactions”
Or, perhaps, even to access just about anything else if you don't want to be tracked…Is that about right?!
Sully
macrumors 6502
I’m not sure this statement is accurate. The only discussion of VPN’s was the tried and true warning that all VPN providers are not created equal.
Here’s what it said regarding VPN’s:
Mullvad and Proton specifically don’t leak DNS queries and “other traffic.” Metadata? I don’t know. But, the bottom line here is that the secure encrypted tunnel created by the VPN defeats this attack.
I’m not convinced by this imprecise paragraph that Mullvad’s technology leaks anything. And, this is the the only paragraph in the article that discusses VPN’s. I ran this article through Claude and Grok and both came back with a report describing how this Air Snitch attack works and exactly how VPN technology would defeat it.
Here’s what the article said about HTTP:s/
I didn’t read that the same way you did. I don’t think that it implies that https still works. But, I don’t think it says that https doesn’t work either. I’m confident that Mullvad (or any other legitimate VPN) works. I’m not confident that https works in all cases. The bottom line is that, since an attacker has to be inside of your network to execute this attack, I’m not worried about my personal network because it’s secured and only trusted people use it. I don’t use public wifi and default to my cellular data connection, connected to a VPN, instead. Best to live by the mantra that public wifi in inherently insecure.
Alameda
macrumors 68020
AirSnitch essentially breaks LAN encryption. So now you’re in the same situation as using unencrypted WiFi.
So if you use HTTPS, the traffic is encrypted. If you use a VPN, the traffic is encrypted and the attacker does not know what website you visited.
HOWEVER, whether you use a VPN or not, AirSnitch can attach devices on your LAN, like NAS and file shares.
Perhaps you are trying to say something else or dont know the right words to use but you have simplified what youve read or how you understand it into this awkward statement.
'Essentially breaks LAN encryption' is not correct / is not a thing.
Airsnitch lets an attacker attach to a wireless network and snoop on other traffic routing though the same access point, including traffic routed through a separate SSID/VLAN/Subnet, previously believed to be isolated. There is no 'LAN encryption' involved here.
The context of this post was a client on a public network, like a hospital.
If said client is just a guest on the open network, and attaches and successfully connects to a VPN, Airsnitch does nothing. Even without Airsnitch, an attacker who is capturing the unencrypted open ssid traffic in the air could do the same thing, capture all packets of this users traffic, and -all- of that VPN traffic would be encrypted. This is why a VPN is the best option when on public networks. Man in the middle is not possible when the traffic is encapsulated, versus raw https, because the traffic is not at all exposed outside of the tunnel.
Airsnitch would be troubling only for the other hospital networks/subnets also broadcasting access alongside the public network. In this case an attacker would potentially be able to access the hospital LANs not intended for public access. However typically access to network file storage and other systems have additional authentication that isnt magically broken just because they can be reached.
Alameda
macrumors 68020
If you use HTTPS, your traffic is encrypted. An attacker knows what website you’re visiting. Not a big military secret.