nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
GOP delegates suckered into connecting to insecure Wi-Fi hotspots

Anonymous Coward

" When joining public Wi-Fi, consumers should utilize a VPN service [...]"

Did they measure how many connections used a VPN?

10
0
Bronze badge

Well given they gave percentages by the service they connected to, I am assuming (hoping) that at east the users they logged were not. But I suspect a vanishingly small number.

0
0

RE: How many used a VPM

2

According to the brilliant and totally not forgotten forum system a post must contain letters, so I will add to the post:

That's not a %

0
0

Why? - Let's have some critical journalism

This is a vendor produced survey - so surely a little more of the scepticism the Register is famous for?

Last time I looked Gmail, Amazon, Sykpe, What'sApp all used HPPS and/or were Encrypted protocols.

So what is actually the problem?

And why do I need a VPN? Other than a vendor is trying to flog me one?

2
10

Re: Why? - Let's have some critical journalism

Avast obviously weren't being malicious.

However.

Let's say I can convince you to connect to a WiFi access point (AP) I control.

Chances are you use the DHCP server in my AP to get an IP address *and DNS server address*.

So I configure my AP to point you at a DNS server I also control.

When you type www.facebook.com in the browser, I can deliver a DNS result that points you at a web server I also control, that provides a facebook lookalike login page.

You don't look close enough to notice that this particular connection to Facebook isn't redirected to HTTPS, you log in, I get your facebook password.

You can replace "facebook" for "most other secure websites", unless you've visited them before, and they use HTTP Strict Transport Security, and your browser supports it (Facebook actually do send HSTS headers, but many other secure sites, e.g. online banks, don't.

17
0

Re: Why? - Let's have some critical journalism

And actually, I don't need to control the DNS server, that just makes it easier. Since I can see and intercept all your traffic to my AP, I can look out for any initial non-HTTPS request and spoof a response, for example.

This also works with secure access points, if there is a common password I can get hold of (e.g. WPA2-PSK). If there's a hotel or pub that has a known WiFi password they provide to customers (maybe they stick it up behind the front desk/bar), for example, I could easily set up an AP using the same SSID and password and chances are at least some of the time (e.g. if your device has a stronger signal from my AP than from the hotel's) you will end up connecting to my network.

12
0
Anonymous Coward

Re: Why? - Let's have some critical journalism

Google "Man in the middle attack" and "Proxy Server"

When I'm at work my work Proxy Server is kind enough to remind me that it will be spoofing my connection to gmail so it can have a look at all the content before it gets sent as https to google. It also spoofs the stuff that's coming back i.e. it pretends to be me and then passes on the content to me. It does this because work doesn't want me downloading any attachments, well not at least until they have been virus checked, once they are checked (takes a few milliseconds) and cleared they are passed them on to me. This is all done transparently except for the initial page from the proxy server reminding me that it's going to be reading all the content. I work for a nice company, they just do this for virus checking, they aren't really interested in my personal emails and they don't keep a record of my login details, but they do warn me that they can see all of this stuff because I'm going through their Wireless access in the office and onto the internet.

Man in the middle attacks do the same thing except you don't get a nice warning screen and they aren't looking to virus scan any attachments for you they are after all the content including of course your google username and password.

3
0
Silver badge

Re: Why? - Let's have some critical journalism

Upvote for this. How is a fake WiFi AP any more dangerous than other public forms of Internet?

Most people have their apps and browsers remember logins, and that isn't fooled by a fake encrypted site. Downgrading to HTTP would disable automatic login and likely present an insecure form warning. Mobile apps and firmware are digitally signed to prevent tampering.

The one exception is sites not using HTTPS for login. No respected site would do that, right Reg?

3
0

Re: Why? - Let's have some critical journalism

I suspect that your company will have installed into your browser a special company-only root certificate, to enable you to get an HTTPS connection to the proxy server. Because otherwise your browser will complain that it is not certified by Google.

But if you're at the Republican Convention on an iPhone (i.e. browser supports HSTS) then I think it would refuse to connect to a proxy for GMail (or other sites with HSTS).

0
0

Yahoo! mail!

jeez the Republicans have moved on, I thought they would be AOL, you know Assholes On Line.

16
4
cd
Bronze badge

Re: Yahoo! mail!

That was the old days, now they're all yahoos. Maybe Yahoo sent them install CD's.

3
0
Bronze badge

Stating the bloody obvious

John Leyden sir, this is a pretty tech savvy site do you really need to tell us Avast is an antivirus firm?

3
4
DJO

Re: Stating the bloody obvious

Really, I always thought they made CPU stress test software, the AV stuff is surely just a by product of winding the CPU up to 100%

13
0
Flame

Wow! 1.5% Windows Phone

Looks like we're all wrong, WP is alive,well and positively thriving.

3
0

Re: Wow! 1.5% Windows Phone

[quote]Looks like we're all wrong, WP is alive,well and positively thriving.[/quote]

Well dinosaurs use dinosaur phones after all

1
0
Silver badge

I have pureVPN on my phone (paid for version) but it has never worked great on vodafone and is almost never works on three.

1
0
Silver badge

Interesting. Wonder if those networks deliberately interfere with VPNs, or maybe VPN traffic is just less tolerant of shitty networks?

0
0
Silver badge

The pop up on the app says the network may be interfering with traffic but it's hard to tell.

0
0
Silver badge

• 0.24 per cent visited pornography sites like Pornhub.com

While at the convention hall itself?

The toilet stalls must have been full of wankers.

2
0
Anonymous Coward

Well the convention hall was anyway....

22
1
Silver badge

Try harder. 1 out of 800 delegates visiting a porn site at least once during the convention seems rather low. I wonder what percentage the Democrats would ring up?

Not that this sort of scrutiny will be needed for Democrats, mercy!

3
3
Silver badge

Sorry, brain fart time. The ratio is actually 1:400, twice as smutty as I stated before.

Still, that's more like it! :-D

2
0
Silver badge
Paris Hilton

Must be just one or two lonely types or someone doing "research". Rumor has it the party conventions are rather notorious for their randiness. A bit yelling, shouting, music to get people hyped up and they hit the night spots as soon as evening's events are over. Then their main event for being there starts...

Paris.. well because....

0
0
Anonymous Coward

GOP Convention Spikes Demand for Male Escorts

https://nypost.com/2016/07/21/male-escorts-are-making-crazy-money-at-the-rnc/

0
0
Anonymous Coward

Not really a valid study since this was at the Republican National Convention, so by definition everyone there is an idiot.

10
4

Pokemon Go

That will probably be the due to the guy running Stephen Colberts Condiment Cam on Facebook.

0
0

Yes yes

But hiw many of them bought a coffee?

Starbucks et al are basically rain shelters and wifi providers these days arent they?

1
0
Silver badge
WTF?

Shurely shome mishtake

More people shopped on Amazon than played Pokemon Go?

0
0
Bronze badge

A.C.: I work for a nice company,

Until the guys with the most stock sell said "nice company" to Attila the takeover artist, and one way to pay off the resultant huge debt load is to sell all the skimmed info (employees and customers) on the open market. Or the company goes bankrupt and the trustee does the same.

2
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing