If you have HTTPs everywhere on, how much harm can a malicious wifi network do?
from IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com to privacy@lemmy.ml on 24 Feb 19:23
https://lemmy.dbzer0.com/post/38580115

I kinda don’t trust my home network because my brother is douche and I feel like he’s gonna do some weird things with the connection, so I prefer to juse use my phone’s data (unlimited data plan) to avoid any shenanigans. Hypothetically, how much harm can an evil wifi do?

Does using HTTPS avoid all risks? What about evey program on your computer or every app on your phone, do they also have HTTPS everywhere on? (I use Android btw)

How much could a VPN do better that HTTPS cant?

#privacy

threaded - newest

catloaf@lemm.ee on 24 Feb 19:30 next collapse

The HTTPS everywhere extension only covers the browser. Other applications might be vulnerable. If he controls the network, he could hijack your DNS and intercept all other connections. He could also use a downgrade attack to force an insecure version of TLS and compromise that.

But that’s extremely unlikely, unless he’s either a skilled attacker or can use tools like metasploit.

furrowsofar@beehaw.org on 24 Feb 19:33 next collapse

Kind of depends. The one thing that an untrusted network may be able to do is adjust routing tables. Some systems and some VPNs may be protected from this, some may not. At least the https connections should be secure but where you’re connecting can be trracked. DNS is vunerable too unless you set your browser system to use a secure connection to DNS server you trust.

cmgvd3lw@discuss.tchncs.de on 24 Feb 19:39 next collapse

HTTPS encrypts traffic making it hard for packet sniffers to know what is being transferred. If you are using unsecured WiFi, there is a chance of DNS manipulation like, switching domain names etc. If you’re using VPN, you hide your identity (IP) from the websites you visit and also if its configured to use their own DNS server, you can somewhat eliminate the DNS manipulation.

Anyways if you’re not sure, try to use a VPN and HTTPS everywhere and use firewall to lock down all your exposed ports. I don’t know how to configure firewall for port lockdown in android, but Rethink DNS (check Fdroid) is kind of helpful here.

Xanza@lemm.ee on 24 Feb 19:57 next collapse

but Rethink DNS (check Fdroid) is kind of a helpful here.

Correct. Rethink DNS covers private DNS, VPN connections, and firewall for android.

cmgvd3lw@discuss.tchncs.de on 24 Feb 20:46 collapse

Rethink does not have built in vpn, but can use wireguard config

Xanza@lemm.ee on 24 Feb 21:15 collapse

Yes, this is what I’ve said.

JubilantJaguar@lemmy.world on 24 Feb 20:22 collapse

if you’re not sure, try to use a VPN and HTTPS everywhere and use firewall to lock down all your exposed ports

If beginners are reading, don’t panic. This advice should be taken with a grain of salt. I remember being a beginner and getting this kind of advice and how it caused me a whole of lot of completely unnecessary anxiety.

VPN: all but unnecessary for security purposes (it’s useful for geo spoofing). If you really don’t trust your wifi, then start by manually setting your DNS (to 1.1.1.1 or whatever) as others have said.

HTTPS everywhere: sure, and this is now the default in your browser.

Firewall: totally unnecessary to fiddle with this on a home PC. It will be hard-set in your router anyway, there’s nothing to worry about.

hemko@lemmy.dbzer0.com on 24 Feb 19:50 next collapse

As others have mentioned, DNS is probably your worst enemy. It doesn’t take much technical knowledge to just create a DNS server and start logging all domains you’re accessing. Say, to tell mom how often you’re browsing porn or something.

Manually configuring DNS servers in your OS would resolve this issue, but also using VPN like mullivad would just bypass such worries with 99% certainty.

Or just keep using mobile data, because why not

Peffse@lemmy.world on 24 Feb 20:10 next collapse

Correct me if I’m wrong but- manually configuring your DNS in the OS would still enable traffic monitoring, wouldn’t it? I always thought DNS traffic is not encrypted by default.

AnAmericanPotato@programming.dev on 24 Feb 20:13 next collapse

Generally true. You would want to use DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to be sure your DNS queries are encrypted in transit.

root@lemmy.world on 25 Feb 02:31 collapse

Technically if you have a NAT redirect rule that routes all outbound traffic on a specific port, you could redirect to port 53 on the pihole and it would be visible because the DoT/ DoH terminates at the Pi which his brother could control? VPN is still a safe bet.

Darkassassin07@lemmy.ca on 25 Feb 05:28 collapse

You can redirect regular DNS like that, but DoH/DoT is encrypted using certificates with a chain of trust just like any other tls connection (that’s kind of the whole point). It would throw security errors breaking dns resolution if you redirected the connection to your own server.

You would still be better off with a vpn wrapping the connection however as the SNI in each https connection is unencrypted and can be used to log your traffic.

root@lemmy.world on 25 Feb 05:51 collapse

That’s true. Was going to setup a NAT rule to test it out but then realized that there’s no way I can redirect outbound traffic on 443 to a Pi Hole on 53, lol.

hemko@lemmy.dbzer0.com on 24 Feb 22:04 next collapse

Oh, yeah you’re absolutely correct. I was fixated too much on the DNS logging lol

DoH (DNS over HTTPS) or DoT (DNS over TLS) would fix that

ShortN0te@lemmy.ml on 24 Feb 23:32 collapse

Actually no. The SNI is still not encrypted. So every site you are visiting can still be sniffed.

Akui@lemmy.ml on 25 Feb 17:49 collapse

This is resolved in TLS 1.3 with ECH. Adoption is still not wide though, so your concern is valid.

ShortN0te@lemmy.ml on 26 Feb 09:42 collapse

Was not aware ECH was actually in TLS 1.3 thanks for that. But yes it will take a long time for widespread adoption.

pHr34kY@lemmy.world on 25 Feb 10:06 collapse

I’ve configured my home wifi to capture all DNS regardless of its intended recipient. It’s unencrypted so it’s possible.

I also use encrypted DNS on my phone.

Flagstaff@programming.dev on 25 Feb 07:50 collapse

Or just keep using mobile data

That merely moves it to the carrier knowing, though, right?

hemko@lemmy.dbzer0.com on 25 Feb 08:20 collapse

Nope, but OP mentioned in the post that they’re sketched off from their brother who’s in control of the home network

Telorand@reddthat.com on 24 Feb 20:07 next collapse

I think there’s some fundamental misunderstandings about what each technology does.

  • HTTPS encrypts the data you send to each website. However, there’s no guarantee a website will respect that setting (though they often do) and it may or may not include ancillary data and trackers from third party JavaScript; if there’s an issue, your browser may fallback to HTTP mode. DNS requests will almost always be unencrypted, so each gateway between you and the website can at least see where your IP address went.
  • VPNs essentially act as a proxy for your internet browsing. What that means is that anyone who could sniff your traffic can see that you established an encrypted tunnel to the VPN IP, but they would have to be able to track that second IP address to see where you were going. Each gateway operator between you and the VPN can only see that you connected to the VPN, and the VPN will forward all traffic requests you made back to you via an encrypted tunnel. Good VPNs will also send your DNS requests to their servers, so all anyone can see is that your connection is wholly tied to the VPN.

In your case, your brother could mess with the DNS on the router to send you wherever he wants when you type in google.com, he could set up a hosts file to block you from going to specific sites or IP addresses, or he could manipulate any unencrypted data packets you receive.

Using your phone internet just puts your privacy in the hands of your phone’s network operator instead. How much do you trust them not to rat you out?

If you want anonymity or ways to get around blocks, you need to use a logless VPN at minimum or something like Tor, depending on your needs.

doodledup@lemmy.world on 26 Feb 12:52 collapse

Https only encrypts the packet content.

What can happen:

TL;DR: Evesdropping, spoofing, device vulnerabilities (e.g. using exposed ports).

  • Attackers can listen and log to which servers you’re talking to. This can be combined with the attack explained in the following.
  • The can do spoofing attacks by replying to your DNS request with their own IP. For example: you open domain.com and the attacker will not forward domain.com to the trusted DNS server but will instead send you their own IP and website that looks exactly like the website you intent to visit. Since they control this spoofed website they can also intercept all the credentials you enter. If you don’t enter credentials or upload or download stuff, nothing can happen. However you’ll be safe from spoofing attacks in most cases as popular websites use HSTS which hardcodes the IP addresses corresponding to domains result into your browser, bypassing DNS.
  • An attacker could exploit device vulnerabilities that are unrelated to https web traffic. So make sure your OS and software are up to date and you don’t have applications running with exposed ports!

A VPN will prevent the first two attacks.