[Berlin-wireless] encryption over open wifi

[tomas at tuxteam.de]

On Sat, Apr 02, 2022 at 01:40:08AM -0700, freifunki098 at riseup.net wrote:
> hi, 
> there's something I'm wondering about: 
> 
> freifunk provides open wifi. Does this mean that the information
> transmitted over this wifi are unencrypted, unless the client enforces
> encryption, let's say via ssl? 

This is independed. Typically there is also encryption in an open
WiFi (cf. WPA/WPA2). Still, since both sides don't authenticate
against each other, a man-in-the-middle attack is possible.

So using application-specific protocols (SSL/TLS for HTTP, SSH
and so on) is strongly recommended.

> https has become a standard so about that part there isn't to much to
> worry about. 
> ssl for DNS requests aren't yet.

That would be DNSSEC (it can't be TLS, DNS uses the wrong protocol
suite for that). It's not widespread, but it exists.


>            And honestly even I don't know how I
> would set it actually up. The explanations I found confused me, but even
> if I did, I could only do this for my device, but not for the other
> devices that connect to freifunk. 
> So as I understand things, it is freely accessible what webpages people
> look at if they use open wifi and are in the same range (please correct
> me if that assumption is wrong.)

I don't quite understand the above: you can, of course, access web sites
over https via an open WiFi, this is independent.

> If those assumptions are correct, I've been wondering about encrypted
> open access WiFi.

As I wrote above, it /is/ most probably encrypted already, but it isn't
difficult for an eavesdropper to insert itself into the stream: after
all, how do you know the access point out there you are connecting
to is the one you trust (i.e. the authentication problem).

It is more important to you to know the bank you are making a transaction
with is actually your bank, and there are procedures in place to make
that (somewhat) possible (certificates).

>  I learned that with this new wpa3 allows encrypted
> connections, that can't just be decrypted if someone listens on the same
> network. So it would still be a protected encrypted connection, even if
> the password to login is public. 

Exactly. The over-the-air stream is encrypted. It is decrypted at
both ends (your computer and the access point). If you /know for
sure/ you can trust the access point, all is fine. But you don't
know that, at least most of the time :-)

Cheers
-- 
tomás
-------------- nächster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname   : signature.asc
Dateityp    : application/pgp-signature
Dateigröße  : 195 bytes
Beschreibung: nicht verfügbar
URL         : <https://lists.berlin.freifunk.net/pipermail/berlin/attachments/20220402/0ebdec34/attachment.sig>