
What happens when you connect to an open public WiFi? Or what the worst could happen?

Using a VPN these days is more common than using strong passwords on our accounts, but do you really need a VPN on open networks? And what would happen if you didn't connect to one?

Let's see!

When you type in the URL of your favorite website, such as google[.]com, your browser doesn't actually know where google[.]com is. The internet works on IP addresses such as 17.36.36.1; google[.]com is just a human-friendly name that makes it easier for us to remember the website we want to visit.

What happens when you hit enter?

  • Your browser queries the DNS server to find the IP address of the URL. ("DNS", the Domain Name System, is an Internet directory/database that maps domain names to IP addresses.)

  • First, the browser checks its own cache for the URL.

  • If not found, it checks the Operating System's DNS cache.

  • Still no luck? It queries your ISP's DNS server, which either resolves the IP from its cache or acts as a recursive resolver, making requests recursively until it finds the IP.

  • Next, the root name server directs the query to the TLD (Top-Level Domain) nameserver for '.com'.

  • A TLD nameserver is like an index for a specific domain extension, such as .com, .org, or .in.

  • The TLD server directs the resolver to Google's authoritative name server.

  • Finally, we get the IP address as the response, and it gets stored in the various caches for faster future access.

This is a short summary of how DNS translates domain names to IP addresses.

HTTPS: Your First Line of Defense

You've probably noticed the padlock icon before URLs in the address bar. This indicates an HTTPS connection, which encrypts your communication via TLS, so no one, even on the same network, can see your password as you type it into a website.

But HTTPS has limitations, especially on public networks.

While you're using a public Wi-Fi, the admin can only see which sites and apps you're browsing, for how long, and how often you switch between them. They can't read your WhatsApp messages, but they can see you're using WhatsApp. They know you're browsing YouTube, but not which video; only the time you spend on the app is visible, and the spikes in network traffic indicate you're watching something. But what if the site you're on isn't using HTTPS? 🤕

Then they might see everything, including that 28-character password you're so proud of. Or they could steal the session ID from any login, which could be used to impersonate you or access your accounts.

DNS Spoofing: When Google Isn't Google

DNS spoofing: if a DNS record were manipulated so that the IP of google[.]com is replaced with the IP of a malicious website such as sniffer[.]com, one that looks identical to Google but is fake, it could lead to phishing attacks.
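As an added example (not code from the original post), here is a minimal stub-resolver check in Python that works with the DNS message format used in the lookup walked through above and applies the basic defence against the spoofing just described: a reply is accepted only if its transaction ID and question match the query we sent, so a forged answer that does not echo both is dropped. The transaction IDs and the 203.0.113.10 / 198.51.100.7 addresses are constructed values for the demonstration.

```python
import struct

def encode_name(name):
    # 'google.com' -> b'\x06google\x03com\x00'
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    # Read a possibly compressed name at msg[off]; return (name, offset after it).
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_query(name, txid):
    # 12-byte header (flags RD=1, QDCOUNT=1) + question for an A record, class IN
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(txid, name, ip):
    # Constructed reply for this example; a real one arrives from the resolver.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata  # name = pointer to question
    return header + encode_name(name) + struct.pack(">HH", 1, 1) + answer

def parse_response(msg):
    # Return (txid, question name, [(name, ipv4), ...]) for A-record answers.
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    answers, off = [], off + 4  # skip QTYPE/QCLASS of the question
    for _ in range(ancount):
        aname, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata)))
    return txid, qname, answers

def answers_for(query, response):
    # Accept a reply only if it echoes our random transaction ID and our question; anything else is a stray or forged packet and is dropped.
    qname = decode_name(query, 12)[0]
    rid, rname, answers = parse_response(response)
    if rid != struct.unpack(">H", query[:2])[0] or rname.lower() != qname.lower():
        return None
    return answers
```

Real resolvers also randomise the UDP source port and, where available, validate DNSSEC signatures; the ID and question check is the minimum every client does.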

The Man-in-the-Middle

If someone managed to install their own SSL certificate on your device, they could perform an MITM (man-in-the-middle) attack. It's like someone intercepting your mail, reading it, maybe changing it, then sending it on its way, and you get the blame.

A basic example of this is the Burp Suite tool, which requires you to install the Burp certificate in your browser's trusted root authorities. But imagine this happening at the OS level – much more intrusive!

SSL Pinning

Some apps use SSL pinning to prevent such practices. It's like the app having a unique handshake with its backend server: if anyone tries to intercept, the handshake fails. While effective, it's not foolproof on public Wi-Fi.

MAC Address Randomization

From Android 9 onwards, your phone's MAC address (its physical network identifier) is randomized for each Wi-Fi network. It's not randomized for every single connection, but it does change per network. This makes tracking harder, but not impossible.

Even with a random MAC address, your browsing habits can make it easier to uniquely identify you on the network.

The websites you visit daily, the apps you use, how you scroll through YouTube – it all creates a unique digital fingerprint.

Deep Packet Inspection and AI

Network admins can perform DPI (Deep Packet Inspection) to closely analyze even your encrypted traffic patterns, identifying user behaviour from the data flow. With AI it gets even more personal: a detailed profile of you can be built by studying your network activity over time, based on the traffic spikes you cause at particular times of day, day after day.

Evil Twin Siblings

In rare cases, you can be the target of an Evil Twin attack, in which the bad actor creates a Wi-Fi network named exactly like the one you're connected to, then uses a wireless adapter to broadcast deauthentication packets (a type of network packet) that kick you off the network. Until they stop sending the packets, you won't be able to reconnect to the same network, which tricks you into connecting to their fake evil twin network, where they're waiting to capture all your data.
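Added example (not part of the original post): two small checks in Python that a wireless monitoring script could run against the scenario above, one that compares a Wi-Fi scan with a baseline of the network you normally join and flags a same-named network with a different BSSID or security type, and one that counts deauthentication frames per BSSID to spot the burst that precedes the forced disconnect. The SSIDs, BSSIDs, thresholds and frame timestamps are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed baseline of the network the user normally joins (BSSIDs lowercase).
KNOWN_NETWORKS = {
    "CoffeeShop-Guest": {"bssids": {"a4:2b:8c:11:22:33"}, "security": "wpa2"},
}

def find_evil_twins(scan, known=KNOWN_NETWORKS):
    # scan: dicts with ssid, bssid, security ("open"/"wpa2"/"wpa3").
    # Flags beacons that reuse a known SSID but not its BSSID or security type.
    findings = []
    for ap in scan:
        profile = known.get(ap["ssid"])
        if profile is None:
            continue  # an SSID we have no baseline for
        reasons = []
        if ap["bssid"].lower() not in profile["bssids"]:
            reasons.append("BSSID not in trusted set")
        if ap["security"] != profile["security"]:
            reasons.append(f"security {ap['security']}, expected {profile['security']}")
        if reasons:
            findings.append((ap["ssid"], ap["bssid"], reasons))
    return findings

def deauth_bursts(frames, window=5.0, threshold=10):
    # frames: (timestamp_seconds, frame_type, bssid). Returns {bssid: count} for any
    # BSSID exceeding `threshold` deauth frames inside a sliding `window`; a burst
    # attributed to the legitimate AP is a strong hint that someone is spoofing it.
    per_bssid = defaultdict(list)
    for ts, ftype, bssid in frames:
        if ftype == "deauth":
            per_bssid[bssid.lower()].append(ts)
    flagged = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[bssid] = end - start + 1
                break
    return flagged

# Constructed scan result and frame capture for demonstration.
SCAN = [
    {"ssid": "CoffeeShop-Guest", "bssid": "A4:2B:8C:11:22:33", "security": "wpa2"},
    {"ssid": "CoffeeShop-Guest", "bssid": "02:11:22:33:44:55", "security": "open"},
]
FRAMES = [(0.1 * i, "deauth", "a4:2b:8c:11:22:33") for i in range(25)] + [(3.0, "beacon", "a4:2b:8c:11:22:33")]
```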

The list of what can be done wirelessly goes on.

To protect yourself:

  1. Use a VPN

  2. Use common sense to not access sensitive data on such networks

  3. But be careful which VPN you choose:

When you connect to a VPN (a reputable one like Proton or Mullvad), every query, message and client request you send is masked behind the dedicated IP of the VPN provider: it passes through the VPN tunnel to the provider's end server, which requests the response on your behalf and relays it back to you. But if it's some free or sketchy service whose claims sound too good to be true, then you may well be no better off than you were on the open network.

They could:

  • Sell your browsing data to advertisers

  • Inject ads into your browsing

  • Not actually encrypt your traffic

  • Be malware in disguise

  • Or much worse - use your device as part of their botnet

So, are you at risk without using a VPN? Well, not always, but why take the chance? A trustworthy VPN adds that extra layer of protection, especially on public Wi-Fi, where you never really know who's watching.
