Dear Journal,
This is where my journey begins. 35,000 feet in the air and as soon as he’s able he powers me on, AGAIN. Whatever happened to “Sorry for a delayed reply, I was on a plane!” Come on man, enjoy 9½ hours of uninterrupted time staring into the clouds, reading that in-flight magazine, or better yet catching up on your sleep! Nope, he’s not listening to me as he’s impatiently trying to connect to in-flight Wi-Fi, along with many other passengers on this United flight to London. Yes, he flies United. Does he ever learn anything?!
Did you know that a Wi-Fi attack on an open network can take less than 2 seconds? This is scary! Hello? Are you listening to me? You must know how to use Wi-Fi hotspots securely, and if you must stay connected, can you at least use a VPN connection?! Or better yet, power me down, sit back, relax, and enjoy the flight.
Did you know that the main Wi-Fi network that passengers are supposed to use on this flight is no different from the public Wi-Fi available at any coffee shop, mall, hotel? I always thought it’s a lot more secure, considering all the security measures we must go through to even travel by air. Nope, the network is wide open.
It’s super easy for hackers to use a man-in-the-middle (MitM) attack to eavesdrop on your data as it travels from point A (your laptop for example) to point B (a website) and see which websites you’re browsing, emails that you’re sending and receiving, and passwords that you use to log in to Facebook.
GOOD BOY! He’s logging into the WatchGuard Firebox SSL VPN. I taught him well!
Download A Field Guide to Secure Wi-Fi–Observations From Your Laptop eBook and continue with me on my adventure.
Until next time,
Mac
Kurt says
If they can see your facebook password, what’s stopping them from seeing the ssl vpn password?
Marc Laliberte says
Most Wi-Fi MitM attacks require that the initial web request is sent over unencrypted HTTP. In normal web browsing, this is common because most users enter a URL without manually specifying whether to use HTTP or HTTPS (e.g. they enter “facebook.com” instead of “https://facebook.com”).
SSL VPN connections like those to the WatchGuard Firebox on the other hand, are initiated by special client software (not a web browser) and hard-coded to require TLS. An attacker on the wireless network cannot MitM the connection without triggering obvious TLS warnings like certificate errors. If the victim happily clicks through a certificate error, there really isn’t a whole lot you can do to protect them.
–Marc
Kurt says
Facebook automatically forwards the user to “https://facebook.com” if only “facebook.com” is entered, so is this a bad example? Many other sites are moving to HTTPS only as well, especially with the new Chrome changes coming into effect soon.
Marc Laliberte says
Ignoring things like HSTS (which can be defeated using domain name redirects), Facebook and other sites use HTTP redirects in their response messages to forward users to the secure version of their site. Here is an example of the request/response headers for a user entering “facebook.com” into their browser.
**Request**
Request URL: http://facebook.com/
Request Method: GET
**Response**
location: https://www.facebook.com/
status: 301
The browser sees the 301 status code and sends a new request to the destination returned in the “location” header.
In the case of a MitM attack, the attacker receives the request via HTTP and uses a proxy to send a new request off to the actual Facebook. This proxied connection is redirected to HTTPS and loads no problem on the attacker’s end. The attacker then sends the loaded content back down to the victim over the original channel, no HTTPS needed.
–Marc
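The two points Marc makes in this thread (a typed “facebook.com” goes out as plain HTTP and is only upgraded by the 301 redirect, and an HSTS policy the browser already remembers removes that plaintext first hop) can be modelled in a few dozen lines. The following is an added example, not code from the post or from WatchGuard: it parses constructed HTTP/1.1 responses in the shape of the request/response pair quoted above, replays a browser’s navigation against a constructed in-memory “server”, and reports which hops went over plain HTTP, which is exactly the window an on-path attacker on open Wi-Fi has. The hostnames, the `max-age` value and the `SERVER` table are assumptions made for illustration; HSTS `includeSubDomains` and the preload list are deliberately not modelled.

```python
"""Added example, not code from the post or from WatchGuard: a minimal model of
the redirect exchange quoted in the comments (plain-HTTP request for
facebook.com answered with a 301 to https://www.facebook.com/) and of how a
remembered HSTS policy changes what a browser puts on the wire. Hostnames and
header values below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample responses in raw HTTP/1.1 form.
RESP_301_TO_HTTPS = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.facebook.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESP_PAGE_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=15552000; preload\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed in-memory "server": which raw response each absolute URL gets.
SERVER = {
    "http://facebook.com/": RESP_301_TO_HTTPS,
    "https://www.facebook.com/": RESP_PAGE_WITH_HSTS,
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict[str, str]  # names lower-cased: HTTP header names are case-insensitive


def parse_response(raw: bytes) -> Response:
    """Parse the status line and headers of an HTTP/1.x response (body ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    version, status, *_ = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(int(status), headers)


def hsts_max_age(headers: dict[str, str]) -> int:
    """max-age from Strict-Transport-Security, or 0 if absent or unparseable."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def normalize(url: str) -> str:
    """Give a bare typed address a scheme and make the path explicit."""
    if "://" not in url:
        url = "http://" + url  # browsers default a bare hostname to plain HTTP
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


class Browser:
    """Tracks the HSTS cache of one browser profile across navigations."""

    def __init__(self) -> None:
        self.hsts_hosts: set[str] = set()

    def _apply_hsts(self, url: str) -> str:
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hsts_hosts:
            # Known HSTS host: upgrade before any plaintext request is sent.
            return urlunsplit(("https", p.netloc, p.path, p.query, ""))
        return url

    def navigate(self, typed: str, server=SERVER, max_hops: int = 5) -> list[str]:
        """Return the sequence of absolute URLs actually requested."""
        url = self._apply_hsts(normalize(typed))
        requested: list[str] = []
        for _ in range(max_hops):
            requested.append(url)
            resp = parse_response(server[url])
            # RFC 6797 section 8.1: HSTS is only honoured when received over TLS.
            if urlsplit(url).scheme == "https" and hsts_max_age(resp.headers) > 0:
                self.hsts_hosts.add(urlsplit(url).hostname)
            if resp.status in REDIRECT_CODES and "location" in resp.headers:
                url = self._apply_hsts(normalize(urljoin(url, resp.headers["location"])))
                continue
            break
        return requested


def plaintext_hops(requested: list[str]) -> list[str]:
    """The URLs in a navigation that went over plain HTTP (the interception window)."""
    return [u for u in requested if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    b = Browser()
    first = b.navigate("facebook.com")
    print("first visit:", first, "plaintext hops:", plaintext_hops(first))
    again = b.navigate("www.facebook.com")
    print("revisit www:", again, "plaintext hops:", plaintext_hops(again))
```

Running it shows the first visit requesting `http://facebook.com/` in the clear before the 301 sends it to HTTPS, while a later visit to `www.facebook.com` never leaves HTTPS because the HSTS policy learned over TLS is applied before the request goes out. Typing the bare `facebook.com` again still produces a plaintext first hop, since only `www.facebook.com` set the policy in this constructed server; that is the gap the SSL VPN client described above avoids by never speaking anything but TLS.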