cross-posted from: https://slrpnk.net/post/25779751
The intative promises to be privacy-friendly with no tracking. Stating:
Your privacy is important. The WiFi4EU app ensures a private online experience with no tracking or data collection. Simply connect and enjoy free public Wi-Fi without concerns.
Source: https://digital-strategy.ec.europa.eu/en/policies/wifi4eu-citizens
Will be interesting to see how this spans and plays out in reality. Looks promising too, did a quick scan of their builtin permissions and trackers and looks good too. (Scanning tool is called Exodus)
I feel like the OP you’re responding to. Explain how I should be comfortable? The idea creeps me out, but I admit I haven’t delved into security for a few years.
HTTPS is used on virtually every site out there these days. That is used to encrypt your traffic from the get go. So specifics of the traffic/request won’t be obvious/known. The EU could be big enough to force manufacturers to inject their certificates into devices… could be a man in the middle attack. But you can always just remove certs you don’t trust from your devices.
DNS by default is often plaintext. You can setup your device to use DoH or other encrypted versions of DNS.
That leaves just the raw connection analysis… eg, that your device is sending traffic to some known IP… many site share hosts so that can be hard to determine though often not really… Proxy or VPN services can make it impossible to do this type of analysis… but then those services will be able to tell.
Ultimately being able to say that “Shalafi sent some packets to an IP that google owns and received a bunch back” could be email… could be youtube… could be any number of things… at some point it become educated guess at best. And what specifically happened (ex: Watched a video about tying shoes) is simply unknown. It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources… which usually means more than one party is already working together against you. At that point you’ve got bigger issues usually.
this is such an oversimplification. maybe it’s hard to distinguish between google services, but if you play some online game, chat over whatsapp or signal, or have a voip call, that’s an entirely different story. these can probably be told apart by DNS requests or active connections, and in the case of communications, messaging and voice calling is obvious to tell apart because of the difference in the volume of data. when having a voip call, through a service that supports peer to peer calls (most do, and it’s default on), an observer may even be able to deduct something about who you are speaking with, like what general area they live at.
then what if you have apps that try to establish connections to services at home. like smb or nfs, https services. your smb/nfs client may leak your credentials, I think even linux does not encrypt smb communication unless you request it in a mount option, and with HTTPS you leak your internal domain names because of TLS SNI.
Forgive me for not covering 100% of this advanced topic in my 3 paragraphs on Lemmy… Nuance gets long, and most people have attention spans of a squirrel.
Already covered as
Where specifics can’t be divined… but other details might.
Addressed already with
Actually this is quite unlikely. ASNs are not as structured as you think. It takes an external database that specifically tracks DHCP’d ISP addresses. Case in point, when I moved to my new house… Google maps though I was a good 60 miles away from where I was… it was after repeated access to google maps and other service for about a month before maps started getting accurate with where I’m accessing their service from.
And that point is covered with
If you purposefully steer your car off the road… of course you’re going to crash. If you’re going to expose non-encrypted things onto the internet…
I would suspect the untrusted wifi to NOT be the leading thing you’d want to care about in this situation. But even then… I would start making reasonable assumptions such as you’re likely on a DHCP connection without static addressing… your site and resources will rotate IPs every once in a while. Makes tracking you even harder.
Encrypted SNI (ESNI) / Encrypted Client Hello (ECH) exists… Cloudflare for example supports ECH, and they transit a LOT of data.
But once again… would be outside of the scope of discussion here. Yes… an ISP can make an educated guess of where you’re likely to be going… and maybe even make a reasonable guess of what you could doing… But certainly not the details of it.
And this all ignores the fact that a random coffee shop isn’t going to do full packet inspection to get this data to begin with. It’s not worth it for them. They gain very little from collecting meta data without some bigger company backing them to do so… Which falls under
Edit: Typo that changed meaning. Fixed.
Quite obviously the problem is not that you did not write an 560 page essay, but that you were misleading by basically saying “nah, it’s fine, nothing could leak, everything is ultra secure nowadays”.
did you just ignore a whole lot of points here? DNS, SNI? smb clients? whatever else? its not like I’m using HTTP. things are largely encrypted, the rest is out of reach!
how many sites exactly support that configuration? do you need additional configuration for that in e.g. nginx? if so, most selfhosters probably don’t have it, because it’s talked about almost nowhere.
and is it finally enabled by default in firefox? will firefox just retry without encryption when the connection fails?
it is certainly in scope. the discussion is not about security and your accounts getting hacked by evil EU, but privacy and data mining, for which all of these is a treasure trove.
probably not the coffee shop but the networking equipment, where even cheaper models include some form of “smart cloud security”
The fact that I addressed some of these items literally line by line and you bring it up again as if I didn’t address it tells me that you’re arguing in bad faith. Have a good day. Find someone else to complain to.
You don’t HAVE to be comfortable. But if you use any sort of public WiFi, this is no riskier than any of those networks. They can grab some metadata unless you use a VPN, but likely less than what your ISP already has on you anyway. Basically, there’s no reason this should be putting up any major red flags. We’re past the days when a malicious access point could MitM most connections due to lack of encryption.
Every site uses HTTPS which encrypts your data in transit. Even if they sniff the packets, they would spend literal decades trying to decrypt it.
Just be wary of visiting sites or sending traffic not over HTTPS. Its rare, but it does happen.
HTTPS does not protect against everything. there’s many other protocols that apps can use for whatever use case, and even HTTPS traffic leaks lots of information directly or indirectly, like the websites you visit (because of DNS, and TLS SNI)
What the others said. If you want a practical example of this working, have a look at eduroam. It’s the joint WiFi of all European universities and I cannot recall that there ever were any privacy issues.