cross-posted from: https://slrpnk.net/post/25779751
The intative promises to be privacy-friendly with no tracking. Stating:
Your privacy is important. The WiFi4EU app ensures a private online experience with no tracking or data collection. Simply connect and enjoy free public Wi-Fi without concerns.
Source: https://digital-strategy.ec.europa.eu/en/policies/wifi4eu-citizens
Will be interesting to see how this spans and plays out in reality. Looks promising too, did a quick scan of their builtin permissions and trackers and looks good too. (Scanning tool is called Exodus)
You don’t have to trust them any more than you trust your local Starbucks WiFi. We’re at the point where your traffic should no longer be vulnerable just because you’re on the wrong WiFi network.
My traffic is not vulnerable, but my device might be.
When you connect to public WiFi, you also share it with others, and maybe someone on that network wants to test out their new hacker skills ?
Maybe not as much of a problem for phones, but that juicy developer laptop running unauthenticated MongoDB with a dump of the production database… yup, that now “mine”.
Ideally all those services should be listening on 127.0.0.1 / ::1, but everybody makes mistakes. Maybe the service comes preconfigured to listen on 0.0.0.0.
I feel like the OP you’re responding to. Explain how I should be comfortable? The idea creeps me out, but I admit I haven’t delved into security for a few years.
HTTPS is used on virtually every site out there these days. That is used to encrypt your traffic from the get go. So specifics of the traffic/request won’t be obvious/known. The EU could be big enough to force manufacturers to inject their certificates into devices… could be a man in the middle attack. But you can always just remove certs you don’t trust from your devices.
DNS by default is often plaintext. You can setup your device to use DoH or other encrypted versions of DNS.
That leaves just the raw connection analysis… eg, that your device is sending traffic to some known IP… many site share hosts so that can be hard to determine though often not really… Proxy or VPN services can make it impossible to do this type of analysis… but then those services will be able to tell.
Ultimately being able to say that “Shalafi sent some packets to an IP that google owns and received a bunch back” could be email… could be youtube… could be any number of things… at some point it become educated guess at best. And what specifically happened (ex: Watched a video about tying shoes) is simply unknown. It would take a bunch of external additional data to actually tie you to anything directly, eg server logs or other sources… which usually means more than one party is already working together against you. At that point you’ve got bigger issues usually.
You don’t HAVE to be comfortable. But if you use any sort of public WiFi, this is no riskier than any of those networks. They can grab some metadata unless you use a VPN, but likely less than what your ISP already has on you anyway. Basically, there’s no reason this should be putting up any major red flags. We’re past the days when a malicious access point could MitM most connections due to lack of encryption.