Recently I visited my dental office and noticed a Wi-Fi configuration I haven't seen before. First, there is unsecured (no password) Wi-Fi, but I cannot surf the web yet. I am redirected to a webpage where I see 2 buttons (Facebook and Twitter) to choose from for authentication in order to fully access the internet. I declined to click on any over the unsecured network. As far as I know, my activity can be sniffed while I am on such a network. On the other hand, if I am not mistaken, social network authentication is considered relatively safe. So the question comes, is it safe to merge those two? Is there a risk of my password being sniffed? I also think that it poses a risk on disclosure of personal patient data if that is stored in the same network.
-
Maybe you should describe how it prompted you to login with a social media account. Probably not the official facebook/twitter pages I guess? – Potaito Jun 12 '16 at 09:02
-
At first, there is basically a page with 2 buttons to choose from (fb or twitter). I haven't clicked on any, so I cannot tell where would I be redirected then. – ZygD Jun 12 '16 at 09:15
-
3The authentication is probably `https://` secured. Wonder what happens on different browsers when someone `arpspoof`s you and runs `sslstrip`, and then you try to authenticate. (so, that would break down to http://security.stackexchange.com/questions/1525/is-visiting-https-websites-on-a-public-hotspot-secure). More sophisticated attacks (e.g. DNS-spoofing to redirect you on a completly different login site, the verfy first one) could still be interesting. But if you check that both you are really connected to the right login page and it's using HTTPS, the authentication is secure. – Maximilian Gerhardt Jun 12 '16 at 09:32
-
@MaximilianGerhardt Both Twitter and Facebook use HSTS which makes a simple use of sslstrip useless (in case the servers were requested in the past using the device). However, as you said there are more advanced techniques to sniff data in this scenario, even bypassing HSTS. – bayo Jun 13 '16 at 05:49
-
@MaximilianGerhardt - I guess, assuming I would be redirected to the right login pages after clicking on any of those 2 buttons, I would be at risk only if [the initial page is not HTTPS](http://security.stackexchange.com/questions/1525/is-visiting-https-websites-on-a-public-hotspot-secure#1569)? – ZygD Jun 13 '16 at 09:23
2 Answers
One of the points of social media login is to avoid password entry by resuing your existing loggged-in state with the social media.
If you have not already logged in to the social media site in your browser, simply do that over mobile connection and then connect to this wifi.
Some social media may want to verify your password before you can approve an association, but they will almost always pre-fill the username and may even display your profile picture. This is currently not possible with normal phishing. And as always, check HTTPS and the domain in the address bar before entering the password.
- 3,892
- 1
- 17
- 24
WPA protects against casually plucking your data out of the air on the way to the Wi-Fi router. It has nothing to do with the end-to-end security that Facebook and Twitter uses (HTTPS). Also, logging in this way does not grant them the ability to directly observe your username or password. All they get is a unique token that identifies your account, plus whatever information you explicitly grant access to. Overall, it's an exceptionally safe system. You can even revoke access to their Wi-Fi "app" later from the security / apps section of the relevant social network. If they had WPA encryption, you'd actually have your data encrypted twice up to the Wi-Fi router, once by WPA, and a second time by HTTPS. After it hits the router, WPA no longer applies, but the HTTPS continues all the way to the social network's servers.
- 5,724
- 21
- 24
-
We don't know that OAuth is used as OP didn't check to see. Perhaps it asks for username and password. And with an unsecured network like this, you can't be sure that you're not directly connected to a MITM – Neil Smithline Jun 12 '16 at 14:03
-
The OQ doesn't describe that the wireless network was using WPA. I understood it was neither WEP, nor WPA and of course nor 802.11i protected. – dan Jun 12 '16 at 14:53
-
@NeilSmithline The user should, of course, verify that the padlock icon is shown and matches Facebook's certificate, but there's nothing suspect about the setup as described. TLS would call out a problem if the connection was suspect, because that's one thing it's designed to prevent, a MITM attack. WPA/WEP/etc does not guarantee against a MITM attack, it only limits the ability of people with promiscuous WiFi cards from reading the raw packet data. They're two different, unrelated levels of security. – phyrfox Jun 12 '16 at 15:18
-
@danielAzuelos I mentioned WPA only to emphasize that a secured WiFi connection doesn't protect the data from the access point to the server; that's TLS's job. With a "secured connection", you actually end up with data that's encrypted twice, instead of just once. With an "unsecured connection", an attacker could see the encrypted data going to the server, but they'd still not know the contents, as TLS is intended for that purpose, to encrypt data so a passive attacker can't see the payload. – phyrfox Jun 12 '16 at 15:21
-
What if after such authentication I go to other sites (not HTTPS ones)? Can my packets be read by MITM the same way as they would be without such implementation of authentication (remembering that the WiFi is unsecured)? – ZygD Jun 13 '16 at 09:59
-
1@ZygD yes all activity is subject to eavesdropping, so http:// pages will be visible to everyone. But you wouldn't send important traffic over those anyway would you ;-) this is no different from ANY public wifi you use, it is going to have this issue unless they are assigning long, unique WPA2 passwords to every different user. – Jeff Meden Jun 13 '16 at 16:03