If you have HTTPs everywhere on, how much harm can a malicious wifi network do?
-
but Rethink DNS (check Fdroid) is kind of a helpful here.
Correct. Rethink DNS covers private DNS, VPN connections, and firewall for android.
Rethink does not have built in vpn, but can use wireguard config
-
Rethink does not have built in vpn, but can use wireguard config
Yes, this is what I've said.
-
Correct me if I'm wrong but- manually configuring your DNS in the OS would still enable traffic monitoring, wouldn't it? I always thought DNS traffic is not encrypted by default.
Oh, yeah you're absolutely correct. I was fixated too much on the DNS logging lol
DoH (DNS over HTTPS) or DoT (DNS over TLS) would fix that
-
Oh, yeah you're absolutely correct. I was fixated too much on the DNS logging lol
DoH (DNS over HTTPS) or DoT (DNS over TLS) would fix that
Actually no. The SNI is still not encrypted. So every site you are visiting can still be sniffed.
-
Generally true. You would want to use DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to be sure your DNS queries are encrypted in transit.
Technically if you have a NAT redirect rule that routes all outbound traffic on a specific port, you could redirect to port 53 on the pihole and it would be visible because the DoT/ DoH terminates at the Pi which his brother could control? VPN is still a safe bet.
-
Technically if you have a NAT redirect rule that routes all outbound traffic on a specific port, you could redirect to port 53 on the pihole and it would be visible because the DoT/ DoH terminates at the Pi which his brother could control? VPN is still a safe bet.
You can redirect regular DNS like that, but DoH/DoT is encrypted using certificates with a chain of trust just like any other tls connection (that's kind of the whole point). It would throw security errors breaking dns resolution if you redirected the connection to your own server.
-
You can redirect regular DNS like that, but DoH/DoT is encrypted using certificates with a chain of trust just like any other tls connection (that's kind of the whole point). It would throw security errors breaking dns resolution if you redirected the connection to your own server.
That's true. Was going to setup a NAT rule to test it out but then realized that there's no way I can redirect outbound traffic on 443 to a Pi Hole on 53, lol.
-
As others have mentioned, DNS is probably your worst enemy. It doesn't take much technical knowledge to just create a DNS server and start logging all domains you're accessing. Say, to tell mom how often you're browsing porn or something.
Manually configuring DNS servers in your OS would resolve this issue, but also using VPN like mullivad would just bypass such worries with 99% certainty.
Or just keep using mobile data, because why not
Or just keep using mobile data
That merely moves it to the carrier knowing, though, right?
-
Or just keep using mobile data
That merely moves it to the carrier knowing, though, right?
Nope, but OP mentioned in the post that they're sketched off from their brother who's in control of the home network
-
Correct me if I'm wrong but- manually configuring your DNS in the OS would still enable traffic monitoring, wouldn't it? I always thought DNS traffic is not encrypted by default.
I've configured my home wifi to capture all DNS regardless of its intended recipient. It's unencrypted so it's possible.
I also use encrypted DNS on my phone.
-
Actually no. The SNI is still not encrypted. So every site you are visiting can still be sniffed.
This is resolved in TLS 1.3 with ECH. Adoption is still not wide though, so you're concern is valid.
-
This is resolved in TLS 1.3 with ECH. Adoption is still not wide though, so you're concern is valid.
Was not aware ECH was actually in TLS 1.3 thanks for that. But yes it will take a long time for widespread adoption.
-
I kinda don't trust my home network because my brother is douche and I feel like he's gonna do some weird things with the connection, so I prefer to juse use my phone's data (unlimited data plan) to avoid any shenanigans. Hypothetically, how much harm can an evil wifi do?
Does using HTTPS avoid all risks? What about evey program on your computer or every app on your phone, do they also have HTTPS everywhere on? (I use Android btw)
How much could a VPN do better that HTTPS cant?
Https only encrypts the packet content.
What can happen:
TL;DR:
Evesdropping, spoofing, device vulnerabilities (e.g. using exposed ports).- Attackers can listen and log to which servers you're talking to. This can be combined with the attack explained in the following.
- The can do spoofing attacks by replying to your DNS request with their own IP. For example: you open domain.com and the attacker will not forward domain.com to the trusted DNS server but will instead send you their own IP and website that looks exactly like the website you intent to visit. Since they control this spoofed website they can also intercept all the credentials you enter. If you don't enter credentials or upload or download stuff, nothing can happen. However you'll be safe from spoofing attacks in most cases as popular websites use HSTS which hardcodes the IP addresses corresponding to domains result into your browser, bypassing DNS.
- An attacker could exploit device vulnerabilities that are unrelated to https web traffic. So make sure your OS and software are up to date and you don't have applications running with exposed ports!
-
System shared this topic on
