Not sure if I used the correct terms but what is the difference in security and privacy between downloading from a public wifi (or a closed wifi; with password) and mobile hotspot (sharing 4G/5G data from your phone to your computer)? Which one is recommended or does it not matter?
Well, using a mobile hotspot will tie the IP address to your phone, so probably not a great idea if your name is listed on the account. Honestly, just use a quality VPN and you’ll be fine with your home connection.
Even if it’s not the same protection as with a VPN sharing your mobile connection is a better idea than using your real ISP connection. Cause in fact most of mobile ISP use about 200 people on the same IP adress, that’s why for example these IPs are good for scraping, because Google and others web services whitelist these IPs cause they know that they are going to ban 200 people
I also did use a VPN on both mobile and computer. Does that change anything?
Yes a VPN will hide your IP address from the server you’re connecting to. The VPN service will still see your IP and may log/record it. You also have to watch out for things like DNS leaks.
Also have to make sure that the public WiFi network one’s device is connected to doesn’t block VPN connections, as was the case at at least one Walmart I tried using the WiFi at.
Absolutely! Wireguard (for example) uses UDP 51820 (normally) which will mlre than likely be blocked, but that won’t stop you from using something like cntlm to proxy it over an allowed port like 443/80. DPI or some intercepting proxies would likely still filter it.
On the public wifi, the operator of that wifi can see any data you pass through their network. They can likely see what sites you visit, but probably can’t see what data you send to and from those sites, due to encryption. Unless they have an account with you, or you provide your information in clearext, they can link your data to your devices, but not to you directly, at least not from your use of the AP. They can potentially link your data to your image on their cameras, and thus your identity.
Your ISP has the same access to your data, but they also have a payment account linked to you, and they regularly cooperate with rights holders and law enforcement.
A VPN can do the same thing as an ISP: they know what sites you visit, but probably don’t know what data you are sending and receiving, and they can link it to your payment account. However, they generally do not cooperate with rights holders, and may or may not cooperate with law enforcement in their jurisdiction. While you are using a VPN, your ISP knows you are using them, but doesn’t know what you are sending back and forth, due to encryption.
If you want to remain as anonymous as possible, use a burner device with no accounts on public wifi.
If you want to avoid harassment by rights holders while you engage in piracy, a VPN is sufficient.
Your ISP has the same access to your data, but they also have a payment account linked to you, and they regularly cooperate with rights holders and law enforcement.
This varies widely by ISP and jurisdiction. I never use a VPN and my ISP doesn’t give a fuck what I download. They forward me the scary letters from the rights holders but they always preface it with “don’t worry, we ain’t no snitch”
What incentive do they have to actually follow through on that claim?
I pay my ISP $600/yr. If a third party with a bug up their ass creates $601 worth of trouble for my ISP, why wouldn’t they throw me under the bus?
No ISP is deserving of the kind of trust you describe. It costs them nothing to put those words in a letter.
I don’t particularly trust a VPN provider either, for much the same reason. But, the VPN provider wants to know as little about me as possible, while the ISP needs to know everything.
The law in Canada limits the ISP’s risk exposure and the pursuable damages of the rightsholder. Also it definitely would cost them if they told me “we have not responded to this notice from the rightsholder” and then turned around and did exactly that. That would be a flat out lie to their client. I’d have grounds to sue in a situation like that.
Also, I’ve been doing this for almost a decade and never had any problems. Maybe you shouldn’t assume that your situation is everyone’s situation.
You don’t have any justification to be that condescending. Your security practices are reliant on the law, and the law is not a factor under your direct control. It has changed without your input before, and it will change without your input in the future. Meanwhile, your ISP is building a record of your non-compliance that it can provide to rightsholders just as soon as it likes.
Good security practice minimizes reliance on factors outside your control. You can’t control whether your ISP has your personally identifiable information, but you can deny them knowledge of your data transfers. You can’t control whether a VPN has knowledge of your data transfers, but you can deny them knowledge of your PII.
Also it definitely would cost them if they told me “we have not responded to this notice from the rightsholder” and then turned around and did exactly that. That would be a flat out lie to their client.
As of the time of their letter, they had not responded to that notice. They could respond tomorrow without ever having lied to you. You would not have grounds to sue.
Just out of curiosity, will your Canadian ISP and your (current) Canadian laws protect you when a rightsholder portrays you as a pedophile instead of a pirate? If they anonymously publish a torrent containing their movie and some hidden CSAM, are you fucked?
That level of paranoia is a waste of energy. I know that what I’m doing works just fine. Why would some Hollywood studio plant CSAM in a torrent? That would implicate them as well. It makes zero sense. They have better things to do than entrap some nobody in a country whose laws don’t favour them seeking any damages. It would cost them far more in legal fees to come after me than to just leave it alone. The notices they send out are entirely automated and exist primarily as a scare tactic.
If you’re willing to be curious and open minded about things beyond your limited perception and experience, rather than be a know-it-all, I’d be happy to share with you an example email that I recieved recently. I think the language they use is quite interesting.
That level of paranoia is a waste of energy.
I know I am paranoid, but am I paranoid enough?
Identifying and evaluating vulnerabilities is a critical component of any security plan. In a good one, any vulnerabilities will be well outside the scope of feasibility.
Why would some Hollywood studio plant CSAM in a torrent?
To cast FUD on piracy in general. To inextricably link “pirate” with “pedophile” in the mind of the general public. To convince the general public to treat copyright infringement as criminal rather than a civil matter.
That would implicate them as well.
They hire or extort someone to initially seed from some third world ISPs, and the swarm takes over from there. It never gets traced back to them.
It would cost them far more in legal fees to come after me than to just leave it alone.
You aren’t the objective, just the means. The purpose is to make piracy a truly objectionable practice in the eyes of the public.
None of this is a likely threat, but is any of it completely outside the realm of feasibility?
None of this is a likely threat, but is any of it completely outside the realm of feasibility?
Yes. It’s well beyond being worth considering. You’re describing a massive conspiracy where hundreds of people from multiple countries’ governments as well as private corporations would all need to work together without any information leakage. All this to entrap some Canadian programmer who tried to torrent season 2 of a TV show aired in 1990. If any of this was worth doing, it would have been done by now, yet we hear of nothing like this ever happening.
I’ve gone my entire adult life downloading copyrighted material without using a VPN and it’s never caused me any problem. My contract with my ISP confers me a level of trust that I’m perfectly comfortable with. I’m familiar with the Canadian law around this stuff, and how it’s been interpreted by the courts in the past. I am under no threat of financial damages being pursued against me. My ISP has no incentive to log my online activity or report it to foreign authorities. And even if they did, the Canadian courts limit the pursuable damages to four figures; barely enough to pay for the lawyer that would file the suit.
If copyright holders want to take action, their complaints will go to the ISP subscriber.
So, that would either be the entity operating the public wifi, or yourself (if your mobile data plan is associated with your name).
If you’re in a country where downloading copyrighted material can have legal consequences (eg, the USA and many EU countries), in my opinion doing it on public wifi can be rather anti-social: if it’s a small business offering you free wifi, you risk causing them actual harm, and if it is a big business with open wifi you could be contributing to them deciding to stop having open wifi in the future.
So, use a VPN, or use wifi provided by a large entity you don’t mind causing potential legal hassles for.
Note that if your name is somehow associated with your use of a wifi network, that can come back to haunt you: for example, at big hotels it is common that each customer gets a unique password; in cases like that your copyright-infringing network activity could potentially be linked to you even months or years later.
Note also that for more serious privacy threat models than copyright enforcement, your other network activities on even a completely open network can also be linked to identify you, but for the copyright case you probably don’t need to worry about that (currently).
When you use a hotspot from your phone the site/peers/whatever sees an IP that your ISP has assigned to you and could share that with authorities etc.
When you use a WiFi they see an IP assigned to the owner of the WiFi.
Security wise its easier for others in the WiFi to try and fuck with your computer since you are on the same LAN.
So it depends on what you fear the most.
most properly configured public wifi will enable client separation, of course that potentially still leaves lower level protocol and radio attacks.
I have no idea what this client separation is.
As far as I know there isn’t really any client separation on wifi. It’s a shared medium.
At least I don’t see anything preventing you from reading someone else traffic. So anything unencrypted on a wifi is also accessible to any other clients.
I had tools more than 10 years ago that could automatically hijack session cookies on wifi for anybody connected and not using https.
no worries.
the net effect of client separation is that your device sees no other layer 2 devices on the wlan besides the gateway. this would typically be enforced at the frame level by the APs and is separate from any radio privacy cryptography.
a properly configured wireless setup would assume every client is compromised and would also disallow local client-client via source routing or proxy ARP or any other escape options. 100% secure? probably not, but its a non trivial barrier that would have to be circumvented.
as with e.g. broken WEP years ago, there are still options to mess with clients at ~Layer 1 but I dont believe its currently as trivial as it used to be.
Do you have any documentation on how this work ? Is there a name to this special protocol? Is it a recent addition to the wifi standard ?
Again a wifi AP doesn’t send data to a specific client. So how does an AP can enforce that one client can’t read a frame for someone else that is properly authenticated? How would an AP prevent someone spoofing mac addresses from receiving that data ?
I’m really confused by this feature I never heard of even when I was playing with aircrack and so on. Yes sometimes your mac address can get filtered but even that is not really difficult to avoid.
Sorry I have so many questions but I honestly did quite some “tinkering” with wifi years ago and none of this sounds familiar.
To add to the other reply, client isolation is about controlling whether an ap, switch, or router willingly sends traffic between clients. Because of that, it doesn’t kick in if you listen to packets over the air before they’ve been received by an AP. For that kind of security you need a wifi specific security measure - which I think “enhanced open” is what you’d be interested in. It allows you to have an open passwordless wifi but it generates temporary encryption keys for each connected client, then the rest is as if it was using WPA, so that you don’t need to enter a password but your traffic gets encrypted and protected from anyone else listening in on the WiFi.
If you combine both then you should have a network where each device is isolated both over the air and from a routing perspective so that each device only sees an Internet connection and no other devices.
Is this similar to vLAN that could be configured in my router but I never bothered since it was overkill for me?
You can achieve a similar thing using vlans - usually by default they’re isolated but you may add specific rules that allow traffic between vlans if it meets certain criteria (specific ports, specific types of traffic, traffic to or from specific hosts, any combination of those). So yeah you can imagine client isolation being like having each client on their own vlan - except without needing a different subnet for each client.
Thanks ! That’s exactly how I think it could be implemented but that confirms that this is certainly not something you can find commonly where I live.
That confirms the fact that if you use the same wifi and everyone has entered the same encryption key then there is no real client isolation…
It’s cool that wifi keeps evolving. It comes a long way from the WEP beginnings.
Client seperation is implemented by the AP. There’s lots of info, it’s called client isolation normally. check this out
Good explanation, a note that most public WiFi will use client separation. Macca’s, starbucks, airplanes etc you will only ever see your device and the gateway. (More for other people that are reading, I assume you know this 😄)
Client separation on WiFi is supposed to force clients to only talk to the AP and prevent them from talking directly to each other. The motivation is to allow the AP to enforce appropriate policies.
The feature may well be as antiquated as WEP now, it’s been years since I looked into how it actually functions.
If you’re using a trusted VPN like Mullvad, it doesn’t matter really.
Short answer: Mobile hot spot (w/ your own cellular device) is preferable to public wifi from a security perspective.
There are other considerations, such as how much cellular data downloads cost to you, what sites you’re visiting, what you’re actually doing, etc. In general, it’s advisable to avoid public wifi if you can, but if you must connect to public wifi, then you should make darn sure you connect to the right network (watch out for imposter networks w/ a legitimate looking name) and use VPN (ideally a paid service) to encrypt your traffic. Even with both of these measures, you’re best off avoiding sensitive activities like online banking on public wifi. If you must do banking or other sensitive stuff, either do it on your phone or wait until you get home.
Hope this helps.
Editing to add: When I initially responded, I’d forgotten which community I was in. In this context, I believe the other responses are better than mine, but I’ll keep mine up in case it helps other readers.
It depends on his threat model and what he’s trying to hide really. Public WiFi is fine, as long as you validate/check the SSL cert it’s using is from your bank and is legitimate. Using public WiFi with a VPN is more secure as long as you trust your VPN provider. If he’s asking these questions, then he’s probably not doing banking though, and should ideally be using VPN+TOR or something similar.
If the thing they are trying to do requires lots of data transfer, somehow, then TOR would not be ideal. Big Data makes TOR a bad experience. For that use case, a VPN alone is mostly enough (except the risks that can mitigated by reading other comments here)
Yeah absolutely if he’s downloading Linux ISOs, just use a VPN and you’ll be fine 99% of the time. TOR if he is doing anything else surrupticiaous. 😬
I have this very same question. Guess I’ll just wait for someone more experienced and knowledgeable to enlighten us here in the comments. Sorry if I’m not much help, have a nice day <3
Edit: I know, I shouldn’t give a shit. But writing a fairly long comment to share my knowledge on this only to see it immediately downvoted without any explanation kind of sucks. So I’m removing this comment and will not interact here anymore.
Use a VPN if you’re in the West/Far East. That’s it