Information Security
tls wifi snooping
Updated Tue, 14 Jun 2022 06:11:47 GMT

Can free Wi-Fi hotspot providers snoop on HTTPS communications?


Every article (and post on this website) I find on public Wi-Fi safety is mostly concerned with other people connected to the same network snooping on our communications. As far as I understand it, were mostly secure as long as were connecting through HTTPS. Mostly because there could be flaws in the encryption software or the bad actor could redirect us to a fake page.

But what about the provider? I sometimes connect to free Wi-Fi hotspots (bus, hospital) that require me to accept an agreement before connecting. Sometimes that agreement says they can monitor my communications.

So, assuming I connect to such a Wi-Fi network and only do HTTPS-related connections, could they:

  1. Snoop on those communications in any way.
    • If not, what can they actually know (I assume just know the host Im connecting to, but not the content of the communication).
  2. Do some trickery like intercepting the HTTPS request, send it to the server as me, get the response and send it back to me.
  3. Other.

Solution

Generally speaking†, one cannot intercept HTTPS communications.

However, a hot-spot provider can do the following:

  1. See the hostnames you want to connect to from your DNS requests
  2. See the IP addresses you connect to
  3. If you type in say http://yourbank.com, hoping for a redirect to https://yourbank.com, the hot-spot owner can intercept that and redirect you or serve you their own content. This is one reason why HSTS exists. If the site uses HSTS or you type in https://yourbank.com or you use a VPN you are fine.

† With the following assumptions:

  1. the site gets a reasonable score on https://www.ssllabs.com/ssltest/
  2. the browser gets a reasonable score on https://www.ssllabs.com/ssltest/viewMyClient.html
  3. the user doesn't override cert warnings

Comments (5)

  • +0 – @SteffenUllrich not if the user types http:// in first — Apr 30, 2016 at 19:01  
  • +0 – Acutally one can. It will be detected by the browser. It then depends on 1) how the browser shows the warning and/or allows bypassing it and 2) user habits regarding annoying warnings when trying to access his website. — Apr 30, 2016 at 19:59  
  • +1 – Regarding your point 1, what if I set up custom DNS servers on my computer (I do, I connect to OpenDNS)? — Apr 30, 2016 at 20:08  
  • +0 – @user137369 you can prevent them from seeing hostnames if you use DNSSEC but they can always see IP addresses. And if they can see IP addresses, they can find the hostname with a reverse lookup. So use VPN if you're concerned about that — Apr 30, 2016 at 20:11  
  • +2 – @Tom yes, you're right, I'm keeping the comment to own my shame — May 02, 2016 at 18:50  

External Links

External links referenced by this document:

References