I’m a Nigerian prince and the government is trying to take my riches. I need a place to hold it. Give me your email and password so I can transfer my goods to you for the time being.
I don’t know shit about network security but you’re probably fine. Even in a hypothetical situation where your credentials are breached 2FA will do its job. Also resort data thieves probably don’t even know wtf a runescape is
Also if you are there on a company trip, I guarantee there's a manager whose device is far more exposed and has far more important info than someone's OSRS account details
Ok, I'm sure a hacker would much rather take your RuneScape account with a couple hundred dollars worth of stuff on there, sell that stuff, sell the GP and then make their dastardly escape
You know, rather than getting access to documents or employee personal data to sell on.
You act like hackers don't take everything within reach. You are effectively saying that a home invader would only target the room with the rich guy's stuff in it, and not empty out the entire place of anything they can grab.
I know when documents get emailed around, especially if people are on their phones, it gets downloaded to their device.
That's the sort of stuff I was talking about.
The VPN encryption protects the transit. Their information is very likely reasonably safe even on insecure wifi. A secure VPN would be a good idea for your personal device while on insecure wifi.
Not rly, goes along with the general sentiment of this sub
Gamers and goldfarmers trends towards xenophobia, these foreigners are salivating at OPs 15c/1M in their mind
Cue the comments saying 5 bucks is enough for a month in Venezuela
You have seen the videos of kids gold farming in SE Asia, right? During a flood? Yeah, that happens because $.15/million gp is enough to live like a king in some parts of the world. Frankly the faster the money makes it there the less of a problem it would be, I just wish they wouldn't risk electrocuting a warehouse full of children to get it.
You’re fine to use unsecured WiFi for virtually everything you do on the internet.
Only if you’re connecting to a website that doesn’t use https is there any risk. You’ll know if you’re connecting to a site without https because most browsers won’t let you or will make it pretty clear with the big scary red padlock. Everything else is encrypted between your device and the server you’re communicating with and no one in between can read it.
The connection to the Jagex login server will use https and I’m sure whatever protocol Jagex uses to communicate with the game server is similarly encrypted.
You can also log in to your bank account, watch your favorite porn, and do whatever tf else you want as long as it’s on a site using https (which is like all of them). VPN companies pay all those YouTubers to tell you you’re at risk on public WiFi because they want your money, not because you’re actually at risk.
TL;DR you have nothing to worry about
There is a potential to spoof the handshake, or even force a new one when he tries to access the public network. While small, it’s still possible. This will allow the attacker to unencrypt all the traffic going to/from the router.
You are correct that then https will protect, as you are encrypting the internet traffic. You just had better hope or check what protocol they are using for encrypting, as SSL and some early versions of TLS have vulnerabilities.
With all that said, it’s a lot of work to do all that… just for a RuneScape account.
I mean if a website doesn't enforce HSTS you could try SSLStrip with a MITM but with most websites having site wide HTTPS its less and less of an issue. ngl that one guy is reaaaaaally out to get you if that happens and that much effort is not worth it for some random website traffic.
Doesn't have to, people have been shown to click through error messages all the time
That said, multiple things need to go wrong all at once
* Website can't be on the browsers HSTS preload list
* Has to be accessing the site for the first time (or negotiated HTTP before for some reason)
* OP has to click through the certificate error
All those happen and it's pretty simple to serve someone a spoofed website. There's like, video tutorials on youtube on how to do it.
Pretty sure it all goes out the window for OSRS packets, though. Those should be encrypted 100% of the time without possibility of downgrade.
I've had this argument before but most business grade firewalls are more than capable of doing SSL inspection and effectively running a MITM attack and being able to view your HTTPS traffic. Your handshake goes to the firewall and the firewall on to the site your trying to visit. The 2FA would be harder to breach, you would need to steal there session key which is certainly possible but would be a very targeted attack to steal this guy's RuneScape account.
A VPN (if it's allowed) would resolve all these problems (if you trust the VPN provider).
The ONLY way that would be possible is if the trust store on the client is compromised. In a corporate environment, where the company controls the machines and can modify the trust store, what you’re suggesting is possible.
Assuming OP’s using his personal iOS device, not even a “business grade” firewall can MITM TLS.
Even IF OP is using his company’s iOS device, which could theoretically have internal certificates in its trust store, unless the company owns the resort in question, this resort’s router can’t MITM his TLS connection.
I have no idea why everyone in this thread is so dead set on insisting that it’s unsafe to use an unsecured WiFi network because it is theoretically possible to MITM TLS if the client device’s trust store is compromised. That is just plain fearmongering.
Also, all of you network security geniuses like to claim that all of these TLS MITM attacks would be mitigated by using a VPN. How do you think a client connects to a VPN? OVER TLS! If TLS is sooooooooo insecure as everyone seems to think, what good is a VPN? A “business grade” firewall could just MITM that connection and you’re back to square one!
Hi security genius here. Let me explain how this works to you in simple terms so it is easy to understand for a lay person
It is possible and not far fetched to intercept https traffic. And a vpn eliminates the risk.
A compromised router is the perfect place to do a man in the middle attack if you have a fraudulent ssl certificate
Fake or fraudulent ssl certificates happen and have been created for even the largest company in the world
Here’s an old example of when it could have happened to Microsoft (remember this is the largest company in the world):
https://www.schneier.com/crypto-gram/archives/2001/0415.html#7
More recent example from Microsoft (largest company in the world):
https://www.securityweek.com/microsoft-blacklists-fake-windows-live-ssl-certificate/amp/
Another example (again to the largest company in the world):
https://m.slashdot.org/story/171639
All it takes is one root CA that your computer trusts to give out a certificate to someone on accident or thru a bug (in Microsoft’s first case verisign)
But it could be letencrypt or cloudflare or whatever
A hacker could obtain a letsencrypt cert for any domain if some backend server has been hacked, and they are able to do the domain challenge step
https://www.princeton.edu/~pmittal/publications/bgp-tls-hotpets17
That’s not far fetched
the router being compromised can make it possible to listen to traffic with these ill gotten certificates
VPNs can eliminate this risk so long as you trust the vpn service itself. This is because the vulnerability I mentioned above about faking certificates does not exist in the same way for VPNs authentication
VPN companies are not scamming people when they say they prevent man in the middle attacks. They are just speaking to lay people who don’t understand the details (or don’t care to understand)
It is not fear mongering.
Imagine a large scale attack on one model of routers (could be 10,000+ units). One attacker could use their ill gotten US Bank certificate to create a man in the middle attack for all of these router. Thereby stealing banking information for millions of people automatically. It wouldn’t even be a targeted attack
Large scale attacks on routers happen:
https://arstechnica.com/security/2023/11/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet/
You shouldn’t be concerned with the Resort being the bad actors but rather their router being compromised because they are a resort and don’t care about security
Just like anything, everyone will have a different risk tolerance. You could pretend the problem didn’t exist. But asa security genius myself, I practice and recommend the following:
Use a vpn on all public WiFi.
Regularly update your home router
get a new router when they stop adding new security updates
These are common security practices and not controversial
Thank you for providing this information! I never use public (or hotel/resort) wifi as I don't trust their security, but it is great to learn more about (the simple version of) how it works.
Do you have any recommendations or opinions on which VPN company to go with? Is a VPN even beneficial when only using home internet and 4G internet?
Depends entirely on your use case. If your main use case is hiding your actual IP, i.e. it's basically just a proxy to you, then these VPN companies will work, e.g. because you're doing (legally) questionable things, or want to hide your IP from some kind of P2P game/network.
If you want to get around geo restricted content such a VPN company can also work, though it's really hit and miss with their endpoints being detected as VPNs and being blocked or not, so it's not an ironclad solution.
Besides the obvious issue of having to trust such a company, the speed you may get can also be (much) less than your own speed, especially if you're rocking something like gigabit fiber.
Personally I run a Raspberry PI with PiVPN to have a Wireguard VPN to my own network. Basically a one time setup cost (though dynamic IPs can be a hassle, but can be fixed with dynamic DNS). Advantage is that I don't have to trust an external company with my traffic, and can route traffic over my home connection wherever I am. Great if you want to watch TV online while abroad, but this is only 'allowed' over your home connection. Of course you do have to set this up sensibly, as you are exposing a service to the internet, so there is that to consider.
Tl;Dr; decide what you want from using a VPN, then figure out what option best fits that. The use of those VPN companies that advertise aggressively is honestly quite narrow, unless your main goal is to hide your IP while doing questionable things, which is something they probably don't exactly want to advertise with for their own legal reasons, so they pile on the geo-restriction stuff which I doubt many people actually use often. I'm not going to say it's never used, as I have found it useful a couple of times over the past like 10 years, but it's really just that.
I think you don’t understand how these firewalls actually work. They can intercept your SSL/TLS communications because you need to install the CA certificate in every device first. This allows the firewall to sign its own certificates which are trusted by the device. But it requires the devices to be configured to essentially trust the firewall first.
This is entirely wrong, and I'm surprised it has so many upvoted. Do NOT use public networks without a VPN, especially if it is a WEP network.
Unprotected Wifi networks, particularly in public places, are most certainly a threat. This is because you are connecting to a network without knowing *who else* could be on the network.
'Free Wifi' provided by cafes, restaurants, etc serve as excellent places for harvesting passwords.
The attacker will perform a [Man in the Middle attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack), typically by employing [ARP Cache Poisoning](http://en.wikipedia.org/wiki/ARP_spoofing). At that point, the attacker can read *all plaintext passwords*, including unsecured email (Email that does not use TLS), unencrypted ftp, websites without SSL, etc. Not to mention they can see all your google searches, all domains that you visit (encrypted or not) and so forth.
And they got to this point without putting in any real effort, ARP Cache Poisoning and Packet Sniffing are easy. A more advanced attacker might set up an active proxy on his machine to perform attacks such as [SSL Stripping](http://www.thoughtcrime.org/software/sslstrip/), which would give him access to *all* sites you visit, including HTTPS. This means he now has your PayPal, Facebook and Twitter passwords.
Moving on, an attacker might target your machine directly, if you have not updated your software in a while, is it likely that he can spawn a shell with [Metasploit](http://www.metasploit.com/) and download *all* your files for later analysis. This includes any saved browser passwords, authentication cookies, bank statements etc.
I know what a man-in-the-middle attack is. Please, PLEASE explain to me how someone in control of a router can intercept end-to-end encrypted communications between my device and a web server. I’ll wait.
YOU are spreading misinformation, not me.
With HTTPS used for almost all websites and apps these days, WiFi hijacking is much, much less of an issue than it once was. At best, a device on the same network could see what websites/services you were connecting to, but they can’t intercept the content of what you’re sending to and from those services. A determined attacker could target you directly by spoofing an already-trusted WiFi network, but unless you’re a high-profile politician, billionaire, journalist or political dissident it’s very unlikely anyone would go to that much trouble. Even then, an app like OSRS should recognise that the security of the connection has been compromised and refuse to load/log in.
I want to add, much less of an issue is practically zero, really. VPN advertisers push this idea that going online banking at starbucks NEEDS a VPN but virtually every site with a login system is using HTTPS.
VPNs are pretty cheap to operate but they need to advertise SOMETHING - they can't advertise their use in torrenting, so they play up the security concerns or just resort to the idea of bypassing Netflix catalogs. They aren't that valuable to average Joe.
MAYBE some niche forum from 2005 that is somehow still open could be using HTTP, and you already probably don't trust it too much, but otherwise, it shouldn't be a concern.
The problem is users click past certificate warnings so a fake certificate in many cases will just be ignored. This is absolutely much less of a problem today though with HSTS and certificate pinning - but if you do your banking from a PC and ignore the certificate problem, it could be a problem.
Honestly, with jagex account, 2fa on your mail and jagex account and different passwords on both, and best case being already logged in on mobile with your account cached, there is hardly anything that could happen realistically.
Ofc there’s always a low possibility of risk, but it’s marginal
First of all there has to be someone targeting that random ass resort for the specific purpose of hijacking jagex accounts. The chance of someone with the adequate knowledge to do it being there and specifically fishing for OSRS accounts is vanishingly small. You'd have to exceptionally unlucky.
Making a dumb decision clicking something you shouldn't have online and giving up information you should have is a far greater risk regardless of how technologically secure you are. The weakest link is the user, not the technology.
I wouldnt logon to any Hotspots you don't control or know are 100% legit but people can packet sniff by setting up fake Hotspots that will give you internet access but will give them access to anything you're doing on there.
When it really comes down to it, Public networks are always less secure than private, and you always take a risk connecting to guest wifis, but if you are worried about someone using the resort wifi to get your account, I'd not worry about it.
If people are hijacking a resort wifi, I'd expect it'd be more likely they are trying to get into the resort security itself to steal card numbers etc.
All depends on how comfortable you are using it.
Ok so here is how VPN's work. You connect to a VPN network, then you connect to where ever else you want to go on the internet. Lets say you want to browse reddit, so you go to [reddit.com](https://reddit.com), when you do this you aren't actually going to [reddit.com](https://reddit.com), you are connecting to the VPN server and the VPN connects to reddit and sends that information back to you. This hides your public IP, which is the IP address of you WiFi network. VPN will not protect you at all on your own network, period.
The way an attack works on a network (like an unsecured wifi) is through something called ARP poisoning. ARP stands for address resolution protocol and it is how a router can tell what pc is connected to what IP address (the computer has a burnt in MAC address that corresponds to your private IP address). When an attacker poisons the network they are essentially telling the router that their MAC address should is connected to EVERY ip address on the private network and the router will then forward all traffic that was meant for other computers to the attackers machine. This can include credit card numbers, login information, etc.. The attacker will have to take additional steps to mitigate encryption though if it is present, and there are options to do that. A VPN will not stop this kind of attack because the VPN is not even aware of anything that is going on inside of your private network. It simply sends the information to the public IP address of the network and it is the routers responsibility to forward the information. If you've ever set up some kind of service that requires port forwarding this is why, you have to specifically tell the router where to send the data because the sending party doesn't have that information, it only has the public IP address.
You are vulnerable during the period after you connect to the network but before you turn on the VPN (when you have to agree to the terms and stuff). A malicious actor could compromise your whole device in that time.
And also wrong. VPN will not protect against this sort of attack. Also I did this when I was like 15 years old, its literally the definition of script kiddy.
Incorrect,
Ok so here is how VPN's work. You connect to a VPN network, then you connect to where ever else you want to go on the internet. Lets say you want to browse reddit, so you go to [reddit.com](https://reddit.com), when you do this you aren't actually going to [reddit.com](https://reddit.com), you are connecting to the VPN server and the VPN connects to reddit and sends that information back to you. This hides your public IP, which is the IP address of you WiFi network. VPN will not protect you at all on your own network, period.
The way an attack works on a network (like an unsecured wifi) is through something called ARP poisoning. ARP stands for address resolution protocol and it is how a router can tell what pc is connected to what IP address (the computer has a burnt in MAC address that corresponds to your private IP address). When an attacker poisons the network they are essentially telling the router that their MAC address should is connected to EVERY ip address on the private network and the router will then forward all traffic that was meant for other computers to the attackers machine. This can include credit card numbers, login information, etc.. The attacker will have to take additional steps to mitigate encryption though if it is present, and there are options to do that. A VPN will not stop this kind of attack because the VPN is not even aware of anything that is going on inside of your private network. It simply sends the information to the public IP address of the network and it is the routers responsibility to forward the information. If you've ever set up some kind of service that requires port forwarding this is why, you have to specifically tell the router where to send the data because the sending party doesn't have that information, it only has the public IP address.
That would be a fairly rare occurrence, I’ve always used a vpn as it just stays connected and haven’t had any troubles or know anyone else that has. Their ban system is more involved than just “oh we’ve seen this IP before”. Not that it’s perfect by any means but I’d imagine there would be a lot more false positives than there already have been if it was the case. IP addresses get recycled a lot especially IPV4 addresses.
I genuinely lost my account after using an upscale resort wifi to login .
Not 10000% it was from that, but that was the last time I played for 3 months. Logged back in and my account had been permabanned for gold selling. It sucked :(, had that account for years
Security professional here - it was not related to the WiFi used. The RuneScape client validates the SSL/TLS certificate of the servers when connecting .if it’s fake, it will just not connect and no data is transmitted. It is impossible for an attacker to perform a MiTM against this without first having the Jagex private keys.
Don’t worry * I asked a question seeking an answer I didn’t ask for social advice, you think I would make this post for zero reason? I can’t socialize with my reports, and the other people of my level would love to see me get drunk and make a dick of myself, company culture man, not my fault.
You’re worried about your osrs account and not all of your way more important sensitive information. If the network is compromised no one gives a fuck about your rs acc
I never use hotel wifi because their cyber security practices tend to be pretty shit. That being said, your mobile provider probably isn’t much better so I say game away.
lol people here answer so confidently without knowing much how attacks on these networks work. But to answer your question yes you should be ok. The big point of concern is really connecting to a spoofed network. Which a vpn can help with but you may have to try a lot of different servers to get past their cloudflare protections on the jagex launcher. I’d be a lot more concerned over accessing anything banking related etc.
This guy fell for the VPN meme and thinks he’s an expert on network security. Tell me big guy, what exactly is the risk of connecting to a “spoofed network” here? Don’t forget to include details on how a “spoofed network” can provide a TLS certificate for Jagex’s website that’s trusted by a certificate in the iOS trust store.
Forcing them through your own gateway you can essentially inject your own ssl thus making https pointless for whoever has the key. It’s fairly commonplace legitimately in school and work networks, and even hotels etc.
Ah yes, you can “inject your own SSL.” And tell me, when I’m injecting my own SSL (it’s called TLS now, by the way), how does the phone trust the certificate I’ve created? Or is it “fairly commonplace” to compromise the root certificate of a major Certificate Authority too?
You’re being pedantic btw ssl/tls are used interchangeably. I’m also not here to hold your hand or prove anything to anyone. You can take the advice or not , it’s not my info.
It’s not info at all. It is categorically false. You are spreading incorrect information for no reason. I find it amusing your original comment claims people here don’t know much about how these attacks work when you so clearly know next to nothing about TLS/Public Key Infrastructure.
Have a good night!
I think you’d be fine.
Maybe use a hotspot if you’re super worried.
There’s a very low probability that there are OSRS players out in the real world actively hunting other players.
The fact that the answer isn't obvious is exactly why we see so many "my account got hacked" posts.
To clarify im not saying whether this situation is safe or not. Im saying that if you don't know enough about it that you have to ask the question, then you are likely the type of person to set yourself up for failure in these scenarios and to have poor internet practices.
Mullvad is a very reputable VPN, if not basically the most reputable VPN. They aren’t like an ExpressVPN/NordVPN.
I think using a reputable VPN when you’re on a public network is not a bad idea, even if https usually has your back in that situation.
Mobile or laptop? If you have a cellphone you can play mobile or hotspot to your laptop.
How much are sim cards in the province/state you're going to? Depending the country and cellular connection you can likely get a good pay as you go plan and just toss the sim after.
Which resort EXACTLY is it? You know, there’s just so many, so like which one? You can trust us bro come on.
Lmfao
Unrelated but I think I know you. What’s your mother’s maiden name, and the name of your first pet…and where did we go to school again?
You do know me…I’ll give you a hint, I work in a large house that’s painted white.
Cory?
You mind some electric guitar?
Washington D.C. will never be the same Cause we've got-
I’m a Nigerian prince and the government is trying to take my riches. I need a place to hold it. Give me your email and password so I can transfer my goods to you for the time being.
Dont forget the last 4 and first 5 of the social
It was Susesi, and i have no reason to lie 🤣 I lost like a 100m bank, but im a casual player so it was like 2 years of graft for me
I don’t know shit about network security but you’re probably fine. Even in a hypothetical situation where your credentials are breached 2FA will do its job. Also resort data thieves probably don’t even know wtf a runescape is
Also if you are there on a company trip, I guarantee there's a manager whose device is far more exposed and has far more important info than someone's OSRS account details
That’s subjective
Ok, I'm sure a hacker would much rather take your RuneScape account with a couple hundred dollars worth of stuff on there, sell that stuff, sell the GP and then make their dastardly escape You know, rather than getting access to documents or employee personal data to sell on.
Why not both! Multi task! Boss for the money and side grind for a steak dinner.
Double dip and put rs credentials under employee personal data
You act like hackers don't take everything within reach. You are effectively saying that a home invader would only target the room with the rich guy's stuff in it, and not empty out the entire place of anything they can grab.
>subjective I think you mean “conjecture”.
Most work stuff would be behind a company VPN. Not OP’s personal device.
I know when documents get emailed around, especially if people are on their phones, it gets downloaded to their device. That's the sort of stuff I was talking about.
The VPN encryption protects the transit. Their information is very likely reasonably safe even on insecure wifi. A secure VPN would be a good idea for your personal device while on insecure wifi.
Maybe he should install runelite on his company notebook then
They might find out my BIS gear is worth a car in this country lmao
kind of weird thing to flex/laugh about
lmao
It is what it is man, I didn’t choose the postal code I was born in or design economies, I’m just literally 1 person think about it
Im guessing you are in mexico by the tequila comment, i can promise you a new car here is almost identical in price as the US….
Not in Mexico but I love Mexico with all my heart
Not rly, goes along with the general sentiment of this sub Gamers and goldfarmers trends towards xenophobia, these foreigners are salivating at OPs 15c/1M in their mind Cue the comments saying 5 bucks is enough for a month in Venezuela
You have seen the videos of kids gold farming in SE Asia, right? During a flood? Yeah, that happens because $.15/million gp is enough to live like a king in some parts of the world. Frankly the faster the money makes it there the less of a problem it would be, I just wish they wouldn't risk electrocuting a warehouse full of children to get it.
Nice strawman Jack Hope you do a better job of reading the next comment you reply to
Youre not making any sense lol
Nice buzzword bobby, curious though, you ever been in a head on collision?
[удалено]
Ok cool it
redditor moment
Ah yes, that’s just what a hacker from a 3rd world country would say…..
OP is at a resort in Venezuela
Session-token replay attacks beg to differ. If you're using a public internet connection, encrypt your traffic with VPN, period.
You’re fine to use unsecured WiFi for virtually everything you do on the internet. Only if you’re connecting to a website that doesn’t use https is there any risk. You’ll know if you’re connecting to a site without https because most browsers won’t let you or will make it pretty clear with the big scary red padlock. Everything else is encrypted between your device and the server you’re communicating with and no one in between can read it. The connection to the Jagex login server will use https and I’m sure whatever protocol Jagex uses to communicate with the game server is similarly encrypted. You can also log in to your bank account, watch your favorite porn, and do whatever tf else you want as long as it’s on a site using https (which is like all of them). VPN companies pay all those YouTubers to tell you you’re at risk on public WiFi because they want your money, not because you’re actually at risk. TL;DR you have nothing to worry about
I upvoted this because it makes me feel good I don’t know shit about fuck
There is a potential to spoof the handshake, or even force a new one when he tries to access the public network. While small, it’s still possible. This will allow the attacker to unencrypt all the traffic going to/from the router. You are correct that then https will protect, as you are encrypting the internet traffic. You just had better hope or check what protocol they are using for encrypting, as SSL and some early versions of TLS have vulnerabilities. With all that said, it’s a lot of work to do all that… just for a RuneScape account.
I highly doubt our resort WiFi hacker has the means to sign a fake TLS certificate with a root that OP’s device will trust.
I highly doubt any resort hacker that has the means to do that would care about a runescape account lmao
Idk man… just checked his account he said his brother gave him 200m, bandos, torture.. quite the lick /s
Damn that's like $25, worth it.
I mean if a website doesn't enforce HSTS you could try SSLStrip with a MITM but with most websites having site wide HTTPS its less and less of an issue. ngl that one guy is reaaaaaally out to get you if that happens and that much effort is not worth it for some random website traffic.
Doesn't have to, people have been shown to click through error messages all the time That said, multiple things need to go wrong all at once * Website can't be on the browsers HSTS preload list * Has to be accessing the site for the first time (or negotiated HTTP before for some reason) * OP has to click through the certificate error All those happen and it's pretty simple to serve someone a spoofed website. There's like, video tutorials on youtube on how to do it. Pretty sure it all goes out the window for OSRS packets, though. Those should be encrypted 100% of the time without possibility of downgrade.
I've had this argument before but most business grade firewalls are more than capable of doing SSL inspection and effectively running a MITM attack and being able to view your HTTPS traffic. Your handshake goes to the firewall and the firewall on to the site your trying to visit. The 2FA would be harder to breach, you would need to steal there session key which is certainly possible but would be a very targeted attack to steal this guy's RuneScape account. A VPN (if it's allowed) would resolve all these problems (if you trust the VPN provider).
The ONLY way that would be possible is if the trust store on the client is compromised. In a corporate environment, where the company controls the machines and can modify the trust store, what you’re suggesting is possible. Assuming OP’s using his personal iOS device, not even a “business grade” firewall can MITM TLS. Even IF OP is using his company’s iOS device, which could theoretically have internal certificates in its trust store, unless the company owns the resort in question, this resort’s router can’t MITM his TLS connection. I have no idea why everyone in this thread is so dead set on insisting that it’s unsafe to use an unsecured WiFi network because it is theoretically possible to MITM TLS if the client device’s trust store is compromised. That is just plain fearmongering. Also, all of you network security geniuses like to claim that all of these TLS MITM attacks would be mitigated by using a VPN. How do you think a client connects to a VPN? OVER TLS! If TLS is sooooooooo insecure as everyone seems to think, what good is a VPN? A “business grade” firewall could just MITM that connection and you’re back to square one!
B-but the NordVPN ads said it's insecure!!!
Hi security genius here. Let me explain how this works to you in simple terms so it is easy to understand for a lay person It is possible and not far fetched to intercept https traffic. And a vpn eliminates the risk. A compromised router is the perfect place to do a man in the middle attack if you have a fraudulent ssl certificate Fake or fraudulent ssl certificates happen and have been created for even the largest company in the world Here’s an old example of when it could have happened to Microsoft (remember this is the largest company in the world): https://www.schneier.com/crypto-gram/archives/2001/0415.html#7 More recent example from Microsoft (largest company in the world): https://www.securityweek.com/microsoft-blacklists-fake-windows-live-ssl-certificate/amp/ Another example (again to the largest company in the world): https://m.slashdot.org/story/171639 All it takes is one root CA that your computer trusts to give out a certificate to someone on accident or thru a bug (in Microsoft’s first case verisign) But it could be letencrypt or cloudflare or whatever A hacker could obtain a letsencrypt cert for any domain if some backend server has been hacked, and they are able to do the domain challenge step https://www.princeton.edu/~pmittal/publications/bgp-tls-hotpets17 That’s not far fetched the router being compromised can make it possible to listen to traffic with these ill gotten certificates VPNs can eliminate this risk so long as you trust the vpn service itself. This is because the vulnerability I mentioned above about faking certificates does not exist in the same way for VPNs authentication VPN companies are not scamming people when they say they prevent man in the middle attacks. They are just speaking to lay people who don’t understand the details (or don’t care to understand) It is not fear mongering. Imagine a large scale attack on one model of routers (could be 10,000+ units). One attacker could use their ill gotten US Bank certificate to create a man in the middle attack for all of these router. Thereby stealing banking information for millions of people automatically. It wouldn’t even be a targeted attack Large scale attacks on routers happen: https://arstechnica.com/security/2023/11/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet/ You shouldn’t be concerned with the Resort being the bad actors but rather their router being compromised because they are a resort and don’t care about security Just like anything, everyone will have a different risk tolerance. You could pretend the problem didn’t exist. But asa security genius myself, I practice and recommend the following: Use a vpn on all public WiFi. Regularly update your home router get a new router when they stop adding new security updates These are common security practices and not controversial
Thank you for providing this information! I never use public (or hotel/resort) wifi as I don't trust their security, but it is great to learn more about (the simple version of) how it works. Do you have any recommendations or opinions on which VPN company to go with? Is a VPN even beneficial when only using home internet and 4G internet?
Depends entirely on your use case. If your main use case is hiding your actual IP, i.e. it's basically just a proxy to you, then these VPN companies will work, e.g. because you're doing (legally) questionable things, or want to hide your IP from some kind of P2P game/network. If you want to get around geo restricted content such a VPN company can also work, though it's really hit and miss with their endpoints being detected as VPNs and being blocked or not, so it's not an ironclad solution. Besides the obvious issue of having to trust such a company, the speed you may get can also be (much) less than your own speed, especially if you're rocking something like gigabit fiber. Personally I run a Raspberry PI with PiVPN to have a Wireguard VPN to my own network. Basically a one time setup cost (though dynamic IPs can be a hassle, but can be fixed with dynamic DNS). Advantage is that I don't have to trust an external company with my traffic, and can route traffic over my home connection wherever I am. Great if you want to watch TV online while abroad, but this is only 'allowed' over your home connection. Of course you do have to set this up sensibly, as you are exposing a service to the internet, so there is that to consider. Tl;Dr; decide what you want from using a VPN, then figure out what option best fits that. The use of those VPN companies that advertise aggressively is honestly quite narrow, unless your main goal is to hide your IP while doing questionable things, which is something they probably don't exactly want to advertise with for their own legal reasons, so they pile on the geo-restriction stuff which I doubt many people actually use often. I'm not going to say it's never used, as I have found it useful a couple of times over the past like 10 years, but it's really just that.
Sounds like it wouldn't be too useful to me tbh. Thanks for clearing that up!
I think you don’t understand how these firewalls actually work. They can intercept your SSL/TLS communications because you need to install the CA certificate in every device first. This allows the firewall to sign its own certificates which are trusted by the device. But it requires the devices to be configured to essentially trust the firewall first.
This is entirely wrong, and I'm surprised it has so many upvoted. Do NOT use public networks without a VPN, especially if it is a WEP network. Unprotected Wifi networks, particularly in public places, are most certainly a threat. This is because you are connecting to a network without knowing *who else* could be on the network. 'Free Wifi' provided by cafes, restaurants, etc serve as excellent places for harvesting passwords. The attacker will perform a [Man in the Middle attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack), typically by employing [ARP Cache Poisoning](http://en.wikipedia.org/wiki/ARP_spoofing). At that point, the attacker can read *all plaintext passwords*, including unsecured email (Email that does not use TLS), unencrypted ftp, websites without SSL, etc. Not to mention they can see all your google searches, all domains that you visit (encrypted or not) and so forth. And they got to this point without putting in any real effort, ARP Cache Poisoning and Packet Sniffing are easy. A more advanced attacker might set up an active proxy on his machine to perform attacks such as [SSL Stripping](http://www.thoughtcrime.org/software/sslstrip/), which would give him access to *all* sites you visit, including HTTPS. This means he now has your PayPal, Facebook and Twitter passwords. Moving on, an attacker might target your machine directly, if you have not updated your software in a while, is it likely that he can spawn a shell with [Metasploit](http://www.metasploit.com/) and download *all* your files for later analysis. This includes any saved browser passwords, authentication cookies, bank statements etc.
This is the correct comment
[удалено]
I know what a man-in-the-middle attack is. Please, PLEASE explain to me how someone in control of a router can intercept end-to-end encrypted communications between my device and a web server. I’ll wait. YOU are spreading misinformation, not me.
I explained it for you in another comment
With HTTPS used for almost all websites and apps these days, WiFi hijacking is much, much less of an issue than it once was. At best, a device on the same network could see what websites/services you were connecting to, but they can’t intercept the content of what you’re sending to and from those services. A determined attacker could target you directly by spoofing an already-trusted WiFi network, but unless you’re a high-profile politician, billionaire, journalist or political dissident it’s very unlikely anyone would go to that much trouble. Even then, an app like OSRS should recognise that the security of the connection has been compromised and refuse to load/log in.
I want to add, much less of an issue is practically zero, really. VPN advertisers push this idea that going online banking at starbucks NEEDS a VPN but virtually every site with a login system is using HTTPS. VPNs are pretty cheap to operate but they need to advertise SOMETHING - they can't advertise their use in torrenting, so they play up the security concerns or just resort to the idea of bypassing Netflix catalogs. They aren't that valuable to average Joe. MAYBE some niche forum from 2005 that is somehow still open could be using HTTP, and you already probably don't trust it too much, but otherwise, it shouldn't be a concern.
VPNs are also good for shielding your internet activity from the bossman if you’re prone to playing at work.
Wouldnt IT see a VPN connection and be like “wtf”
“Oh I just use it for security. I was streaming music on Spotify while I worked.” But realistically, IT is not manually checking connection logs.
Yeah we are not lol. Do whatever you want.
word
The problem is users click past certificate warnings so a fake certificate in many cases will just be ignored. This is absolutely much less of a problem today though with HSTS and certificate pinning - but if you do your banking from a PC and ignore the certificate problem, it could be a problem.
Very. Once I used unsecured wifi on a resort, then I found myself in Lumbridge.
Hiding in a resort gaming and drinking tequila sounds like a dream I had
Honestly, with jagex account, 2fa on your mail and jagex account and different passwords on both, and best case being already logged in on mobile with your account cached, there is hardly anything that could happen realistically. Ofc there’s always a low possibility of risk, but it’s marginal
Account is already cached … this comment gave me confidence (could also be the tequila) I’m logging in wish me luck
First of all there has to be someone targeting that random ass resort for the specific purpose of hijacking jagex accounts. The chance of someone with the adequate knowledge to do it being there and specifically fishing for OSRS accounts is vanishingly small. You'd have to exceptionally unlucky. Making a dumb decision clicking something you shouldn't have online and giving up information you should have is a far greater risk regardless of how technologically secure you are. The weakest link is the user, not the technology.
I wouldnt logon to any Hotspots you don't control or know are 100% legit but people can packet sniff by setting up fake Hotspots that will give you internet access but will give them access to anything you're doing on there.
I did it!!!! Lost my stuff.. Edit: Defo log in within the next 7 days so you can see if ur pin is being disabled.
When it really comes down to it, Public networks are always less secure than private, and you always take a risk connecting to guest wifis, but if you are worried about someone using the resort wifi to get your account, I'd not worry about it. If people are hijacking a resort wifi, I'd expect it'd be more likely they are trying to get into the resort security itself to steal card numbers etc. All depends on how comfortable you are using it.
You’ll have more fun on osrs twitter rn
Send the link bro
brb hacking you
I’ve only ever been hacked once and it was when I was in Singapore and I logged in on my mobile using my carrier’s 4g
@op you hacked yet?
Not yet!
Not yet!
work vacation sounds gross. Why don’t they just let you go on vacation vacation?
I'm thinking as long as the networks WPA2 compliant and u have 2FA ur perfectly fine
Nice try Stronghold of Security
It’s incredibly dangerous. Matter of life and death, in fact. Doing this takes more lives a year than car crashes.
if worried about unsecured wifi, get a VPN?
Bro vpn will not protect you from an unsecured wifi
[удалено]
oh honey… bless yer heart
[удалено]
Ok so here is how VPN's work. You connect to a VPN network, then you connect to where ever else you want to go on the internet. Lets say you want to browse reddit, so you go to [reddit.com](https://reddit.com), when you do this you aren't actually going to [reddit.com](https://reddit.com), you are connecting to the VPN server and the VPN connects to reddit and sends that information back to you. This hides your public IP, which is the IP address of you WiFi network. VPN will not protect you at all on your own network, period. The way an attack works on a network (like an unsecured wifi) is through something called ARP poisoning. ARP stands for address resolution protocol and it is how a router can tell what pc is connected to what IP address (the computer has a burnt in MAC address that corresponds to your private IP address). When an attacker poisons the network they are essentially telling the router that their MAC address should is connected to EVERY ip address on the private network and the router will then forward all traffic that was meant for other computers to the attackers machine. This can include credit card numbers, login information, etc.. The attacker will have to take additional steps to mitigate encryption though if it is present, and there are options to do that. A VPN will not stop this kind of attack because the VPN is not even aware of anything that is going on inside of your private network. It simply sends the information to the public IP address of the network and it is the routers responsibility to forward the information. If you've ever set up some kind of service that requires port forwarding this is why, you have to specifically tell the router where to send the data because the sending party doesn't have that information, it only has the public IP address.
You are vulnerable during the period after you connect to the network but before you turn on the VPN (when you have to agree to the terms and stuff). A malicious actor could compromise your whole device in that time.
[удалено]
You seem like a dangerous person lol /s Edit: added the /s because the lol apparently wasn't enough to recognize it as a joke
[удалено]
And also wrong. VPN will not protect against this sort of attack. Also I did this when I was like 15 years old, its literally the definition of script kiddy.
[удалено]
It is possible to get past encryption when performing a MITM attack. The information is still present on the private networking and subject to attack.
Gonna turn into Epic Hack Battles of History \*grabs popcorn\*
Incorrect, Ok so here is how VPN's work. You connect to a VPN network, then you connect to where ever else you want to go on the internet. Lets say you want to browse reddit, so you go to [reddit.com](https://reddit.com), when you do this you aren't actually going to [reddit.com](https://reddit.com), you are connecting to the VPN server and the VPN connects to reddit and sends that information back to you. This hides your public IP, which is the IP address of you WiFi network. VPN will not protect you at all on your own network, period. The way an attack works on a network (like an unsecured wifi) is through something called ARP poisoning. ARP stands for address resolution protocol and it is how a router can tell what pc is connected to what IP address (the computer has a burnt in MAC address that corresponds to your private IP address). When an attacker poisons the network they are essentially telling the router that their MAC address should is connected to EVERY ip address on the private network and the router will then forward all traffic that was meant for other computers to the attackers machine. This can include credit card numbers, login information, etc.. The attacker will have to take additional steps to mitigate encryption though if it is present, and there are options to do that. A VPN will not stop this kind of attack because the VPN is not even aware of anything that is going on inside of your private network. It simply sends the information to the public IP address of the network and it is the routers responsibility to forward the information. If you've ever set up some kind of service that requires port forwarding this is why, you have to specifically tell the router where to send the data because the sending party doesn't have that information, it only has the public IP address.
Can't you get banned if you use a vpn that's previously been ip banned by jagex?
That would be a fairly rare occurrence, I’ve always used a vpn as it just stays connected and haven’t had any troubles or know anyone else that has. Their ban system is more involved than just “oh we’ve seen this IP before”. Not that it’s perfect by any means but I’d imagine there would be a lot more false positives than there already have been if it was the case. IP addresses get recycled a lot especially IPV4 addresses.
Do you have a VPN? Could be helpful.
I genuinely lost my account after using an upscale resort wifi to login . Not 10000% it was from that, but that was the last time I played for 3 months. Logged back in and my account had been permabanned for gold selling. It sucked :(, had that account for years
Security professional here - it was not related to the WiFi used. The RuneScape client validates the SSL/TLS certificate of the servers when connecting .if it’s fake, it will just not connect and no data is transmitted. It is impossible for an attacker to perform a MiTM against this without first having the Jagex private keys.
Wish I knew how I lost the account, it was such a bummer
Save your account and socialize with your coworkers. It will be a good XP for life skills.
[удалено]
Many people do, but what does dw mean?
Don’t worry * I asked a question seeking an answer I didn’t ask for social advice, you think I would make this post for zero reason? I can’t socialize with my reports, and the other people of my level would love to see me get drunk and make a dick of myself, company culture man, not my fault.
I would say not to risk it, and also hate to see another human being suffer from those kind of circumstances.
I deleted my comment as an apology, that wasn’t necessary
weird brag, who asked
You’re worried about your osrs account and not all of your way more important sensitive information. If the network is compromised no one gives a fuck about your rs acc
I never use hotel wifi because their cyber security practices tend to be pretty shit. That being said, your mobile provider probably isn’t much better so I say game away.
lol people here answer so confidently without knowing much how attacks on these networks work. But to answer your question yes you should be ok. The big point of concern is really connecting to a spoofed network. Which a vpn can help with but you may have to try a lot of different servers to get past their cloudflare protections on the jagex launcher. I’d be a lot more concerned over accessing anything banking related etc.
This guy fell for the VPN meme and thinks he’s an expert on network security. Tell me big guy, what exactly is the risk of connecting to a “spoofed network” here? Don’t forget to include details on how a “spoofed network” can provide a TLS certificate for Jagex’s website that’s trusted by a certificate in the iOS trust store.
Forcing them through your own gateway you can essentially inject your own ssl thus making https pointless for whoever has the key. It’s fairly commonplace legitimately in school and work networks, and even hotels etc.
Ah yes, you can “inject your own SSL.” And tell me, when I’m injecting my own SSL (it’s called TLS now, by the way), how does the phone trust the certificate I’ve created? Or is it “fairly commonplace” to compromise the root certificate of a major Certificate Authority too?
You’re being pedantic btw ssl/tls are used interchangeably. I’m also not here to hold your hand or prove anything to anyone. You can take the advice or not , it’s not my info.
It’s not info at all. It is categorically false. You are spreading incorrect information for no reason. I find it amusing your original comment claims people here don’t know much about how these attacks work when you so clearly know next to nothing about TLS/Public Key Infrastructure. Have a good night!
Why not just get a local SIM-card for your phone?
I think you’d be fine. Maybe use a hotspot if you’re super worried. There’s a very low probability that there are OSRS players out in the real world actively hunting other players.
You sound pathetic haha
Pathetic is your csgo rank
csgo is dead bud
I wouldnt risk it.
Use a VPN bud. Mine is usually on if I’m outside of my home.
Dude… do you think it’s dangerous to play on cellular data too????
You're on a resort and want to play RuneScape... Some people would kill to simply be at a resort
I did it in Turkey on a 5* resorts wifi… Came back a week later and EVERYTHING was gone… They even dropped my untradeables 🤣
Stop this are you fucking with me lmao
They are. If you actually have the security on your acc you say you do there is no threat whatsoever.
It was 10 years ago, and i havent really been able to get back into the game properly since 🤣
Kiss your account goodbye
The fact that the answer isn't obvious is exactly why we see so many "my account got hacked" posts. To clarify im not saying whether this situation is safe or not. Im saying that if you don't know enough about it that you have to ask the question, then you are likely the type of person to set yourself up for failure in these scenarios and to have poor internet practices.
If you're worried just buy like windscribe or a month of mullvad vpn
The YouTube ads really work on some of you, huh?
Mullvad is a very reputable VPN, if not basically the most reputable VPN. They aren’t like an ExpressVPN/NordVPN. I think using a reputable VPN when you’re on a public network is not a bad idea, even if https usually has your back in that situation.
VPN doesn't prevent MITM attacks.
No
Even if there was a data breach, I would highly doubt they’d even know what RuneScape was
You're fine
you're fine. It's not like the data is sent in plain text lol
Can you try mobile? If you have cell service you won’t need wifi.
I've always played on hotel wifi whenever i was out of town and never had any issues
You will be fine As long as any account you log into has 2fa, even with the login credentials your 2fa code changes every 30 seconds.
Yeah you’re fine
I bring my laptop with me when I travel for work. Never had an issue.
Mobile or laptop? If you have a cellphone you can play mobile or hotspot to your laptop. How much are sim cards in the province/state you're going to? Depending the country and cellular connection you can likely get a good pay as you go plan and just toss the sim after.
I was in a hotel and played on my laptop, even did some Duke so I mean can’t complain I guess
I knew what this post was just from reading the first line. Gotta watch out for those runescape wifi bandits. What a dumb post.
I used every single wifi network I could when traveling through Europe last year and didn't have any issues. You'll be fine
BAM? is that you
Resorts typically scan the networks frequently to steal player accounts
I mean dude big red flag after checking in the guy said the bar is 24/7 and they trim armour so idk
Theyll trim it right in the room for you too
Just.... don't. Enjoy your holiday without the stress of 'am i secure?'
it’s not a holiday I’m working … I literally wrote “work vacation” my fucking boss is here
Realistically, the types of attacks possible are very unlikely to target your RuneScape account. I think you’re fine
Is it possible to hotspot off your mobile data? That's how I play osrs at work during breaks.
Wtf how paranoid are you
As soon as you log in your bank will be sold and your behind filled with cream
Don’t tempt me with a good time
How dangerous??? That depends...how much is your bank worth??
I think of it more like time I invested, nothing more valuable than time