I noticed a library that has ethernet ports, which I must say is quite impressive. So many libraries strictly expect people to use wifi which has downsides:
- many (most?) wifi NICs have no FOSS drivers (ethernet is actually the only way I can get my FOSS laptop online)
- ethernet is faster and consumes less energy
- wifi radiation harms bees and other insects according to ~72 studies (update: separate discussion thread here which shows the research is heavily contested)
- apparently due to risk of surrounding households consuming bandwidth, 2FA is used (which is inadvertently exclusive at some libraries)
- enabling wifi on your device exposes you to snooping by other people’s iPhones and Androids according to research at University of Hamburg. Every iPhone in range of your device is collecting data about you and sending it to Apple (e.g. SSIDs your device previously connected to). From what I recall about this study, it does not happen at the network level, so ethernet devices attached to the same network would not be snooped on (and certainly SSID searches would not be in play).
- (edit) users at risk to AP spoofing (thanks @[email protected] for pointing this out)
I don’t know when (if ever) I encountered a library with ethernet. Is this a dying practice and I found an old library, or a trending practice by well informed forward-thinking libraries?
BTW, the library that excludes some people from wifi by imposing mobile phone 2FA is not the same library that has ethernet ports, unfortunately. If you can’t use the wifi of the SMS 2FA library then your only option is to use their Windows PCs.
deleted by creator
The security pitfalls are far more vast on WiFi, in fact by your own suggestion: anyone in range of the library can set up their own spoofed AP. You can even be several blocks away and point a directional yagi antenna at a library or cafe to do this. It would be foolish to try this from inside the library because not only would you be in plain visible sight but the malicious traffic would be visible to the library’s admins (which in the case at hand is outsourced to Cisco). It would also be trivial for admins to detect when a new device is connected for longer than the library’s open hours.
You would have to evade the surveillance cams, ensure no trace of your identity on the router (which you would have to buy using cash), plant it using gloves so no fingerprints, and do something creative to hide it because the ports are in plain sight at waist level. If you opt to store the snooped data on the router which you then must return to fetch, that’s an insane risk that just would not justify the gains. And what do you think would be a gain that’s not possible over wifi? Even if the ethernet LAN differs from the wifi LAN, they would be configured with the same security anyway.
If someone wants to plant a malicious device in the library, wifi still makes more sense. E.g. an attacker can carve a smartphone-sized hole out of the center of a book and plant a device in a book that reaches wifi. Or if they want to power the device, there are still more options to hide it anywhere there is power, vs. trying to hide a device that must plug into an exposed ethernet port in an open room. Thus:
- the attack surface of wifi is bigger than the attack surface of ethernet
- the attack surface of ethernet is a subset of the wifi attack surface
A Venn diagram of this would be a circle wholly inside another circle. If someone thinks otherwise, please give a viable attack scenario.
As a library user, how do I know I’m not connecting to a spoofed AP? Users are trivially safer plugging into the wall.
(BTW, if you appreciate security, you might be interested to know that your instance [lemm.ee] is a Cloudflare site; thus a US gatekeeping tech giant sees all your traffic on that instance in-the-clear. You might want to change instances. You’re welcome!)
UPDATE
They really are (excessively) on their security game – it turns out the ethernet ports are just a decoy to distract hackers from resources that actually function. Though in seriousness, we can only say they are on their security game if we scrap availability as a security objective (as non-wifi users are stuffed in this situation).
How do you tell if something is a Cloudflare site? (I really don’t know)
There are several ways:
- You can hit F12 in either Firefox or Chrome, look at the headers for a “CF-ray” field. (or a simple CLI way: `curl -I "$URL" | grep -i cf-ray`)
- this page will check for you. (there is a clearnet version of that link but I don’t recall); caveat: if a non-CF host has CF hosts on the same domain, this checker treats all hosts on the domain as CFd.
- You can do a whois lookup to see if the IP belongs to Cloudflare.
- If you do a DNS query, that will often give clues (though AFAIK you cannot distinguish users of CF’s DNS service from those of their proxy service)
- There are some browser add-ons here which will tag Cloudflare sites so you can avoid them. The BMCA plugin will auto-redirect visits to CF sites to the archive.org mirror. Note those plugins can be tricky to install.
Note that your instance (lemmy.dbzer0.com) is free from Cloudflare.
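The first two checks from the answer above (the `CF-Ray` response header and the IP-ownership lookup), worked through as an added example that is not part of this thread: the response heads and the `cf-ray` value are constructed, and the two CIDR ranges are an assumed subset of Cloudflare's published list, which should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Assumed subset of Cloudflare's published IPv4 ranges; fetch the live list
# from https://www.cloudflare.com/ips-v4 rather than trusting these two.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]


def headers_from_raw(raw: str) -> dict:
    """Parse a raw HTTP response head (what `curl -I` prints) into a dict
    with lowercase header names; the status line is skipped."""
    hdrs = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def cloudflare_header_evidence(hdrs: dict) -> list:
    """Return the header names that show a Cloudflare proxy in front of the
    origin: cf-ray (the one the answer mentions), cf-cache-status, and
    Server: cloudflare."""
    found = []
    if "cf-ray" in hdrs:
        found.append("cf-ray")
    if "cf-cache-status" in hdrs:
        found.append("cf-cache-status")
    if hdrs.get("server", "").lower() == "cloudflare":
        found.append("server")
    return found


def ip_is_cloudflare(ip: str, ranges=CLOUDFLARE_V4) -> bool:
    """True if the address a hostname resolves to sits inside Cloudflare's
    proxy ranges, i.e. the same answer a whois lookup on the IP would give."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Constructed response heads, not captured from any real site.
PROXIED = "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123abcd-EXAMPLE\r\nContent-Type: text/html\r\n"
DIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, raw in (("proxied", PROXIED), ("direct", DIRECT)):
        print(label, cloudflare_header_evidence(headers_from_raw(raw)))
    print("104.16.1.1 ->", ip_is_cloudflare("104.16.1.1"))
```

A host whose A record falls inside the ranges is being proxied; a host that merely uses Cloudflare's DNS resolves to its own origin address and will not match.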