Public Wifi: Fingerprinting methods and mitigation

With more online services blocking VPNs and Tor, there are a lot of scenarios where a user needs to create an account for temporary usage without any VPN connection.

Let's say someone goes to a restaurant or other location that has public Wifi, what methods can be used to fingerprint or identify a connected device?

Assumptions:

  1. The connected device uses MAC address randomization.
  2. The wifi network doesn’t have a captive portal.
  3. The web browser used is privacy focused.
  4. Physical surveillance is not a concern in this hypothetical scenario. While it could be used to identify a user, realistically the average cafe isn’t retaining CCTV footage indefinitely. Additionally, if the location is fairly busy with multiple people using free wifi at the same time, there is an element of plausible deniability unless you have a direct recording of their screen.

Followup question: If tracking or identification is possible in this scenario, what mitigating steps could this user take to prevent identification?

Who is the threat actor in this scenario? The operator of the endpoint webserver? The ISP? The cafe’s network operator? Other devices?

The operator of the endpoint webserver and the ISP are the main threat actors.

I’m curious about the capabilities of all of those listed though as well.

Would it be a problem if the portal just let you check a ToS (Terms of Service) box?

Whoops, I never returned to this thread

The ‘threat’ of public WiFi is largely outdated/overstated. 99.5% (I made this number up, but it’s a vast majority) of modern websites use HTTPS now; your comms are encrypted with SSL.

Threats & Mitigations:

Threat: although the content of your packets is secure, their destination - i.e. the website you are visiting - is visible to adversaries on the LAN or ISP network

Mitigation: use a proxy, be it Tor or a trusted VPN, maybe both if you have reason to conceal Tor usage

Threat: your device is exposed to potential adversaries on an untrusted network, who may try to exploit your machine

Mitigation: use a trusted OS, like GrapheneOS or Qubes, both of which are hardened

Threat: the endpoint webserver is hostile, you don’t want to reveal your location

Mitigation: once again, use a proxy. VPN for privacy, Tor Browser if anonymity is needed

Threat: LAN operator may try to fingerprint your device across sessions via network activity

Mitigations: MAC address randomization + Tor using a Snowflake proxy or a Tor Bridge. This technique uses a private, dynamic IP as your entry point to the Tor network. Only necessary if you think there’s a risk that an adversary is present between you & your proxy server, competent & determined enough to fingerprint your network activity across sessions

Threat: general fingerprinting on an endpoint webserver that would exist regardless of your LAN connection

Mitigation: PG recommendations for browsers, Brave Ironfox et al for privacy. Tor Browser for anonymity

Threat: you may inadvertently connect to an unencrypted HTTP site, exposing all network communications to the network

Mitigation: block all HTTP requests with a local firewall like RethinkDNS

That’s every threat I can imagine, curious if anyone can add anything else

Also, MAC randomization can be done per-connection instead of per-WiFi. GrapheneOS has per-connection MAC randomization enabled by default, which would make your device harder to fingerprint.
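As an added example (not code from this thread or from any project named in it), here is a small audit of NetworkManager keyfile Wi-Fi profiles that reports whether each profile uses per-connection (`random`), per-network (`stable`) or no MAC randomization, which is the distinction the last reply draws. The profile contents are constructed samples; the keyfile layout and the `cloned-mac-address` values are the ones NetworkManager documents, and the file names are assumptions.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (assumption: on a
# real host these live under /etc/NetworkManager/system-connections/).
SAMPLE_PROFILES = {
    "cafe.nmconnection": """[connection]
id=cafe
type=wifi
[wifi]
ssid=CafeGuest
cloned-mac-address=random
""",
    "home.nmconnection": """[connection]
id=home
type=wifi
[wifi]
ssid=HomeNet
cloned-mac-address=stable
""",
    "office.nmconnection": """[connection]
id=office
type=wifi
[wifi]
ssid=Corp
""",
}

# NetworkManager value -> the randomization behaviour discussed in the thread.
POLICY = {
    "random": "per-connection",  # fresh MAC every time the profile is activated
    "stable": "per-network",     # one hashed MAC per SSID, reused across sessions
}

def classify_profile(text: str):
    """Return (profile id, policy) for a Wi-Fi profile, or None for other types."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if cfg.get("connection", "type", fallback="") != "wifi":
        return None
    value = cfg.get("wifi", "cloned-mac-address", fallback="").strip().lower()
    # Unset, 'permanent', 'preserve' or an explicit MAC all keep a fixed,
    # trackable address, so anything outside POLICY is flagged.
    return cfg.get("connection", "id"), POLICY.get(value, "hardware MAC (trackable)")

def audit(profiles: dict) -> dict:
    """Return {profile id: policy} for every Wi-Fi profile in the mapping."""
    return dict(e for e in map(classify_profile, profiles.values()) if e)

if __name__ == "__main__":
    for pid, policy in audit(SAMPLE_PROFILES).items():
        print(f"{pid}: {policy}{'' if policy == 'per-connection' else '  <-- review'}")
```

Run against real profiles by reading each `.nmconnection` file into the mapping; only `per-connection` matches the per-connection behaviour the reply describes.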