@exaCORE
If you do use public Wi-Fi you should:
- use an always random MAC address
  - my Brace does this by default
  - GrapheneOS and DivestOS do this by default
- use a generic or blank hostname
  - on Linux, localhost will typically result in no hostname being set/advertised - GOS/DOS do this by default
  - note most Android systems will reuse previous DHCP states too, GOS/DOS won't
    - on Linux
- don't give any information to the captive portal
  - they'll often accept anything for an email/name if they ask
- ensure all software is updated
- use a system wide encrypted DNS
  - encrypted DNS doesn't help with privacy here, but does provide integrity of the results
  - consider using browser encrypted DNS too for benefit of ECH where supported
    - if ECH is used, then privacy is benefited
- set your browsers to forced HTTPS mode
  - do not access HTTP content
- use a proper browser
  - a few forks disable critical security checks like CRLite/OCSP/CT
- ensure your firewall is set properly:
  - for Windows, Public should be ok, someone else can confirm
  - last I used Mac OS X, it had a stealth option
  - for firewalld or ufw set inbound to drop
- ensure no unnecessary ports are opened
- ensure any running services have proper authentication/access controls
- remember anyone on the network can (try to) toy with your traffic
- remember anyone listening on the radio can observe all past/present/future traffic
  - WPA2/3-EAP and WPA3-PSK largely mitigate this
- you can use Qubes on a supported machine to isolate the network interface to its own virtual machine
  - otherwise you should at least ensure the networking daemons are sandboxed
    - Brace does this for wpa_supplicant
These should largely be done regardless of public/private/friends/etc.
I personally use public Wi-Fi sometimes, but I route everything over Tor and/or a trusted VPN (while still doing the above).
See also: https://media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF
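The Linux items from the post above (random MAC, hostname not advertised, system-wide encrypted DNS, inbound drop) as one worked configuration. This is an added example and is not code from the post or from Brace; it assumes NetworkManager and systemd-resolved, and the resolver 192.0.2.53#dot.example.net and the drop-in file names are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example, not code from the post or from Brace: emit the Linux settings
# the post recommends (random MAC, hostname not advertised, encrypted DNS,
# inbound drop) and audit an existing NetworkManager.conf for them.
# Assumptions: NetworkManager and systemd-resolved are in use; the resolver
# 192.0.2.53#dot.example.net and the drop-in file names are placeholders.
set -e

# NetworkManager drop-in. Keys are from NetworkManager.conf(5):
#  - hostname-mode=none: never adopt a hostname from DHCP/reverse DNS, so a
#    deliberately blank or "localhost" hostname stays that way (and
#    NetworkManager then sends no hostname in its DHCP requests)
#  - wifi.scan-rand-mac-address: random MAC while scanning
#  - *.cloned-mac-address=random: fresh random MAC each time a connection comes up
nm_hardened_conf() {
  cat <<'EOF'
[main]
hostname-mode=none

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
EOF
}

# systemd-resolved drop-in: strict DNS over TLS, so the hotspot's resolver
# cannot forge answers (integrity, as the post says; your resolver still sees
# the queries, so this is not privacy from the resolver).
resolved_hardened_conf() {
  cat <<'EOF'
[Resolve]
# placeholder: replace with your resolver's IP#TLS-hostname
DNS=192.0.2.53#dot.example.net
DNSOverTLS=yes
EOF
}

# Audit: print every expected key=value line absent from FILE (a commented-out
# or differently valued key counts as absent); exit status 1 if any is missing.
audit_nm_conf() {
  file=$1
  n=0
  for kv in hostname-mode=none \
            wifi.scan-rand-mac-address=yes \
            wifi.cloned-mac-address=random \
            ethernet.cloned-mac-address=random; do
    if ! grep -qsxF -- "$kv" "$file"; then
      printf 'missing: %s\n' "$kv"
      n=$((n + 1))
    fi
  done
  [ "$n" -eq 0 ]
}

# Print the commands that make the default inbound policy "drop" for whichever
# host firewall is installed (run them as root to apply).
firewall_drop_cmds() {
  if command -v ufw >/dev/null 2>&1; then
    echo 'ufw default deny incoming'
    echo 'ufw --force enable'
  elif command -v firewall-cmd >/dev/null 2>&1; then
    echo 'firewall-cmd --set-default-zone=drop'
  else
    echo '# neither ufw nor firewall-cmd found'
  fi
}

# Stand-alone run: write the drop-ins under $OUT (default: a temp dir, so no
# root is needed), audit the live NetworkManager.conf, show firewall commands.
OUT=${OUT:-$(mktemp -d)}
mkdir -p "$OUT/NetworkManager/conf.d" "$OUT/systemd/resolved.conf.d"
nm_hardened_conf > "$OUT/NetworkManager/conf.d/90-public-wifi.conf"
resolved_hardened_conf > "$OUT/systemd/resolved.conf.d/90-dot.conf"
echo "drop-ins written under $OUT (copy into /etc to apply, then restart NetworkManager and systemd-resolved)"
audit_nm_conf /etc/NetworkManager/NetworkManager.conf || echo 'live NetworkManager.conf lacks the settings above'
firewall_drop_cmds
```

The audit matches exact key=value lines, so a key that is commented out or set to another value is reported as missing; if your distribution splits its configuration across /etc/NetworkManager/conf.d, run audit_nm_conf against each file there as well.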