The intative promises to be privacy-friendly with no tracking. Stating:
Your privacy is important. The WiFi4EU app ensures a private online experience with no tracking or data collection. Simply connect and enjoy free public Wi-Fi without concerns.
Source: https://digital-strategy.ec.europa.eu/en/policies/wifi4eu-citizens
Will be interesting to see how this spans and plays out in reality. Looks promising too, did a quick scan of their builtin permissions and trackers and looks good too. (Scanning tool is called Exodus)
Anyone happens to know if this would be secure? I mean, I’ve heard of being wary connecting to public WiFi. What guarantees someone won’t connect to a WiFi4EU network belonging to Shady McHoodie in the corner of a coffee shop instead of an official network? Do usual security / privacy recommendations apply? Would a VPN be recommended for said network? (I presume VPNs are good for public WiFi. Not sure if that is indeed the case).
Tricky thing is, you may think you’re connecting to a legit network, but anyone can set their network name to a legit-sounding one. Mr. McHoodie could have a WiFi4EU, a Free-Airport-WiFi, a GFOTYBUCKS-WiFi. I assume at least once connected, your device won’t be fooled into auto-connecting to a similarly named network
It’s not really a concern anymore, now that pretty much all a lambda user’s traffic is encrypted. Anyone collecting your wifi traffic only sees garbage.
Websites also can’t be so easily spoofed. The spoofer would need to have a certificate issued by an authority trusted by your device for the spoofed domain, which is highly, highly unlikely to happen as long as your software is up to date, which nowadays is done automatically.
So really, the fear of untrusted public wifi is a thing of the past, and a good marketing lie for VPN companies.
So I don’t need to worry connecting to third-party WiFi, then. Are all WiFi “safe”, then? I mean, besides public WiFi. “Private” WiFi like hotels, houses, etc. Like, could I exploit my own WiFi somehow? Or someone else, with WiFi they set up and control
Do VPNs have any advantage, then, other than location “spoofing”? Or is the sole use to appear to be in a different country? I mean, there is a corporate use of connecting to a company from afar
Once seen a presentation, where I once worked. Feller picked me device on a list on his PC, could see WiFi I had connected to. Presumed, and well, that I took the intercity bus.
No, you don’t really have to worry about connecting to third party WiFi networks anymore. Just make sure that when your browser says “This connection might not be secure” (aka it couldn’t make sure the certificate is legit, or it’s not even encrypted at all), you don’t ignore the warning and click “I dont care, I’ll take the risk”.
Privacy-wise, you can be exposed if the WiFi network is not trusted, as the domains you visit are likely to be visible (DNS resolution encryption is still not widely used). A VPN usually solves that completely.
There is probably other aspects to be wary of that are not on top of my head, but nothing like your credentials being stolen, bank data being stolen, or anything like it, as long as you keep your devices updated (vulnerabilities are still a thing, but are usually fixed quickly enough, and certificate authorities private keys can be leaked/stolen - although that is incredibly rare -, but are also usually removed from the trusted list of browsers quickly enough)
VPNs also encrypt all the non encrypted traffic (so, as I said earlier, DNS resolution, but also potential third party applications that do not encrypt their data, which would be an enormous mistake on their side), but offers no noticeable extra protection when just browsing the web. It basically adds a layer of encryption over already existing encryption, which adds no practical security.
As for the example you gave, I am not familiar anymore with the WiFi protocols, but I wouldn’t be surprised if your device leaks some information about your past connected networks when actively probing for available networks. It is a privacy concern, but not a security one.