I’m sitting here at Moxies in downtown Calgary, and when I fired up my laptop looking for WiFi I spotted an unsecured network called ShawOpen at full strength.
When I connected I got prompted with a web page from Shaw saying they had rolled out free WiFi for their customers; all I had to do was log in using my @shaw.ca email credentials. More info on this service from Shaw here: http://www.shaw.ca/internet/wifi/
What worries me is how quick I was to simply log in to the service. I took a cursory glance at the address bar to ensure I was on a Shaw.ca website, and went ahead and logged in without even really thinking. In this case I was logging into a 100% legit Shaw service, and all is OK (I assume).
But I imagine it would be pretty easy for a malicious party to set up a WiFi network, call it ShawOpen, and configure the router to present all users with a page that looks exactly like the Shaw login page (since you control the DHCP and DNS servers, you could even make it appear to be a shaw.ca URL and it would be impossible to tell otherwise AFAIK). Sit back and harvest the Shaw logins. And once you have a user’s email login, you can use it to reset the password on most of their other sites (Facebook, Banking, WoW, PayPal, etc).
You could even go so far as to validate the user’s login against Shaw webmail and give them back accurate login denied/accepted responses. And if they provide the correct login, point their connection at the real internet so they assume they are using the real Shaw service.
Has anybody else considered this? Is there any barrier I’m overlooking that would prevent this type of attack? As a security-conscious user, how can I be certain that I’m really providing my Shaw credentials to Shaw and not a malicious network when trying to use their WiFi service?
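One way to approach the closing question, as an added example that is not part of the original post: check the login URL before typing a password, then confirm the server's TLS certificate, which is something control of DHCP and DNS does not let a rogue access point forge. It assumes the genuine portal is served over HTTPS under shaw.ca (the post does not say); the function names and sample URLs are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "shaw.ca"  # assumption: the real portal lives under this domain


def check_login_url(url, expected=EXPECTED_DOMAIN):
    """Return (ok, reason) for the URL shown when the portal asks for a password."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Over plain HTTP, whoever runs DHCP/DNS decides what "shaw.ca" resolves to.
        return False, "not https: hostname proves nothing on a hostile network"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' can disguise the real host"
    host = (parts.hostname or "").rstrip(".")
    if host != expected and not host.endswith("." + expected):
        return False, "host %r is not under %s" % (host, expected)
    return True, "https and host under expected domain; certificate must still validate"


def certificate_validates(host, port=443, timeout=5.0):
    """True if the server presents a certificate for `host` that chains to a
    trusted CA. Forged DNS answers alone cannot satisfy this check."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed sample URLs, not taken from the real portal.
SAMPLES = [
    "https://wifi.shaw.ca/login",
    "http://wifi.shaw.ca/login",
    "https://shaw.ca.login-portal.example/login",
    "https://shaw.ca@portal.example/login",
    "https://notshaw.ca/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", check_login_url(u))
```

Both checks are needed: a lookalike domain can hold a perfectly valid certificate, and a correct-looking hostname over plain HTTP carries no guarantee at all.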