We've received some comments and some questions about my previous blog post.
First, let me clarify. Naturally I didn’t solely rely upon the output from my web browser.
I analysed what was happening at network level: the POST information which contained the username and password was being transmitted via plain text using HTTP.
After the inquiries I was particularly interested to see if the situation was still the same following the weekend. After all, what I experienced could have been some glitch.
So yesterday I went to the local station nearby and tried to confirm Friday’s findings. Although the access point was visible, the Internet seemed to be dead - it was impossible to get a response from the access point.
In an effort to solve this puzzle, I rang one of my colleagues to see if he could check his location. Unfortunately he was unable to get an IP address from the hotspot so that attempt failed as well.
We gave up for the day.
I tried again today in the renewed hope of finding something. Once again, at the first station I was unable to get an IP address, which dampened my spirits a bit. However, when I tried the hotspot at the second station it cooperated. Success!
And the outcome? What I found was a completely revised portal on a different webpage, using HTTPS. That's good. Interestingly, the old portal is also still up and running, and still using HTTP.
My educated guess about all this? The Dutch railways announced yesterday that they are going to make Wi-Fi available on all trains. They probably constructed the new portal specifically for this. And probably something has gone wrong with the old portal - we don't know why. This might also be why connecting to the hotspots is such a problem; I was only able to get a connection at the biggest of the three stations I visited today.
It’s an interesting little security puzzle. And it once again highlights that you should always keep your eyes open for anything unusual, no matter what the time or place.