You don’t have to be nervous about using public Wi-Fi
When you are on the move, and especially when traveling, you might feel a little anxious when connecting to a public Wi-Fi network. You might be sitting in an airport waiting for your flight and that Wi-Fi network’s siren call is itching in your ears. You own one of the best laptops you can buy, but you’ve always heard that public Wi-Fi is unsafe or that your job strictly forbids it. So what should a travel technician do? i sat down with Chester wisniewski, principal investigator for Sophos to find out how terrible it was.
Funny story. Turns out it’s not that bad.
Most of what you’ve heard on public Wi-Fi is probably a decade or more away. This is where the terrible reputation comes from. But things have changed, and it’s important to understand the how, and part of the how includes the why. There is a bit of history to go to see how we got here.
“Today, if I go to Starbucks and try to hack you, I don’t get anything. At best, all I’ll see is “Adam is going on Facebook”, but I have no idea what he’s doing on Facebook. I don’t know if he logs in as him, or if he logs in as an alter ego. I have no idea because this is all encrypted and protected at the application layer level rather than the network. “
How we got here
Many moons ago, the Internet was largely insecure. We have relied on our networks to protect our network traffic. As a result, people were vulnerable to attack with cute names like “evil twin” and “man in the middle”. These attacks allowed a hacker to see everything that was happening on the Internet. Type in www.facebook.com and enter your username and password and it was all right there, waiting to be intercepted. But it was cool because the network protected everything.
But just under ten years ago a man named Edward Snowden appeared on the world’s radar and everyone suddenly realized that everything we do on the internet could be watched and / or collected. When it happened, we all panicked. Fortunately, we panicked in a good way; we started to lock everything down as much as possible.
This brings us to where we are today. Wisniewski says, “Today if I go to Starbucks and try to hack you, I don’t get anything. At best, all I’ll see is “Adam is going on Facebook”, but I have no idea what he’s doing on Facebook. I don’t know if he logs in as him, or if he logs in as an alter ego. I have no idea because this is all encrypted and protected at the application layer level rather than the network. Spoiler alert, I wasn’t logging in at all, and in fact, I never go to Facebook, but that’s another post for another time.
How are things today
It took a while for all of this to be put in place, but in 2019 Google reported that almost 92% of all internet traffic was encrypted. Turns out the answer was in our address bar the entire time. The “s” in “https: //” indicates that the traffic you are generating is encrypted. It uses Transport Layer Security (TLS) to encrypt data sent over the Internet at the application level. It should be noted that “app level” refers to both the website, such as facebook.com, and the Facebook app.
The only information that is not encrypted is the DNS lookup information. For example, if you open a browser and go to www.digitaltrends.com, and someone intercepts your signal, they can see that you’ve been to the best tech website ever, but they won’t be able to see what you did when you got there. Even that changes according to Wisniewski. Firefox and Google Chrome both hide DNS lookup information by default, and most other web browsers provide the option to do so. Windows 11 has a system-wide option that you can enable to hide this information in any browser.
So it all comes down to the fact that, for the most part, public Wi-Fi is about as secure as you can reasonably ask for.
Additionally, HTTP Strict Transport Security (HSTS) adds another layer of security. HSTS teaches your computer what a website looks like on your first visit. Each subsequent visit confirms for your browser that you are on the correct one. There’s even an HSTS preloaded list of tens of thousands of domains that your browser knows about even before your first visit. This prevents man-in-the-middle attacks from sending you to the wrong site designed to look like the right site and jeopardizing your traffic.
Exceptions to the rule
So it all comes down to the fact that, for the most part, public Wi-Fi is about as secure as you can reasonably ask for, but there are a few caveats to that. It will look like our smart home hack article from the Scream trailer, but similar circumstances call for caution in this case. If you are the type of person who regularly deals with extremely sensitive information and / or information that other people really want, then you should think twice before connecting to a network that you or your business / agency does. have not configured it yourself. While the encryption we use on a daily basis is strong enough to handle the occasional attacker, if you are manipulating information that others would literally kill for, public Wi-Fi is not for you.
Another big caveat comes in the form of companies whose policies specifically prohibit you from using public Wi-Fi. If you work for such a company or agency, just don’t. In the company’s opinion, there aren’t enough protections in place, and they sign your paychecks, so who are you to talk to? At the end of the day, companies have rules and as an employee it’s your job to follow them, despite what a tech website has to say about them.
Finally, check with your instincts. If you feel uncomfortable logging into your bank from your local airport, then don’t. After all, it’s your data. You can use a banking app to log in from your phone over 5G or LTE, which is about as secure as networks can get.
Other ways to stay safe
Are there ways to make your web traffic even safer? I asked about VPNs for example. One theory is that a VPN is a good way to hide data, and to some extent Wisniewski agrees. But in cases like this, he describes a VPN as a “reassignment of trust.” While most of your traffic is already encrypted, using a VPN moves insecure things (like DNS lookups for example) to the VPN. If you trust your VPN more than Starbucks network engineers, it will help you with the limited amount of data that is not already encrypted.
One of the most important messages Wisniewski left me was a warning against clicking on safety messages. When you visit a website and your browser displays a warning that the site may not be safe, it probably is not. The problem can be as simple as a typo or an expired security certificate, but suffice it to say, if you get a warning, there’s a reason. Check everything and if in doubt ignore it and come back another time.
In general, for most people, public Wi-Fi is safe, and the reason is that as a society we are much more concerned about security than 10 years ago.
Beyond that, password managers are a great tool to use to stay safe on the internet no matter how you log in. Password managers are inherently strict about security and they prevent reuse or oversimplification of passwords. Plus, if a password is breached, it’s fairly straightforward to change.
But the overall message here is that, in general, for most people, public Wi-Fi is safe, and the reason is that as a society we are much more concerned about security than there is. 10 years. As such, we demanded that our information be more secure, and the internet responded. So if you are traveling or just going out, you can probably grab some coffee and enjoy Netflix.