Is it safe to use free, public WiFi?


    Free public WiFi hotspots are available in most public places, such as airports, McDonald’s, Starbucks, or your local public library. A lot of security experts, or self-proclaimed experts, warn you against connecting to these WiFi networks. They warn you that some bad guy may be operating the WiFi hotspot, in which case they can steer you to fake web sites to steal your information. Or a bad guy sitting next to you, because he’s on the same network as you are, might be snooping on your connection and stealing your passwords, credit card numbers, or your session cookies.

    We agree with them that public, open WiFi networks cannot be trusted. However, we’d also say that you are pretty safe. Your passwords, credit card numbers and session cookies are not that easily stolen by a thief sitting next to you. Why? The keyword is HTTPS.

    The HTTPS protocol encrypts messages sent between your device and the server and ensures end-to-end transport security. What that means is that people can look at the messages exchanged between your device and the server, but all they see is random bytes. They cannot extract useful information out of the stream of bytes flowing through.

    How do you know that HTTPS is being used? Check the green lock on the left of the URL address bar.

    Who’s using HTTPS? Google, Facebook, Instagram, your bank, your credit card company, your company’s payroll, your insurance company, your ISP’s web site, even YouTube and Vimeo! Basically, almost every web site that matters.

    So what’s all the fuss about your personal information being stolen? Well, there’s a small possibility that you might have mistyped your bank’s URL, and the mistyped URL happens to be a website created by some bad guy, and it serves a valid SSL certificate that matches the mistyped domain name. There’s also a possibility that a bad guy redirected you to a plain HTTP URL (a technique called sslstrip).

    In summary, you should be pretty safe if you:

    1. Check for the HTTPS green lock icon.
    2. Do not click through when you see a certificate warning.
    3. Make sure you typed in the URL correctly (if you’ve visited the site before, the browser will prepopulate the address bar with the previous address).

     

    You might have seen the suggestion that you should remember to turn off Windows Network Discovery and file sharing when you connect a Windows PC to a public WiFi hotspot. But Windows has that already figured out for you: simply select Public when it asks you whether the connection is Public, Home or Work.

    What about apps on your smart phone? Yeah, there’s no green lock to look at for apps and there’s no sure way to tell if an app is using HTTPS/SSL behind the scenes when it communicates with the server. Some people say, do not use apps when you are connected to an open WiFi. But that’s equivalent to never connecting your smart phone to open WiFi, because apps can connect to backend servers without being launched by you.

    Even so, we say with high confidence that security sensitive apps (such as your bank’s) will not use insecure communication protocols when talking back to servers. Therefore, you should be safe using your bank’s app, even on an open WiFi connection. Ask the app developer if you want to be sure.

    If you use the pcWRT router, there’s a simple way to check it out. Here’s how:

    1. Connect the phone to the pcWRT router WiFi. Find it on the Status page and give it a name.
    2. Put the phone in a profile with Access Control turned on.
    3. Use the app you want to check out.
    4. Open the Access Control logs and click on the device name.
    5. Switch to Raw mode.
    6. Click on the links under the Port column to reveal the first 15 bytes sent over the connection.
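
    What to look for in those first bytes: a TLS connection opens with a ClientHello record, while plain HTTP opens with a readable request line. The following Python sketch is an added example, not pcWRT code; it assumes the bytes are available as hex text (how the log renders them may differ), and the sample dumps are constructed.

```python
# Added example: classify the first bytes a client sent on a TCP connection.
# Input format (hex text) is an assumption; the sample dumps are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")
RECORD_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                   0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def classify_first_bytes(hex_dump):
    """Return (verdict, detail) for the leading bytes of a client->server stream."""
    data = bytes.fromhex(hex_dump.replace(":", " "))
    if len(data) < 6:
        return "too-short", "need at least 6 bytes to see a TLS record header"

    # TLS record header: type(1) version(2) length(2), then the handshake type.
    rec_type, rec_ver = data[0], int.from_bytes(data[1:3], "big")
    rec_len = int.from_bytes(data[3:5], "big")
    if (rec_type == 0x16 and rec_ver in RECORD_VERSIONS
            and 0 < rec_len <= 16384 and data[5] == 0x01):
        detail = "ClientHello, record version " + RECORD_VERSIONS[rec_ver]
        if len(data) >= 11:
            # legacy_version inside the hello; TLS 1.3 also sends 0x0303 here,
            # so this field alone cannot tell 1.2 from 1.3.
            hello_ver = int.from_bytes(data[9:11], "big")
            detail += ", hello version field 0x%04x" % hello_ver
        return "tls", detail

    if data.startswith(HTTP_METHODS):
        return "http-plaintext", "request starts: " + repr(data.decode("ascii", "replace"))

    if all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data):
        return "plaintext", "printable ASCII, not HTTP: " + repr(data.decode("ascii"))

    return "unknown", "binary, not a TLS ClientHello (could be a custom protocol)"


SAMPLES = {  # constructed, 15 bytes each
    "tls_hello": "16 03 01 02 00 01 00 01 fc 03 03 a1 b2 c3 d4",
    "http_get": b"GET /api/v1/bal".hex(),
    "binary": "00 0f 8a 11 5c 00 00 01 02 03 04 05 06 07 08",
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, classify_first_bytes(dump))
```

    A `tls` verdict shows that the connection is encrypted; it does not show that the app validates the server certificate, which the first 15 bytes cannot reveal.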
