You Need More Than HTTPS To Stay Safe On Public Wifi

You shouldn’t be afraid of using public wifi anymore. Or, at least, you have much less to fear nowadays. While that doesn’t mean that you should blindly connect to “free internet,” “xfinity,” or other random, open hotspots without a little common sense—and some software backups—we’ve come a long way from the days of people using software tools like Firesheep to sniff everything you’re doing on public wifi.

At least, that’s the Electronic Frontier Foundation’s position. The organisation recently published an article claiming that any fears you might have of using public wifi are a bit unfounded: “…due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.”

There’s no doubt that we live in an HTTPS world nowadays. According to Google’s statistics, most connections from Chrome users take place over this secure form of HTTP (93%), and that figure is only growing worldwide. Similarly, 96 of the web’s top 100 sites (that aren’t Google) currently default to using HTTPS, and all of them support HTTPS connections—which is why you should absolutely be using a plugin like HTTPS Everywhere in your browser to force these more-secure connections whenever you can.

When you do, notes the EFF:

“…anyone along the communication path—from your ISP to the Internet backbone provider to the site’s hosting provider—can see their domain names (e.g. wikipedia.org) and when you visit them. But these parties can’t see the pages you visit on those sites (e.g. wikipedia.org/controversial-topic), your login name, or messages you send. They can see the sizes of pages you visit and the sizes of files you download or upload. When you use a public Wi-Fi network, people within range of it could choose to listen in. They’d be able to see that metadata, just as your ISP could see when you browse at home.” 

That’s all well and good, but I wouldn’t start blindly connecting to every public wifi hotspot you see, assuming you’re completely in the clear. First off, it wouldn’t be very hard for someone to set up a dummy public wifi and record the protocols and ports you’re using—just like this. Phishing a login and password, especially if a person isn’t paying attention to what’s appearing in their browser’s address bar, would be similarly trivial. And those who aren’t tech-savvy at all might even be convinced to install a rogue application to enable “free internet access.” Oof.

And remember, writes ZDNet’s David Gewirtz:

“Another thing to consider about https encryption is it only encrypts your web traffic. Any other internet activity is not touched by the https protocol and therefore requires its own encryption. Examples of other activity include web-based video games that might send your account, password, and even credit card information in the clear; an email program; or even a locally run accounting program.”

If you really want to stay safe on public wifi, you need a multi-pronged approach.

Do you really need wifi, or can you tether a mobile connection instead?

Consider whether you really need wireless access, and whether the network is something you can trust (the official wifi network the airport indicates you should use) or something you found that looks tempting and inexpensive (a random “FREE WIFI HERE” SSID). While you’re not out of the woods if you connect to Starbucks’ public wifi and it’s actually not that, you’re at least slightly safer than connecting to an obvious trap.

A great VPN is your new best friend

There are plenty of VPN providers out there that suck and are siphoning your data themselves to sell to third-parties, but if you can find a trusted one—or if you create your own—it’s an excellent way to boost your security when accessing public wifi. Make sure you turn it on before you do anything like, say, submit a login and password to a site or service. And test it for DNS leaks from time to time.

Make sure you’re plugging any other security holes, too

Whether you’re using public wifi or browsing at home, pack your browser and operating system full of helpful tools that can help you avoid problems on the web. Have a strong antivirus and antimalware setup. Use UBlock Origin, Privacy Badger, and HTTPS Everywhere in your browser. Make sure that you aren’t sharing folders on your computer—including the good ol’ Windows public folders. Keep your system and apps updated with the latest security patches. Pay attention to what appears in your browser’s address bar. When you’re done using the public wifi, forget the network so someone can’t spoof it and get your computer or phone to log on again (before you’ve enabled your VPN).

HTTPS is great and important—don’t get me wrong—but it would be similarly wrong to assume that it’s the only thing you need to think about when you’re connecting to public wifi. It helps make you safer; it doesn’t make you safe.

Comments


One response to “You Need More Than HTTPS To Stay Safe On Public Wifi”

Leave a Reply