Editor’s note: This article is one of a three-part series exploring how secure internet users really are in 2021. Other articles in the series are, The state of World Wide Web security in 2021, and Password managers can make your network more secure – but mind the gaps.
The Blue Öyster Cult got a few things right at the height of their fame. As any 1970s band should, their name included an unnecessary umlaut. More importantly, one of the lyrics from their song, Don’t Fear the Reaper said, “(We can be like they are) Come on, baby.” If you’ve ever felt jealous of someone you’ve been with who randomly connects to the public Wi-Fi at the mall, café, hotel, or airport without a care in the world, you should read on.
As many parts of the world appear to be finally getting a grip on the pandemic and more people can consider their approach to getting back into the world, we are suddenly out and about much more than before. This inevitably leads to needing internet access as we travel, shop and socialize again. Almost 10 years after Edward Snowden told us we were being spied upon online, is it finally safe to just “connect?”
As my paper, The state of Web security in 2021 shows, we’ve made great progress in improving the baseline of security by making changes behind the scenes to how encryption is implemented to ensure our communications remain private.
Let’s evaluate the risks still present in the use of public Wi-Fi considering the improvements to the fundamental security protocols used for modern websites and phone applications.
The Wi-Fi attack checklist
Most public Wi-Fi is unencrypted, that is to say anyone within radio range (up to 100 meters or 300 feet) can see the information you send over the connection. This was problematic in the past as it offered many opportunities for spying on or hijacking your communications.
The first requirement for an attacker then is to be within radio range and do one of the following:
- Operate an “evil twin” Wi-Fi point with the same name that has a stronger signal that you connect to instead of the real one
- Trick you into using the attacker for name lookups (DNS) so they can redirect your requests to fake pages or through proxies
- Simply observe your communications to intercept any unprotected data between you and your intended destination
This isn’t too hard, but the physical aspect of this makes it impractical. Attackers must put themselves physically close to their victims, limiting potential victims to people in their immediate area. This isn’t a crime they can easily perform from Moldova anonymously over Tor.
Next attackers need to predict which sites their victims might want to visit and whether these sites are protected by HSTS. If they are attackers will be unable to intercept the traffic without convincing a certificate authority to issue them a valid one for the protected domain.
Of course, attackers could just snoop on unencrypted traffic and hope for the best. As my research showed, less than approximately 5% of connections are unencrypted and the vast majority of those are marketing and ad trackers. None of the most popular destinations that lacked encryption accepted usernames and passwords, making this observation of limited use to criminals.
Wi-Fi based attacks are a very low-yield crime with a very high likelihood of arrest, if cybercriminals are detected. If there is anything I have learned over the years is that criminals are usually lazy and reach for the lowest hanging fruit. The risk of attacks like this will vary though, based on your risk profile. More on that later.
Encrypted websites aren’t immune to being hijacked though. A website that doesn’t utilize HSTS can be “downgraded” by an adversary to use an unencrypted connection allowing them to tamper with or intercept your information.
In my research this was most of the sites surveyed, 61.03%. That sounds scary, but remember they need to be nearby and either target specific destinations ahead of time or downgrade only the sites without HSTS to HTTP, a difficult, if not impossible feat. None of the sites without HSTS protection were in categories where the types of information criminals often value are transmitted. This includes social media, web-based email providers, office applications, financial institutions, or dating sites.
While a few of these sites were high profile, they typically don’t offer login pages and aren’t easy for a crook to monetize the stolen data.
Risk level for most people
So where does that leave us? In two words? Largely safe. Everything most of us use from our mobiles or while traveling on our laptops in public places is protected at a level that is incredibly hard to compromise.
Does that mean it is impossible? Clearly not. There are always risks and concerns that you may decide that it isn’t right for you, so let’s investigate reasons not to trust public Wi-Fi and what alternatives you might use to lower the risks.
Risk level for sensitive targets
Are you a high-profile target? Are you a journalist, politician, celebrity or possibly even a spy? Public Wi-Fi might just be too risky a gambit for you. In many countries mobile phone data is affordable enough to just get by without bothering to connect to Wi-Fi anyhow.
The issue can be more complicated though, what if it is the government itself you are worried could be trying to compromise your communications? You could consider a VPN, but that is complicated in and of itself. Personally, for those who need more security for their communications, whether using Wi-Fi or mobile phones I recommend the use of Tor (The onion router).
Tor is a privacy and security enhanced browser to lock out anyone who may be snooping on the wire. It can be a bit slow occasionally, but if you have reason to believe you may have advanced adversaries messing with you, Tor is the best thing we have to defend against them.
There are a few things privacy conscious people can do to make it a little safer though, and this applies to any network you might use:
- Use a password manager. Long, strong and unique passwords are essential. They also protect against phishing and machine-in-the-middle (MiTM) interception attacks
- Use DNS over HTTPS.
- In Firefox: Go to Settings -> Network Settings -> Settings -> Enable DNS over HTTPS
- In Chrome: Go to Settings -> Privacy and Security -> Security -> Use Secure DNS -> With:
- In Edge: Go to Settings -> Privacy, Search and Services -> Settings -> Use Secure DNS -> Choose a Provider
- MacOS and iOS users can use the app DNSecure
- If you are concerned about mobile banking or other sensitive information, switch over to your mobile phone data plan
Bottom line? For most people, most of the time Wi-Fi is perfectly fine. Opportunistic criminals have far better ways to compromise victims without the physical risks of having to be within shouting distance of their crimes.
Have fun. Browse Facebook, Twitter and check your Gmail all you want. Take advantage of all those online Black Friday and Cyber Monday sales while you’re on the go, you’ll be fine. And if you’re a bit more paranoid like me? Take the advice above to be a step ahead of the rest.