Is public wifi safe to use?
They are everywhere: cafés, bars, train stations, hotels and sometimes even the beach or a ski resort. Public wifi has become an increasingly common necessity in our lives.
But is it safe to connect to public wifi? Is my data protected? Will I be more susceptible to hacking and phishing attacks? I will try to answer these questions for you, first briefly and then in more detail. You can go as deep into this privacy subject as you like. Get curious and read on!
Briefly: Yes, you can be safe on public wifi
Before we consider risks and protective factors, let’s see what we consider as “unsafe” or “insecure”. Your most prevalent fears might be that your data will be stolen or accessed by others. Data in this case refers to the data saved on your device (laptop or phone) or the data that is transmitted via the public wifi as you access online content.
The data saved on your device is very safe. As long as you install system updates frequently, it is almost impossible for someone on the same network – private or public – to access data on your device.
When it comes to transferring data, the best way to stay secure is to make sure your connections to websites and apps are encrypted. Fortunately most websites and services make sure any data transfers are secured by encryption automatically. You can confirm that your connection is encrypted by checking that the website's connection is secure and that the certificate is valid.
You can do this by checking that the URL starts with https:// (note the ‘s’) or by viewing the website information next to the browser URL.
Stay safe on public wifi:
- double check that you are on the correct and official website (look for small typos and mixups, e.g., bank.co.com instead of bank.com)
- confirm that the website address starts with https:// (in contrast to the insecure http://); you can configure most browsers to always use secure connections
- never accept insecure connections if your browser shows a warning
- never install additional software to connect to a network (for example, sometimes a public wifi network wants you to install “special” software, like a login tool; do not install it, it might be malicious!)
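The first two checks in the list can also be done in code. The following Python sketch is an added example, not part of the original article; the expected domain set and the sample URLs (including the placeholder evil.example) are assumptions constructed for illustration. It shows why the host has to be compared exactly rather than "by eye":

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually mean to visit ("bank.com" is the article's example).
EXPECTED_DOMAINS = {"bank.com"}

# Constructed sample URLs; evil.example is a placeholder, not a real site.
SAMPLES = [
    "https://www.bank.com/login",       # genuine subdomain
    "https://bank.co.com/login",        # the look-alike from the list above
    "https://mybank.com/login",         # ends in "bank.com" but is a different domain
    "https://bank.com@evil.example/",   # text before '@' is a user name, not the host
    "http://bank.com/login",            # right host, but unencrypted
]

def check_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of problems; an empty list means the URL passes the checks."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        problems.append("userinfo before '@' hides the real host")
    # Accept the exact domain or a true subdomain (note the leading dot), nothing else.
    if not any(host == d or host.endswith("." + d) for d in expected):
        problems.append(f"unexpected host {host!r}")
    return problems

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_url(url) or "ok")
```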
Diving into the details
The protocol that enables the automated encryption of information passed between your device and the websites you are accessing is called Transport Layer Security, also referred to as SSL/TLS. As long as you are sure that you are communicating with the correct and trusted server, you can be sure that nobody can decrypt and read the contents of your networking traffic.
But how can we be sure that nobody faked the website and redirected us to a malicious server? The mechanism that enables this trust is called certificates. Websites use certificates to prove that the server you reached is actually the trustworthy endpoint of the requested connection. In practice, the website owner requests a certificate for her domain, for example “datacurious.com”. After the ownership is confirmed, the certificate is issued by an authority. Through a sophisticated system, anyone can now check the certificate, while nobody can copy or fake it.
You may have seen a “this connection might not be secure” warning from your browser. This warning was likely caused by a failed certificate check. Unless you are 100% sure that you are communicating with the correct server, never bypass these warnings!
There is very little difference between public wifi networks being open or using a password to connect. The encryption that keeps you safe is the SSL/TLS protocol from your browser or apps to the website. Although it might be easier for malicious users to connect to an open network, asking for the wifi password at a public café is not exactly challenging. Devices on a network that are not using SSL/TLS or similar encryption are vulnerable when a malicious user gains access to the network.
For advanced protection, for example when accessing sensitive data on banking websites, it is still advisable to use a VPN tunnel as an additional layer of protection. When using a VPN, all networking traffic is routed through an encrypted tunnel, independent of the SSL/TLS encryption, where contents are additionally protected. Make sure to choose a trusted service provider when opting for a VPN connection.
Expert knowledge
The certificate check mentioned above is done in the TLS handshake at the very beginning of any secure connection. Your phone or computer performs hundreds of these exchanges every day.
Computers use very clever public/private key cryptography to make sure that the identity of the server can be validated and cannot be faked. In the first step, the client device requests a secure connection to the server, which sends over its certificate and a public key. The certificate is signed with the private key that only the trusted website owns. Devices have a list of trusted certificates, and the website's certificate is accepted only if it is authentic (this is checked via the public key) and signed by a trusted authority.
For this whole process, the signing authority does not need to be contacted directly; only the pre-installed root certificates are used. This makes sure that the authenticity check cannot be intercepted and manipulated.
After this handshake, a session key is generated that encrypts the transmitted data via a symmetric key algorithm.
In addition to securing network traffic, as an expert you should make sure that your firewall is enabled and configured correctly. If, for example, you are developing a local application, open local ports might be accessible to anyone on the public network. Make sure to close these ports when using an untrusted network, or configure a firewall rule.
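To see which local ports would be reachable by others on the network, you can review the listening sockets before joining. The following Python sketch is an added example, not part of the original article; it assumes the output format of the Linux command `ss -ltn`, and the sample output is constructed, not captured from a real machine. It flags every TCP listener that is not bound to a loopback address:

```python
import ipaddress

# Constructed sample of `ss -ltn` output (Linux); not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511                *:3000             *:*
LISTEN 0      4096           [::1]:631           [::]:*
LISTEN 0      128     192.168.1.23:8080       0.0.0.0:*
"""

def exposed_listeners(ss_output):
    """Return (address, port) pairs for TCP listeners reachable from the network."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[3].rpartition(":")
        # Drop an interface scope such as "%lo", then the IPv6 brackets.
        addr = addr.split("%")[0].strip("[]")
        # "*", 0.0.0.0 and :: mean "every interface"; any non-loopback address
        # is likewise visible to other devices on the same wifi.
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, int(port)))
    return exposed

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"port {port} is listening on {addr}: close it or add a firewall rule")
```

A development server bound to 127.0.0.1 instead of all interfaces does not appear in this list, which is usually the simplest fix.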
Conclusion
To summarize, we can use public and untrusted networks as long as we make sure to have some protections in place. The most important ones are using encrypted connections via https:// only, never accepting untrusted certificates and installing security updates regularly.
A VPN can be used if additional security is desired or very sensitive data is transferred.
Thanks to Miho Nakayama, Tye Rattenbury, and Jessica Traynor
Data Curious is a public resource supported by Good Research LLC in collaboration with the Center for Digital Civil Society at University of San Diego.