Exactly how secure is public WiFi?

By Alex Nuttgens on 2nd Aug 2017

Here in Team Digital we recently had a discussion about exactly how secure public WiFi is (life in Digital can get pretty intense!). The debate centered around whether a public, but trusted, WiFi provider was essentially secure if you were only accessing sites with HTTPS enabled. The answer is, as with so many things, both “yes and no”…

First up, make sure you’re using HTTPS

HTTPS is the same language your browser uses to talk to websites, but wrapped in encryption. When a site’s address starts with ‘https://’, your data is encrypted so that only you and the server you’re talking to can read it. HTTP is the same language without any security: on an ‘http://’ site, everything you send over the internet is plain text, readable by anyone who can pick it up. Over a wired connection that is already insecure, since every router and device the message passes through on its way across the internet can potentially read it. Over public WiFi it’s particularly bad, because every other device in range receives the same radio signals, so any of them can read what you’ve typed.

Wait a minute, isn’t the traffic between my PC and the WiFi encrypted anyway if there’s a WiFi password?

It is, but it doesn’t provide that much protection. Everyone on the network uses the same password, so a hacker who is listening to all communication between your phone and a public router can capture the messages your laptop/phone and the router exchange to set up the encryption, recover the encryption key, and read your traffic. A developer I know set out to prove this. They set their laptop to scan the public WiFi on a train, and found one user who sent his work email and password over HTTP in plain text. At that point my colleague could have had complete access to everything that user had access to, which very likely included private information. Using HTTPS would have completely protected this data.

Let’s say you’re connected to public WiFi in Starbucks. As long as you know you’re on a respectable provider’s public WiFi, and you’re using HTTPS, you’re reasonably secure. There’s a problem though – how can you be certain who you’re connected to? It’s very easy to set up a WiFi network which looks exactly like a legitimate one, so what you think is Starbucks could be a random hacker a couple of tables over seeing what they can get out of customers. Scary stuff. (If you’re trying to sign in to your office WiFi and there’s a suspicious-looking network on the list, or too many versions of an existing one, it is possible that someone, perhaps in a nearby building, has set up a spoof network, so it’s worth reporting anything suspicious to IT.)

Doesn’t HTTPS protect me anyway?

Well, if a hacker has gone to the trouble of pretending to be the Starbucks network, and you’re connected to them, their fake network is the only thing telling your computer what it sees on the Internet, so they can pretend to be the site you’re talking to. They read the information from the real site and pass it on to you, posing as that site. You set up what looks like a secure HTTPS connection, but you’re now communicating securely with the hacker, not the site you were trying to reach, and they can read everything you send. Not ideal! The one thing standing in their way is that they can’t produce the real site’s certificate, so your browser will complain that the certificate is invalid; the trick only works if you click past that warning.

Remembering to check that you’re on an HTTPS site every time you enter something sensitive is hard, so here’s a browser add-on to help: HTTPS Everywhere, from the very well regarded Electronic Freedom Foundation, forces your browser to use HTTPS, and warns you if the site you’re on can’t provide it (thanks to Matt for the link!).

Our advice

Don’t send highly sensitive information over publicly accessible networks, and don’t send anything over a WiFi network that didn’t ask for a password when you first joined it. Such networks are rare these days, but they’re so insecure that you should be immediately suspicious of them. Also, if you’re dealing with sensitive information, always make sure you’re browsing a site which displays ‘https://’ in the address bar and not ‘http://’. Most browsers also show a padlock and/or the word “Secure” next to it when this is the case. If your browser complains that an HTTPS site’s “certificate is invalid”, do not trust that site.
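To show why that last piece of advice matters, here is an added example (written for this page, not code from the original post or from any browser vendor): it builds the kind of self-signed certificate a fake hotspot could present for a site it doesn’t own, then runs the same chain-of-trust and hostname check a browser performs before showing the padlock. The names impostorCert and BrowserCheck are mine, and the host name passed in is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// impostorCert builds a self-signed certificate for host, which is all a fake
// hotspot can present for a site it does not own: no trusted CA will issue one.
func impostorCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserCheck runs the chain-of-trust and hostname checks a browser performs
// before it shows the padlock. clickThrough=true models trusting the impostor's
// certificate anyway, which is what dismissing the warning amounts to.
func BrowserCheck(host string, clickThrough bool) error {
	cert, err := impostorCert(host)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{DNSName: host} // Roots nil = the system trust store
	if clickThrough {
		opts.Roots = x509.NewCertPool()
		opts.Roots.AddCert(cert)
	}
	_, err = cert.Verify(opts)
	return err
}
```

With verification left on, BrowserCheck returns an error for the impostor’s certificate; only by adding that certificate to the trust store does the check pass, which is exactly what clicking past the warning does.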

For semi-private stuff like Facebook and Twitter, you’re probably okay using password-protected public WiFi, as long as you’re as certain as you can be that you’re signed into a real network, and you’re browsing an HTTPS site. Coffee shops where you trust the owners, where you have checked you’re on the right network, and which your phone/laptop now auto-connects to, are a good example of these somewhat secure providers. Finally, don’t forget: your network security can be as strong as you like, but if you’ve written a password down somewhere others can see it, or someone can look over your shoulder, you’re still not secure.