Open Public Wi-Fi: How To Stay Safe - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Mobile & Wireless
Commentary
2/28/2013
10:48 PM
Larry Seltzer
Larry Seltzer
Commentary
Connect Directly
Twitter
Facebook
Google+
LinkedIn
RSS
E-Mail
50%
50%

Open Public Wi-Fi: How To Stay Safe

Open public Wi-Fi networks are still very common in coffee shops like Starbucks, public libraries and other common areas, yet using them can compromise the confidentiality of your communications. We do have many ways for you to protect yourself, some stronger than others.

Using open public Wi-Fi networks is dangerous business; if you're not careful, your communications are open to everyone else on the network. But there are ways to protect yourself. If you have the option, you should use an encrypted network. In the alternative, if you use an open, unencrypted network, use a virtual private network to protect your communications. Failing even that, be sure to use only HTTPS sessions.

Beware those without the lock icon (click image for larger version)
When you look at a list of available Wi-Fi networks, like the one nearby, there are basically two types: those that are encrypted (with the lock icon) and those that are unencrypted.

If you connect to an unencrypted network all of your traffic is open for all the world to see, unless you take other measures to encrypt it. On such a network, all users can see all other users' traffic. Worse still, other users can hijack your session and communicate with the website you were on as if they were you, or redirect your computer to a site you didn't intend to visit. These attacks, while not strictly new at the time, were made widely known by the release of Firesheep, which made it easy to do.

Even if you are forced to log in to a web page or check a box after you connect to an open network, your traffic is not being encrypted. The login merely controls your access outside the wireless gateway to the Internet.

There are three main encryption standards supported by the networks with the lock icon: WEP, WPA and WPA2. WEP is an old and broken protocol, easily cracked. WPA is strong, but WPA2 is the state of the art. A properly-implemented WPA2 network gives you protection strong enough for all but secret agent work.

But even more important, both WPA and WPA2 support session isolation. Other users on the network can't see your traffic. For this reason it's better to offer a WPA2-protected network and publicize the password, perhaps with a big sign on the wall, than to offer open Wi-Fi. Another possibility is to include the password in the SSID, such as "WiFi-pw-is-ChakaKhan."

What if encrypted Wi-Fi isn't available? Your best option is to use a VPN or Virtual Private Network. Most users who have a VPN get access to it through their business, but there are private VPNs for individuals, too. Many are free or low cost. I use HMA! Pro VPN (HMA stands for Hide My Ass). It has a free web proxy and there are free VPNs, but I pay for the Pro version of HMA because I like the fact that it protects my entire network stream. Any application I use that communicates on the Internet uses strong encryption talking out to its network, at which point it is proxy-ed out to its final destination. The site I'm talking to doesn't know who or what I am based on network traffic; it only sees HMA's network, so I'm also anonymous to these other parties.

The other option you have on an otherwise open network is to make sure to use HTTPS websites only. When you use HTTPS, all communications are encrypted using TLS/SSL. Well, almost all. Sometimes a site will say HTTPS and you'll get the lock icon, possibly even an EV-SSL site with the green address bar, but some elements on the page, such as some graphics, are transported on HTTP. This is an opening for an attacker.

Back when Firesheep came out, many large and popular websites like Facebook and Twitter offered HTTPS, but didn't force it on users. Since then both have changed to switch the user to an HTTPS session if they attempt to connect to HTTP.

After Firesheep, a standard was also developed for web servers to force clients to interact with them only over HTTPS.HSTS (HTTP Strict Transport Security) is implemented through the HTTP header "Strict-Transport-Security," but I can't find any good numbers on how widely it is implemented. The Qualys SSL Server Test allows you to test an HTTPS server for many characteristics, including support for Strict Transport Security.

So you have many ways to ensure that when you are surfing in dangerous waters the sharks don't see you. One day our systems will be built to default always to secure configurations, but we're not there yet. We do know how we can protect ourselves and it's our job to do it.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
Commentary
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll