Hotel, pub, library, airport, train, city center – in all these places we can find free wireless internet access. Will it be safe to use such a service? Will someone break into our bank account, Facebook, e-mail? Won’t he steal photos or text messages from the phone?
Is public Wi-Fi safe?
It is difficult to answer this question in an explicit way. Nevertheless, If we had to answer this question based on a case study of the average internet user, the best answer would be “no, it is not safe” or at least not safe enough for us to use it in a careless way.
It is worth mentioning, that nowadays lots of IT guys would sometimes have a different opinion. Usually, it is said that all traffic goes over HTTPS, so it is encrypted and impossible to overhear or manipulate. However, there are several aspects to consider when discussing the security of public Wi-Fi networks worth dealing with them in this text.
(In) security of public Wi-Fi networks and HTTPS encryption
The fact that today all traffic is encrypted using the HTTPS protocol is still a strong generalization. Perhaps this is mainly the point of view of security professionals who cannot imagine it being otherwise. However, it is important to keep in mind that the configuration of network services is not always done by security experts. If you want to try, in one moment you could find a lot of login forms available over HTTP on the Internet. According to our research, in this group representatives of smaller and larger businesses, e-commerce, health care, and education can be found. Both domestic and foreign websites.
Users of all these systems might feel disappointed after using the public network, hearing that it is secure.
Internet is not only “WWW”
Let’s assume, that our user is a bit smarter and knows that he should not log on to the site without the “padlock”. Can we then assume that the public Wi-Fi network will be safe? Unfortunately not. We should remember that the Internet is also a whole bunch of network services and protocols other than www. Some of them we are not even aware of. Our computers and smartphones have a lot of services and applications installed in the background that communicate with the cloud, synchronize, make backups, etc. Can the average computer or phone user declare with confidence that all these services communicate in a safe way? Definitely not.
It is not public networks that pose a threat, but the intruders appearing there
Of course, the web will not hurt us by itself. But remember that Wi-Fi is a medium that can be accessed by anyone within its range. And even if it is not an open network, the fact that it will be password-protected does not change much in terms of security. After all, if it’s a public network, the password will be shared somewhere.
So if such a network can be accessed by someone with malicious intent, which we cannot exclude, then we must also take into account the popular attacks that he may use. And here intruders have a lot of room to show off. Even an amateur hacker will be able to launch a man-in-the-middle attack by poisoning the ARP tables of network users or by using the WPAD mechanism.
Okay, how someone could capture encrypted traffic?
It depends on his creativity and knowledge of the characteristics of various protocols. Perhaps one of the victims will use the STARTTLS method to connect to the mail server (after all, it’s a secure, encrypted connection). If so, it’s 1-0 for the intruder, because STARTTLS is not as safe as it might seem.
With a bit of luck, there will probably be a percentage of users who will accept the left-swapped certificate (because the admin in the company showed how to add an exception by connecting to some local system).
Another risk that should be taken into account is the possibility of spoofing responses from DNS servers. The intruder can redirect us to a fake Faecbook, Gmial or a fake bank. There will even be a padlock in the browser bar because probably some people did not notice the typos in the words Facebook and Gmail in the previous sentence.
Also, what if we connect to the public network a device that for some reason did not have any of the critical updates applied? It was defended by a firewall at the company, but in a coffee shop where someone conducts security tests, things can get complicated.
Public networks that require registration
Many public wireless networks do not open to the Internet right away but need to be logged in first. Windows knows this because after establishing communication, it tries to find the address dns.msftncsi.com in DNS and check the content of the page http://www.msftncsi.com/ncsi.txt (HTTP protocol is used on purpose). Different from the expected IP number or different from the expected content of the site almost always involves the necessity to click through some form.
As long as it is a statement that you will be using the Internet in accordance with the law and you promise not to disturb others, that’s OK. Asking for an e-mail? It will almost never be checked, any way you can provide any address from the temporary e-mail service.
Worse, when you deal with paid Internet access – often the only method of payment is a payment card. The commonly used fast transfers are out of the question because… they require internet access for which you are just planning to pay.
Tip: if you use paid public networks and their providers do not inspire your trust, use the service of single-use virtual cards powered by small amounts. If the provider publishes an instruction on how to add a security exception to open an untrusted website – run away without paying.
If you are more interested, in how to do your best in order to stay safe in public Wifi, follow us, soon new advice will be posted.