1 HTTP & HTTPS
Many VPN companies will try to convince you that public WiFi networks are always dangerous. Thanks to something called HTTPS, this isn’t exactly true.
HTTPS stands for Hypertext Transfer Protocol Secure. It is an encrypted extension of the HTTP protocol, a basic internet standard that allows web pages to be requested and loaded.
On top of the basic functions of HTTP, HTTPS is designed to protect the privacy and security of data in transit.
HTTPS provides encryption via TLS (Transport Layer Security), which secures the connection between a client (e.g. a web browser) and a server (e.g. example.org). This means any connection to an HTTPS website is encrypted, authenticated, and continuously checked for integrity.
HTTPS makes it much harder for an attacker to intercept communications between your browser and the website you are visiting because the data is no longer in plain text.
To check if the website you’re visiting is encrypted with HTTPS, just check the URL in the address bar. If it’s HTTPS-enabled, you’ll see a padlock in the top left-hand corner.
If you connect to a website on public WiFi that doesn’t secure itself with HTTPS, you leave yourself wide open to attack. Any third party can monitor your browsing activity, see what URLs you’re loading, and capture the data you’re submitting.
Fortunately, up to 94% of traffic across Google Services is now encrypted with HTTPS. That means the majority of websites you visit will be protected.
You can find a list of websites that are non-compliant with HTTPS here, many of which you’ll be familiar with.
2 Man-in-the-Middle (MitM) Attacks
The prevalence of HTTPS doesn’t make public WiFi completely safe. Most importantly, it won’t protect your DNS queries.
If you connect to an unsafe WiFi network, it is possible for an attacker to intercept your DNS requests and send you to an alternative server under their control. This is known as a Man-in-the-Middle (MitM) attack.
Technically, a Man-in-the-Middle (MitM) attack refers to any scenario in which a third party intercepts or alters the communication between two systems.
When a MitM attack occurs on public WiFi, the attacker is intercepting the connection between your computer and the web server you’re trying to connect to. According to a threat intelligence report by IBM, 35% of all malicious online activity begins with a MitM attack.
Man-in-the-Middle attacks can come in many forms, including:
- On an unsecure network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.
- An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.
- Hackers can fool people into revealing or changing their passwords, exposing highly personal information.
MitM attacks are popular because they are cheap, easy, and effective. All a hacker needs is a device like the $99 WiFi Pineapple — a pocket-sized device that looks like a cross between a USB flash drive and a WiFi router.
The $99 WiFi Pineapple allows virtually anyone to exploit public networks to collect personal data.
These simple devices enable virtually anyone to create a fake WiFi access point and carry out a MitM attack. They are commercially available and sold as standard in most computer hardware stores.
The Pineapple was first developed by Hak5 as a tool for penetration testers. Pentesters are hired by companies to test or attack their own network in order to highlight any vulnerabilities.
The WiFi Pineapple is able to interface with hundreds of devices at a time. Security researchers can use it to execute multiple attacks on public WiFi networks to see how they work and how to safeguard against them.
The developers even provide comprehensive guides to carrying out such attacks, and forums to help if you get stuck.
While this makes it a valuable tool for researchers, it is also a dangerous tool in the wrong hands. Attackers can easily use the Pineapple to gather sensitive personal data from unwitting public WiFi users.
Hackernoon conducted an experiment using a WiFi Pineapple and found that 49 devices connected in a single afternoon.
You can learn more about protecting against MitM attacks in the next chapter of this guide.
DNS Spoofing or “DNS cache poisoning” is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.
DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, your device first contacts a DNS nameserver, which finds the matching IP address (e.g. 192.168.1.1) for the domain (e.g. example.com) you’re looking for.
DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for “example.com”, any user trying to access that website would be sent to a different IP address specified by the hacker.
There are two main reasons why an attacker might do this:
To launch a “distributed denial of service” (DDoS) attack. An attacker could alter the IP address listed for a common domain like Google.com in order to divert a huge amount of traffic to another server. If the alternative server is incapable of handling such high volumes it can often slow down or even stop. This kind of DDoS attack can take down entire websites.
Redirection. Corrupted DNS entries can be used to divert victims to fraudulent websites. Attackers use this to send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.
Most attackers will choose to configure their own malicious DNS nameserver. They can then use several strategies to distribute DNS changer malware to a user’s computer, smartphone, or WiFi router.
DNS changer malware changes your device’s settings to point DNS queries to the hacker’s malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.
The code for DNS changer malware is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code.
Aside from your device itself, attackers can also target routers with the same DNS changing malware. Routers can override a device’s DNS settings, which is a particular threat for users connected to public WiFi networks.
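The checks a resolver applies before a reply is allowed into its cache are what stand between a poisoned cache and a clean one. The following is an added example, not code from the original guide: a minimal DNS packet builder and a validator that rejects replies whose transaction ID, question section or answer owner names do not match the query actually sent. Names, addresses and the `build_response` helper are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a dotted domain name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(txid, name):
    """Minimal A-record query: header with RD set, one question (class IN)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, qname, owner, ip):
    """Constructed reply with one A record; the owner name is a compression pointer when it equals qname."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" if owner == qname else encode_name(owner)
    return hdr + rr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))

def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                 # pointer to a name earlier in the packet
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), (off if end is None else end)
        labels.append(pkt[off:off + ln].decode())
        off += ln

def validate_response(query, response):
    """Checks a resolver applies before a reply may enter its cache; a spoofed reply must pass all of them."""
    txid, flags, qd, an = struct.unpack("!HHHH", response[:8])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not flags & 0x8000 or qd != 1:
        return False, "not a well-formed response to a single question"
    asked, _ = read_name(query, 12)
    echoed, off = read_name(response, 12)
    if asked != echoed:
        return False, "question section does not match the query"
    off += 4                                  # skip QTYPE and QCLASS
    for _ in range(an):                       # every answer must be for the name we asked about
        owner, off = read_name(response, off)
        rdlen = struct.unpack("!H", response[off + 8:off + 10])[0]
        off += 10 + rdlen
        if owner != asked:
            return False, f"answer for unrelated name {owner}"
    return True, "ok"
```

Real resolvers add source-port randomisation and, where deployed, DNSSEC validation on top of these packet-level checks; none of them helps when malware has already pointed the device at an attacker-run nameserver, which is why the resolver address itself must be trusted.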
4 Fake Hotspots & Evil Twin Attacks
Fake hotspots or “Evil Twin attacks” are amongst the most common and most dangerous threats on public WiFi connections.
An attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect.
Less sophisticated hackers may even choose names like “FREE INTERNET” in an attempt to entice people. An Evil Twin attack is very easy to pull off — you can see this seven-year-old doing it in 11 minutes.
WiFi Pineapples even include the native capacity to actively scan for the network names (SSIDs) that phones broadcast while searching for known WiFi networks. These names can be easily copied by malicious third parties.
This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a familiar network that they’ve previously connected to.
It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to dangerous free WiFi networks because they had targeted names like “I Vote Trump! Free Internet.” This cost them their sensitive data, emails, and messages.
In fact, 68% of users at the convention exposed their identities through public WiFi in some way. These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.
Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious.
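A device that auto-joins on network name alone cannot tell a twin from the original. The following is an added example, not code from the original guide, of the extra checks a client or a network administrator can run over scan results before trusting a network: the access point's BSSID and security mode are compared against the saved profile, and a name that is broadcast with conflicting security modes at once is flagged. The scan results, profiles and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # radio MAC address of the access point
    security: str     # "open", "wpa2" or "wpa3"
    channel: int

# Saved profiles the device would auto-join: SSID -> (expected security, BSSIDs seen on earlier visits)
KNOWN_PROFILES = {
    "Cafe_Guest": ("wpa2", {"a4:2b:8c:11:22:33"}),
    "Home_5G": ("wpa3", {"c0:ff:ee:00:11:22"}),
}

# Constructed scan results in the shape a scanner such as nmcli or netsh reports.
SAMPLE_SCAN = [
    AccessPoint("Cafe_Guest", "a4:2b:8c:11:22:33", "wpa2", 6),
    AccessPoint("Cafe_Guest", "02:00:00:aa:bb:cc", "open", 6),   # same name, unknown radio, no encryption
    AccessPoint("FREE INTERNET", "02:00:00:dd:ee:ff", "open", 11),
    AccessPoint("Home_5G", "c0:ff:ee:00:11:22", "wpa3", 36),
]

def audit_scan(scan, known):
    """Return [(bssid, reason)] for every access point the device should not join automatically."""
    findings = []
    seen = {}                                   # ssid -> set of security modes advertised under that name
    for ap in scan:
        seen.setdefault(ap.ssid, set()).add(ap.security)
        if ap.ssid in known:
            expected_sec, expected_bssids = known[ap.ssid]
            if ap.security != expected_sec:
                findings.append((ap.bssid, f"{ap.ssid!r}: advertises {ap.security}, profile expects {expected_sec}"))
            elif ap.bssid not in expected_bssids:
                findings.append((ap.bssid, f"{ap.ssid!r}: BSSID never seen before for this saved network"))
        elif ap.security == "open":
            findings.append((ap.bssid, f"{ap.ssid!r}: open network with no saved profile; do not auto-join"))
    for ssid, modes in seen.items():
        if len(modes) > 1:                      # one name, conflicting security modes: a classic twin sign
            findings.append(("*", f"{ssid!r}: broadcast with both encrypted and open settings at once"))
    return findings

def safe_to_autojoin(scan, known, ssid):
    """True only when the name has a saved profile and no radio announcing it was flagged."""
    flagged = {b for b, r in audit_scan(scan, known) if r.startswith(repr(ssid))}
    return ssid in known and not flagged
```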
Session hijacking is a type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts.
Attackers can use this technique to take over the connection between your device and another machine. This could be a web server, an application, or a website with a login form.
“Sessions” are temporary states established between two communicating devices. The session serves to authenticate the two parties and allows details about their communication to be tracked and stored.
Sessions are established using various authentication protocols that ensure the two parties know who each other are. This includes an HTTP “session cookie” — a file containing details about your interaction with the web server.
When you log onto a website you are assigned a session cookie. As you browse the website, your browser resends this cookie with each request so that the server can keep recognising your machine as the one that logged in.
Session hijacking exploits these cookies. The web server you’re interacting with relies on the session cookie to identify and authenticate your device — if it is stolen, the thief can also steal your identity.
The most valuable session cookies are those sent to users logging in to highly secure sites.
Armed with this information, an attacker could:
- Purchase goods in your name
- Move money between accounts
- Change your login details
- Lock you out of your accounts
Hackers can steal session cookies in various ways. Typically, they will infect a user’s device with malicious software that records their session information and sends the relevant cookies to the attacker.
On an unsecured network, attackers can also use specialized software called ‘session sniffers’ to identify and intercept your session token.
Software for sniffing is incredibly easy to access despite the fact that it is illegal to use it for eavesdropping and data snooping. Popular sniffing software from the past includes Ethereal, FaceNiff, and Firesheep.
The most effective way to protect yourself against session hijacking is to avoid unsecured WiFi networks. You are much more vulnerable to hijacking if you are sending all of your session cookies unencrypted across a free network.
Generally speaking, session hijacking should not be possible if you’re connecting to a website using an HTTPS connection, because your cookies will be protected by a layer of encryption.
That said, clever hackers can trick your browser into visiting an HTTP version of a website, in a process called HTTP spoofing, and then launch an attack via conventional methods.
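Whether a stolen-cookie or HTTP-downgrade attack can succeed depends on how the site set its session cookie and whether it told the browser to insist on HTTPS. The following is an added example, not code from the original guide, covering the HTTPS and session-hijacking points above: a small audit of HTTP response headers that flags a session cookie lacking the `Secure`, `HttpOnly` and `SameSite` attributes and a response lacking a `Strict-Transport-Security` (HSTS) header, with a constructed weak response and its hardened counterpart for comparison.

```python
def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(lowercased name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_session_protection(raw):
    """Report settings that let a session cookie travel over plain HTTP or be read by injected script."""
    _, headers = parse_headers(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no HSTS header: browser can be steered to the HTTP version of the site")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, cookie would also be sent over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly, readable by script running in the page")
        if "samesite" not in attrs:
            findings.append(f"{cookie}: missing SameSite, sent on cross-site requests")
    return findings

# Constructed responses: the weak one is what a sniffer on an open network hopes to see.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: __Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""
```

The `Secure` attribute stops the browser from ever sending the cookie over HTTP, and HSTS stops it from loading the HTTP version in the first place, which together close the downgrade route the paragraph above describes.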