How to Use Public WiFi Securely

Public WiFi is safer than ever due to HTTPS encryption and encrypted hotspots, making data interception more difficult. However, risks persist:

• Compromised hotspots may expose web activity or enable device hacking.
• Hacked routers can divert traffic to malicious website clones, stealing login details.
• WiFi operators may monitor and share your browsing history with third parties.

To learn about these and other public WiFi risks in more detail, jump ahead to the section about the real dangers of these networks.

How a VPN Provides Extra Security on Public WiFi

A VPN protects you on public WiFi by encrypting all your internet traffic. Anyone trying to monitor your browsing activity or intercept your data while your VPN is connected will only be able to see streams of meaningless combinations of letters and numbers.

VPNs can also defend against WiFi vulnerabilities, such as the recently-discovered SSID Confusion attack and other WiFi software flaws, thanks to the additional encryption they provide.

There are several steps you can take to protect your data and device on public WiFi networks, such as using a VPN to encrypt your web traffic, changing your browsing behavior, and tweaking your device settings for better security.

1. Use a Virtual Private Network (VPN)

A VPN is the most effective security measure for regular public WiFi users.

It encrypts your internet traffic, routes it through a secure tunnel, and masks your IP address, protecting against common threats.

VPNs create an encrypted tunnel between your device and a private server, preventing WiFi operators and attackers from monitoring or manipulating your traffic.

And thanks to first-party DNS servers, some VPNs also protect against DNS spoofing.

While not infallible, as VPNs can potentially be hacked, they remain an essential tool for security-conscious users on public WiFi networks.

2. Change Your Browsing Behavior

Some online activities are best avoided on unfamiliar networks, especially without a VPN. Minimizing data exposure reduces theft risk.

3. Change Your Device Settings

The following tweaks to your settings will make your devices far less susceptible to attacks:

Turn Off Automatic WiFi Connection

Stop your device from connecting to random hotspots by turning off the automatic WiFi connect feature and manually verify networks instead before joining them.

To turn off automatic WiFi connections on Windows:

1. Navigate to the Settings menu.
2. Click Network & Internet > Wi-Fi > Manage Known Networks.
3. Select any network you don’t want to automatically connect to.
4. Uncheck ‘Connect Automatically When in Range’.

To turn off automatic WiFi connections on a Mac:

1. Navigate to System Preferences.
2. Select Network.
3. Select any network you don’t want to automatically connect to.
4. Toggle off ‘Ask to Join Networks’.

To turn off automatic WiFi connections on an iPhone or Android device

1. Navigate to Settings.
2. Tap on WiFi.
3. Select any network you don’t want to automatically connect to.
4. Toggle off ‘Auto-Join’ on iPhone or ‘Auto reconnect’ on Android.

Enable Your Firewall

A firewall monitors network traffic, allowing or blocking it based on security rules to prevent unauthorized access.

Most modern computers have built-in firewalls; check to make sure that yours is active.

To enable the firewall on Windows:

1. Start > Settings.
2. Choose Privacy & Security.
3. Select Windows Security > Firewall & Network Protection.
4. Make sure the firewall is on.

To enable the firewall on a Mac:

1. Open System Preferences.
2. Navigate to Security & Privacy > Firewall.
3. Unlock the window by clicking the lock in the bottom-left corner.
4. Click ‘Turn On Firewall’.

Software Updates

Keep your devices up-to-date. Most software updates are automatic and include security patches to protect against known vulnerabilities.

However, never download updates over public WiFi, as these can be fake. Instead, check for updates on a secure, private connection.

Disable Sharing

Turn off file sharing, Bluetooth and AirDrop on your device unless you intend to use them. Having them on all the time only increases the risk of malware-infected files finding their way onto your system.

Enable HTTPS-Only In Your Browser

Modern browsers include HTTPS-Only mode, which automatically moves you to the secure HTTPS version of a website if you find yourself on the unencrypted HTTP version.

If you were previously using the HTTPS Everywhere browser extension to do this, it’s now deprecated and mostly redundant.

To enable HTTPS-Only mode in Firefox:

1. Navigate to Settings from the browser menu.
2. Select Privacy & Security.
3. Find ‘HTTPS-Only Mode’.
4. Select ‘Enable HTTPS-Only Mode in all windows’.

To enable HTTPS-Only mode in Chrome:

1. Navigate to Settings from the browser menu.
2. Select Privacy & Security.
3. Select Security.
4. Find ‘Always Use Secure Connections’ and toggle it on.

To enable HTTPS-Only mode in Edge:

1. Go to edge://flags/#edge-automatic-https
2. Enable ‘Automatic HTTPS’
3. Restart browser (tabs will be preserved)
4. Navigate to edge://settings/privacy
5. Find ‘Automatically Switch To More Secure Connections With Automatic HTTPS’
6. Select ‘Always Switch From HTTP To HTTPS (Connection Errors Might Occur More Often)’

Edge only offers HTTPS-Only as a developer feature for now. Hopefully it will become easier to use in the future.

To enable HTTPS-Only mode in Safari, simply upgrade your browser to Safari 15 or later for macOS Big Sur and macOS Catalina. The browser automatically enables its HTTPS Upgrade feature.

Enable DNS over HTTPS

As DNS resolutions happen before the HTTPS connection is established, your DNS requests remain exposed despite the additional security provided by the protocol.

DNS over HTTPS (DoH) is a technology designed to patch this security hole by encrypting your DNS queries. However, it only works if you’re using a compatible DNS server, such as Google Public DNS or Cloudflare.

In Firefox, you can enable DNS over HTTPS in the browser’s Network settings.

In Chrome, DNS over HTTPS is called Secure DNS and is enabled via Settings > Privacy & Security > Security.

In Edge, find the option in Settings > Privacy, Search and Services > Security > Use Secure DNS.

4. Enable Two-Factor Authentication

Enabling two-factor authentication (2FA) on your online accounts is very effective in protecting you against data theft.

With 2FA enabled, even if a hacker manages to get hold of your usernames and passwords, they won’t be able to log in to your accounts without additional verification codes.

Free WiFi still poses risks despite improved security. Understanding these risks helps you take necessary precautions.

Unencrypted WiFi Networks

Most public WiFi networks are password-protected and encrypted. However, free WiFi without a password is unsecured, allowing anyone within range of the network to intercept your online activity.

Even on password-protected networks, risks include:

1. Network owners can see visited websites, even with HTTPS.
2. Traffic interception and decryption remains possible, depending on security.

WEP networks use shared passwords, enabling easy decryption. WPA/WPA2-PSK networks use individual keys derived from shared passwords, improving but not eliminating risks.

WPA/WPA2-Enterprise networks generate unique per-client, per-session keys, preventing traffic decoding between users. Here, attackers would need to create fake hotspots to access data.

Although many public hotspots still use WPA2, the latest WPA3 security protocol significantly improves security on public networks through a feature called Opportunistic Wireless Encryption (OWE).

Unlike WPA2, WPA3 encrypts individual connections even on networks that don’t require a password. This prevents other users using the same WiFi from “sniffing” your data packets. Crucially, both the WiFi router and your device must support WPA3.

HTTPS vs HTTP Websites

Most websites use HTTPS, an encrypted connection that secures information between your device and web servers using TLS (Transport Layer Security).

HTTPS is an encrypted version of HTTP, which is the basic internet standard for accessing web pages, that:

1. Prevents most third parties from viewing your website activity.
2. Blocks insertion of malicious code into your web traffic.

HTTPS-enabled websites display a padlock in your browser’s address bar. While HTTPS improves public WiFi safety, it doesn’t guarantee complete protection. Vulnerabilities remain to certain Man-in-the-Middle attacks, phishing, certificate authority issues, and SSL/TLS vulnerabilities.

Importantly, HTTPS doesn’t protect DNS queries, which can be intercepted and manipulated. For comprehensive protection, we recommend using HTTPS in combination with a VPN.

HTTPS prevents WiFi providers from seeing individual pages visited, but domain names remain visible.

Most popular websites use HTTPS, but be cautious of those that don’t. Unencrypted (HTTP) traffic can be:

• Monitored by attackers
• Injected with malicious code
• Logged by WiFi providers

Based on Google’s reports, there is still a small percentage of websites that don’t default to HTTPS. For these, you should use a VPN (either an app or a browser extension) to force HTTPS.

Man-in-the-Middle (MitM) Attacks

A Man-in-the-Middle (MitM) attack occurs when a malicious third party interrupts or alters the communication between two systems.

On public WiFi, MitM attacks target the connection between your computer and the web server.

On unsecured networks, attackers can:

• Alter network traffic
• Redirect traffic
• Inject malicious content

Hackers can display fake websites, replace links, add images, and trick users into revealing personal information.

MitM attacks are popular because they’re cheap, easy, and effective. All a hacker needs is a device like the WiFi Pineapple.

These devices allow anyone to create fake WiFi access points for MitM attacks. They’re commercially available in computer hardware stores.

The WiFi Pineapple is a useful tool for researchers to test the security of WiFi networks but is very dangerous in the wrong hands. The device can:

• Interface with hundreds of devices simultaneously
• Gather sensitive data from public WiFi users
• Run SSLstrip software to convert HTTPS requests to insecure HTTP

Web servers can instruct modern browsers to use HTTPS, but this protection only activates on your second site visit.

Fake Hotspots & Evil Twin Attacks

Fake hotspots or ‘Even a 7-year old can set one up in a handful of minutes.

WiFi Pineapples can scan for SSID signals, impersonating known WiFi networks and tricking devices into connecting automatically.

WiFi Pineapples can scan for the SSID signals used by device to find and connect to known WiFi networks, then impersonate them in order to trick devices into connecting automatically.

For instance, at the 2016 US Republican Convention, over 1,200 people connected to fake networks with names like ‘I Vote Republican! Free Internet’ that were set up by Avast in a stunt to demonstrate the dangers of free WiFi. 68% of users exposed their identities as a result.

Be cautious of auto-connecting to networks, especially if the name or location seems suspicious.

DNS Spoofing

DNS Spoofing or ‘DNS cache poisoning’ is a MitM attack that diverts traffic from legitimate servers to fake ones, often exploiting unprotected public WiFi networks.

When you enter a URL, your device contacts a DNS nameserver to find the matching IP address.

DNS spoofing occurs when an attacker changes the entries in a nameserver’s resolver cache, redirecting users to a different IP address.

This allows attackers to send users to phishing sites mimicking legitimate websites, designed to capture sensitive data like usernames and passwords.

Public WiFi hotspots can be vulnerable as they are often managed by small businesses lacking the technical knowledge to maintain adequate security measures, such as changing default passwords and updating firmware.

Hackers can exploit these weaknesses to install malware on routers, redirecting DNS queries to malicious servers, enabling them to divert traffic.

Session Hijacking

Session hijacking is another MitM attack that grants attackers full control of your online accounts. The risk has decreased with the widespread adoption of HTTPS.

‘Sessions’ are temporary states between communicating devices, such as your device and a web server, established using authentication protocols.

When logging onto a website, you’re assigned a session cookie containing details about your interaction with the web server. As you browse, the server requests this cookie for authentication.

Session hijacking copies these cookies to impersonate your device and steal your identity, targeting valuable cookies from secure websites like banking or shopping platforms.

On unsecured networks, attackers use ‘session sniffers’ to intercept session cookies. This software is easily accessible, despite being illegal for eavesdropping and data snooping.