SECURITY: How secure are Public WiFi hotspots?

One question that keeps coming up on public forums, and which people are commonly confused is “How secure are public WiFi Hotspots?”.  In other words – if you are out and about and can get unsecured WiFi access, how safe is it?

Secure / Unsecure WiFi

Part of the confusion is the terminology in use – such as “Secure Wifi” and “Unsecure Wifi”.  These terms do not necessarily relate to if the use of the wifi is secure or not – only if the connection TO the WiFi network is secured or not.

Secured Wifi, this simply means you can access the WiFi network only if you have the correct password (key) and that all data transfer between your laptop and the WiFi access point is encrypted

Unsecured WiFi, this simply means the connection between your laptop and the access point can be made without a key and the data transfer between your laptop and the WiFi access point is not encrypted.

Now on the face of it, “unsecured” looks dangerous to use.  However in reality only the data communication between your laptop and the access point differs, and really this bit doesn’t really matter.  The chances of someone sitting near you scanning the WiFi and trying to get your data is really very low as they have to be within range of the same access point.  If the access point owner was the hacker, then they could easily access all data sent between your laptop and the access point anyway.

Eh!?  Sounds unsafe!?

Not really!  If you for instance go to your On-line Banking site, then the your Internet Browser will establish a HTTPS secure and encrypted link between YOUR LAPTOP and the ONLINE BANK.  (This is shown by a picture of a PADLOCK on your browser).

Thus all data transfer between your LAPTOP and the WEBSITE (including to/from the  WIFI ACCESS POINT) is encrypted regardless of a “secure wifi” or “unsecured wifi” connection and thus even if someone intercepts all data then they still can’t access the data.

So as long as you are over an HTTPS link then any WiFi is safe to use

Is everything safe?  Like eMail?

That depends.  If you access your eMail via your web browser (like googlemail) – then you can make sure you go to which is their secure site and in the same way as the bank, then yes everyting is secure.

If you however use Outlook or Windows Mail on your computer to allow you to “Send & Receive” and keep emails locally, then it depends on how its set up.  If you are simply using POP3 then NO – it is not secure as POP3 is an unsecured protocol and sends data in clear text.  If you have POP3 over TLS (as per picture) then yes the eMail is secured as the “TLS” encrypts it.  Most home eMail setups are not secured and transmit the eMail password and emails in “clear text” that can, theoretically, be read by anyone listenning in.  That said I’m not aware of anyone being exploited by this even though its easy to do if you are on the same network.

So personally I’d not worry much, but I would always recommend using POP3 over TLS just to negate the risk at home or on a wifi connection.

Other protocols, such as FTP for updating websites, also send their username/password in clear text and is easily readable by any “scanners”.  You should therefore switch to secure FTP or just be aware that this could happen and restrict the FTP account to basic access rights.

Finally, any usernames/passwords you enter in normal websites such as Forums etc may also be sent in clear text – thus it is CRITICAL you do not use the same passwords for both secure systems (e.g. banks) and insecure systems (e.g. chat forums)

What about Internet Cafes?

In internet cafes I would always try and use my personal laptop on their connection.  Most are fine with this.

If you have to use THEIR computers, I’d recommend NEVER to access secure sites such as banking sites.  It is a TRIVIAL matter for the owner of the Internet Cafe or a previous customer to install something that records your keystrokes and even record your entire session, and thus may be able to access anything you accessed once you’ve left. 

So my recomnmendation is Internet Cafes are fine for light and general internet use, but do not use them for anything you consider secure if at all possible, and never for Internet banking.

Make sure Firewall is on!

All this advice is based on the firewall being on!  This is essential otherwise your computer could be at risk.  See this article to see how to check if your firewall is on or not.