TL;DR

• Public Wi-Fi networks have been labeled as a security and privacy danger for a long time

• If not used carefully, the risk of getting your data compromised is real

• A lot has changed since the old WEP times and today, not because of Wi-Fi but how internet has evolved, using public Wi-Fi networks is a lot less risky

• Public Wi-Fi shaming comes from the VPN companies themselves, looking to add fear to the user

• Modern public Wi-Fi networks use systems to increase security such as network isolation. You can also take measures to improve your security

• If you have good 4G (with enough data), it’s better to use it anyway

First of all, what can happen?

Below a non-exhaustive list of the most common attacks that can happen on a public Wi-Fi:

• Man-in-the-middle- the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other (can also include a more specific attack, called a Replay attack)

• Packet sniffing - data flowing across the network is detected and observed

• DNS lookup hijacking - the attacker changes the config of the DNS lookup address in the network and you’re redirected to another website

• Port scanning / direct attacks: attackers in the same network try to see which ports are open on your device and try to connect (Remote desktop, ssh, etc.)

Are all public Wi-Fi networks inherently dangerous?

No, not really and the main reason is that nowadays, places like airports and coffee shops (Starbucks and alike) use modern technologies that isolate every device in the network and prevent attacks coming from network sniffing. This means that if an attacker is connected to the same public network as you, it would not be possible to reach your machine.

This means that well done, professional Wi-Fi networks would be able to mitigate a good part of the risks above, but it doesn’t mean you don’t have to take measures.

So the networks are supposed to be better, but the risks are still there, what measures can I take?

Let’s look again at the risks and try to find some solutions:

• Man-in-the-middle: mitigated by the certificate authority by the browser or in mobile apps. Browser will issue a warning if not valid.

• Replay attacks: typically addressed to login systems such as OAuth, however tokens expire and good sites will use nonces

• Packet sniffing on open networks - mitigated by HTTPS

• DNS lookups are plain text but it's possible to activate DNS over HTTPS

• Port scanning / direct attacks: device firewalls lock ports by default; patched machines help prevent this

• Email (SMTP) and other protocols are encrypted as well to prevent snooping

A word of advice regarding emails:

Make sure your Mail client is configured using encryption, otherwise it will fetch email unencrypted. This would make the emails readable in a network sniffing scenario.

General recommendations

• Activate MAC randomization (Windows documentation)

• Enable DNS over HTTPS

• Enable HTTPS only (HSTS check) in your Browser (how-to Chrome here, Firefox here). You’ll be surprised to see how many websites get this wrong.

• Make sure a firewall is enabled

• Make sure all OS patches are installed (good advice for everyone, nothing to do with public Wi-Fi itself)

What about the VPN Companies?

Most of the "shame on public WiFi" comes from marketing stunts from VPN companies. Sure HTTPS and DNS over HTTPS is not enabled everywhere, but it's not clear that routing all your traffic to a VPN provider (specially if free) is better than not having it. It just moves the threat model from the public Wi-Fi to the VPN provider

Moreover, it’s not uncommon that even the VPN providers are involved in data leaks and privacy issues. Recently, a number of providers had issues with HTTPS certificates. At the end of the day, when you use a VPN, you’re just transferring your risks from your Wi-Fi, to the VPN provider. The question is turned to: which one do you trust most?

This is not a yes/no answer

One can argue the majority of these measures can be circumvented, but that would either require a lot more elaborate attacks or changes on things you can’t control. For example:

• Not every internet protocol is encrypted by default (some websites are still HTTP only)

• Your email client may be using unencrypted POP/IMAP

• Software on your computer could be opening TCP sockets without your knowledge

• Network isolation doesn’t prevent packet sniffing

If you're visiting HTTP sites, if your Operating System doesn't use DNS over HTTPS, if you have un-patched vulnerabilities exploitable by same subnet attackers, and if you question the quality of the Wi-Fi installation, then yes, it is dangerous. Now, is it dangerous enough to:

• Use a VPN? Yes, if the VPN is free, trustworthy, and and allowed in the public Wi-Fi (some airports don’t allow this)

• Not use the Wi-Fi, and instead pay for data/roaming? Sometimes you don’t have a choice.

Topics covered:

• Public Wi-Fi

• HTTPS, DNS Over HTTPS

• DNS resolution

PS This report is part of my personal research. If you think something is wrong or could be improved, send me a Tweet.