"Some believe that simply ensuring the use of HTTPS while searching websites, especially for public Wi-Fi, ensures complete safety from hackers who might steal banking information, passwords, and personal data. Isn't public Wi-Fi hacking a concern of the past?" - Anon
Thoughts...
Maybe you've thought about this, maybe you haven't.
To answer the question in short: no, public Wi-Fi is not "safe", regardless of whether it's a secured or unsecured network.
The potential dangers of using public Wi-Fi, such as the risk of having your banking information, passwords, and personal data stolen, should be a cause for concern. You may not have suffered any breaches (to your knowledge), but that cannot be any reasonable person's yardstick for safety.
I know people who often drive without a seatbelt and have not yet suffered any accidents... Do you see where I'm going here?
Most public Wi-Fi networks either don't require a password or use weak encryption, making it easy for cybercriminals to intercept your data through man-in-the-middle (MitM) attacks.
On a Saturday a few years ago, I was sitting in Starbucks waiting for a friend when I glanced over my shoulder to see a 20-something-year-old man performing some bash scripting on Kali Linux - I have no idea what he was doing, but I do know that Starbucks had public Wi-Fi.
Even with a password, older encryption protocols like WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) have known vulnerabilities that can be exploited. To be honest, you shouldn't even be using these anymore; I'd stick to WPA2 (Wi-Fi Protected Access 2).
Having said that, in 2017, a vulnerability called KRACK (Key Reinstallation Attack) allowed hackers to exploit the four-way handshake WPA2 encryption uses to establish an encrypted connection.
The preferred option, however, is WPA3, where it's available.
Session hijacking (or cookie hijacking) is another popular activity hackers love to do where they can, and public Wi-Fi will always be a prime location for carrying out black hat activities. The myth of HTTPS as a silver bullet to protect from all attacks is nothing but laughable to a skilled hacker.
Sure, HTTPS is great for encrypting data in transit, among a couple of other things. But it can't protect against malware being injected into the website or transmitted through the connection. It can't protect against server-side vulnerabilities like SQL injection or cross-site scripting (XSS). It can't protect against DNS attacks like DNS spoofing. It can't even fully protect against MitM attacks! It just makes it more difficult.
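One reason HTTPS alone does not stop session (cookie) hijacking on a shared network is that a session cookie set without the Secure attribute is also sent over plain HTTP. The following is an added example, not part of the original post: a small Python check that audits a site's response headers for missing cookie flags and a missing HSTS header. The header values and the function name are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: response headers from a hypothetical site, as (name, value) pairs.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Constructed sample: the same site after hardening.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]


def audit_headers(headers):
    """Return a list of findings about cookie flags and HSTS (hypothetical helper)."""
    findings = []
    names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in names:
        # Without HSTS the browser may still attempt a plain-HTTP request first.
        findings.append("no HSTS header: plain HTTP requests are still possible")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                # A cookie without Secure is attached to unencrypted requests too.
                findings.append(f"{name}: missing Secure, also sent over plain HTTP")
            if not morsel["httponly"]:
                # A cookie without HttpOnly can be read by script running in the page.
                findings.append(f"{name}: missing HttpOnly, readable by page script")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```
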
How can we improve our security posture when we're out and about?
The concept of Defence-in-Depth springs to mind! Implement as many of the following measures as possible to reduce the attack surface.
Use a VPN: These make it even harder for a "man" to be in the middle of your communications with the server.
Avoid Sensitive Activities: Think. It may not be a good idea to be accessing sensitive information from a public Wi-Fi connection.
Use Secure Connections: HTTPS-only connections. I know I've just criticised them, perhaps harshly, but they are still strong for Encryption, Authentication, and Integrity.
Software Updates: Don't ignore the notifications; it could cost you. Update your operating system, browser, and antivirus software if you have it.
Multi-Factor Authentication (MFA): Wherever possible, enable MFA to add an additional layer of security.
Have Wits: Simply, if a public Wi-Fi network seems suspicious to you or has weak security, move on.
In the end, it's not about whether public Wi-Fi is safe or not. It's about understanding the risks and taking proactive measures to protect yourself because the convenience of public Wi-Fi comes with a price: your security.