Last week, Jeremy Wheeler blogged about the perils of public charging stations. This got me thinking about some of the other ills of convenient, public life. One glaring convenient evil jumped out at me — public WiFi.
We have all been there. You’re on your laptop or tablet, and you have to get some work done. Or you desperately need to set your fantasy football lineup. Or you need to get an e-mail out. Whatever the circumstance, your only choice for connectivity seems to be the coffee shop’s free public connection. So you do what’s natural – you connect, get the task finished and move on with your day.
So what’s wrong with that?
When you connect to someone else’s Internet connection, you’re not just connecting to the Internet – you’re connecting to the network of someone who has been kind enough to route your requests to the rest of the world. But what’s to say they’re not inspecting your traffic on the way? What’s to say they’re not capturing your e-mail traffic? What about your web browsing habits and history?
What’s worse is that the connection you’re using may be an explicitly malicious connection. There are inexpensive devices which can mimic the name of any network the owner chooses. In the hands of a clever owner, these devices can trick you into connecting to them. They can also present malicious pages to you, with the intent of capturing your passwords. They can even decrypt some of your encrypted network traffic with a certificate “man-in-the-middle,” if you’re foolish enough to click through some annoying pages in your browser. Or they can slurp your e-mail traffic, even capture your e-mail password. For me as a security professional, these devices are critical tools of the trade that I can use to help find vulnerabilities in a security plan. But not everyone is as benevolent as I am.
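One way to spot the name-mimicking access points described above, as an added example that is not part of the original post: compare what a scan sees against the security settings you already know a network should have. The scan records, field names and saved-profile table are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: security type saved for networks this laptop has
# joined before, and what a Wi-Fi scan reports right now.
KNOWN = {"CorpNet": "WPA2", "HomeNet": "WPA2"}
SCAN = [
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:02", "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:03", "security": "OPEN"},
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:00:00:04", "security": "WPA2"},
]


def find_suspect_networks(scan, known):
    """Return {ssid: [reasons]} for network names that look mimicked."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        expected = known.get(ssid)
        if expected:
            # A saved network should never appear with different security.
            for ap in aps:
                if ap["security"] != expected:
                    reasons.append(
                        f"{ap['bssid']} offers {ap['security']}, "
                        f"saved profile expects {expected}"
                    )
        else:
            # Several access points sharing a name normally share one setting.
            seen = sorted({ap["security"] for ap in aps})
            if len(seen) > 1:
                reasons.append(
                    "same name advertised with mixed security: " + ", ".join(seen)
                )
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_suspect_networks(SCAN, KNOWN).items():
        print(ssid, "->", "; ".join(reasons))
```

A copy of an open network that matches its name and settings, like the two CoffeeShop entries here, passes this check, so the name alone never proves which network you are on.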
But I have to get my job done. What can I do instead?
I can sit back all day and pontificate about never connecting anywhere, ever. But that’s not realistic. Here are a few simple steps that can keep you safe(r).
- Connect to your phone. If your mobile device can support it (which most can now), use your purchased network to eliminate the man-in-the-middle. The downside here is that you’re consuming the ever-precious metered network traffic from your provider, and it can get pricey.
- Encrypt traffic wherever possible. This includes ensuring that the critical pages that you visit, especially ones that require a password, start with “https://”. If your e-mail provider supports it, encrypt your traffic to them as well. This is becoming a more prevalent option than in the past. Hopefully your provider is keeping up. If not, don’t check your e-mail over a public WiFi connection. Use your non-WiFi connected phone.
- Don’t click through those browser certificate errors! If your browser is saying that “The site’s security certificate is not trusted!”, trust that the browser is looking out for your best interests. Don’t add an exception unless you understand that this means the encryption will no longer protect your traffic. Anyone with a little know-how can get at it, including the benevolent owner of that wireless access point you’re connected to.
- If you’re doing company business and if your company offers it, make sure you connect via VPN before you do anything important. This will create an encrypted connection for your traffic back to the company’s protective border. If your company doesn’t have a VPN or a protective border, send a link to this blog over to your IT department and have them click on the “Contact Us” link above. We like new business.
The bottom line is – if you don’t own the network, you cannot trust it. Encrypt or evade it. Those are your only options. It adds some annoyance, but it’s well worth it. Surf safely, my friends.