Thursday, February 28, 2013

Open WiFi Networks and (Lack Of) Security

I get asked a lot these days about open WiFi hotspots and whether they are secure. Examples would be certain hotels, restaurants, etc. My short answer: these days many are not secure and, regardless, you should always avoid using them. Here's why.

Most public WiFi hotspots do not encrypt information going back and forth in the air and are not secure. There are lots of free hacking tools that just about anybody can quickly learn to use to get any information you send back and forth when connected to these networks. Here are some good guidelines originally published by the Federal Trade Commission:
Use these tips to tell if a Wi-Fi network is secure:
  • If a hotspot doesn’t require a password, it’s not secure.
  • If a hotspot asks for a password through the browser simply to grant access, or asks for a password for WEP (wired equivalent privacy) encryption, it’s best to proceed as if it were unsecured.
  • A hotspot is secure only if it asks the user to provide a WPA (wifi protected access) password. WPA2 is even more secure than WPA.
Use these tips for a safer Wi-Fi experience:
  • When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted. The entire visit to each site should be encrypted – from log in until log out. 
  • To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in.
  • If you think you’re logged in to an encrypted site but find yourself on an unencrypted page, log out right away.
  • Don’t stay permanently signed in to accounts. After using an account, log out.
  • Do not use the same password on different websites. It could give someone who gains access to one account access to many accounts.
As a general rule of thumb, an encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. 
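
The first set of tips above, applied to a list of nearby networks, as an added example (not part of the original post or the FTC guidance). It assumes the scan comes from NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list`; the sample scan and its network names are constructed.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes literal ':' and '\'.
SAMPLE_SCAN = r"""Hotel_Guest:
CoffeeShop\: Free WiFi:--
OldRouter:WEP
HomeNet:WPA2
Library:WPA1 WPA2
"""

def split_terse(line):
    """Split one terse line on unescaped ':' and undo the escaping."""
    fields, cur, escaped = [], "", False
    for ch in line:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]

def classify(security):
    """Verdict per the tips above; a browser-login hotspot scans as open."""
    tokens = {t for t in security.upper().split() if t != "--"}
    wpa = sorted(t for t in tokens if t.startswith("WPA"))
    if wpa:
        return "secure (%s)" % wpa[-1]  # strongest mode advertised
    if "WEP" in tokens:
        return "treat as unsecured (WEP)"
    if not tokens:
        return "not secure (no password)"
    return "unknown (%s)" % " ".join(sorted(tokens))

def audit(scan_text):
    """Return (ssid, verdict) for every SSID:SECURITY line in the scan."""
    results = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) == 2 and line.strip():
            results.append((fields[0] or "<hidden>", classify(fields[1])))
    return results

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN):
        print("%-24s %s" % (ssid, verdict))
```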

How do you get around the connectivity problem? I recommend using a personal WiFi hotspot with security implemented. You can get yourself a dedicated device like the one I have, or most smartphones can be used as a hotspot if you pay an additional monthly fee. Here's more information from AT&T on different personal WiFi hotspot options.
