Public Wi-Fi is secure. So stop worrying about the connection.


From discovered webcams to reused passwords, it’s hard to know just how much of a risk our daily digital activities really pose.

Take WiFi networks in airports and cafes. They are part of life for anyone traveling or working remotely. They also have a reputation for cybersecurity risks. Do they still deserve it?

To see what would-be hackers might see on a shared network, we invited professionals from cybersecurity firm Avast to “compromise” my home network (all with my consent). We connected to the same network at the same time, like we would in a cafe, to see how much data a bad actor with a few free tools could learn about a modest WiFi user.

What we found could be a relief for the cafe crowd.

After a few minutes of clicking through my finance, work, streaming and social media accounts, the Avast team was able to see the sites I had visited (but not what I had done there), the time of day and the specific device I was using (in this case, a MacBook Pro). It’s not nothing, but it wouldn’t do hackers any good if they were trying to rip me off. It’s also relatively unwise for hackers to sit around messing with public networks, said Chester Wisniewski, a senior researcher at security firm Sophos.

“This kind of data is not just low reward, it’s high risk,” he said. “If I can phish your password from my chair in Moldova and have no risk of going to jail, why should I get on a plane and go to your local Starbucks?”

Tech writer Tatum Hunter gets hacked on purpose to figure out what hackers can see and what they can’t. (Video: Monica Rodman/The Washington Post)

In the early days of the Internet, the vast majority of web traffic was unencrypted, which meant that anyone knowledgeable enough to eavesdrop on a network could see anything you type on a website. By 2017, the balance had shifted, with more than half of all web traffic using the encrypted “HTTPS” protocol that you can recognize from the top of your browser, according to data pulled from the Firefox browser. Today, few legitimate sites remain unencrypted, with more than 90% of web pages loaded in the United States hidden from prying eyes, according to Firefox data. (If you’re curious if a given site is encrypted, look for “HTTPS” in the URL or site address. Pages with “HTTP” are not encrypted. Unfortunately, there’s no way to tell at a glance if a mobile app is encrypting its traffic.)

That means even if someone were to use a public network to spy on you, what they find probably wouldn’t be of much value, Wisniewski said.

Government employees, dissidents and anyone else dealing with sensitive data can use a trusted virtual private network (VPN) to conceal their activities, said Russ Housley, founder of cybersecurity consultancy Vigil Security. Since VPNs hide your IP address and web activity from everyone but the VPN provider, they help protect against hacking and invasive advertising. Keep in mind that not all VPNs are reliable, and many fail to protect you from government surveillance if you’re traveling overseas, Housley noted.

Your VPN can be snake oil. These three are trustworthy.

Still, for the rest of us, public WiFi networks aren’t entirely free of threats. Mom-and-pop stores are unlikely to keep up with necessary WiFi maintenance, such as firmware updates and strong passwords, said Aaron Rinehart, the company’s co-founder and chief technology officer. Verica cybersecurity. A truly committed criminal could impersonate a public network or website in an attempt to steal credentials, he said.

But it’s much less likely that someone will take advantage of, say, your reused passwords or outdated software. Focus your energies on the cybersecurity tasks within your control — such as setting strong passwords, saying “yes” to software updates, and learning the signs of a scam — and don’t sweat public WiFi too much.

“Generally, using public WiFi is safe as long as your computer is up to date and you encrypt all your data,” said Eric Rescorla, chief technology officer at Mozilla, the maker of Firefox.

If a site, link, or app seems sketchy, avoid it. And check out our cybersecurity reset guide for more tips on avoiding hackers and malware.


About Author

Comments are closed.