As you travel this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.
This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)
But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.
“A lot of the former risks, the reasons we used to warn people, those things are gone now,” says Chet Wisniewski, principal researcher at security firm Sophos. “It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel.”
In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy-to-use device called a Wi-Fi Pineapple makes those attacks simple to pull off.
All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.
HTTPS All Over
Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED’s servers to your browser and back. That encryption is enabled by what’s known as HTTPS: Hypertext Transfer Protocol, with the ‘S’ standing for Secure. The most important thing to know about HTTPS, though, is that it obviates most of the attacks that (rightly) scared you off of public Wi-Fi in the first place.
“If you’re in the US, the web is pretty well encrypted. It’s unusual to go to a website that matters and it’s not HTTPS,” says Tod Beardsley, director of research at security firm Rapid7. “Because of that, the threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped.”
Just how dramatically? Consider that as recently as March 2016, only 21 of the web’s top 100 sites used HTTPS by default. Today, that number has flipped. Seventy of the top 100 sites have HTTPS switched on by default, with nine more offering HTTPS compatibility. Many of the holdouts are based in China. As of January 2017, more than half of the web was encrypted. Today, about 84 percent of websites loaded through Firefox have HTTPS enabled. And yes, that includes porn.
HTTPS has some arguable drawbacks. Mainly, there’s virtually no barrier to getting an HTTPS certificate, which has made it attractive for criminal groups hoping to add an air of authenticity to bogus sites. That little green padlock guarantees that the data you send is encrypted, but not that the person on the receiving end has scruples.
But that has nothing to do with hotel or airport Wi-Fi. You can fall for those scams no matter how you’ve connected to the internet. And using that approach to target those specific locations hardly seems worth it in practice.
“You’d have to get a soundalike domain name, register that, then get an encryption certificate, then get someone to go to your site,” says Beardsley. “I don’t know how successful an attack would be to set up my rogue Wi-Fi, wait for people to mistype a URL, and come to my fake bank site. I’m not super sure that’s a very valuable attack. You’re going to be waiting a long time for that typo.” Especially given another, slightly less recent change in how we use the web: So few people actively type URLs that Google has considered doing away with them altogether.
It helps to think through how other attacks might play out in practice as well, especially as caveats come into play. In addition to phony sites, there’s the concern that someone else on your network might be “sniffing” your browsing activity, the internet version of eavesdropping. They can still try, but HTTPS means that they can’t see what individual pages you’re visiting, just the domains. Someone could figure out you’re on Netflix, in other words, but not which movie you’re watching. Or they might know you’re on Bank of America’s site, but wouldn’t be able to see any of your identifying details. It’s the difference between observing a conversation from far across the street, and having it bugged.
You can easily imagine cases where that’s still not ideal. You may not want anyone to know that you’re visiting sites of a sensitive nature, regardless of what specifically you’re looking at while you’re there. And if you visit a site that has no HTTPS, all of those protections go out the window. But criminals have much more lucrative methods of attack these days—you don’t need hotel or airport Wi-Fi for spearphishing or cryptomining—making hotels and airports that much less appealing of a target.
“I’m telling people to enjoy public Wi-Fi, whether they’re at Macy’s for Christmas shopping or at the Hilton,” says Wisniewski. “What’s in it for the adversary? Why would you choose monkeying with the Wi-Fi at the airport or the hotel over some other attack method? When you look at the profitability and the risk, it just doesn’t make sense other than an amateur to be doing it for giggles.”
It’s totally understandable if you still have concerns. Maybe you visit a lot of unencrypted sites, or don’t want a hotel chain to have even domain-level insight into your browsing. Or maybe you’re a journalist, or an aerospace executive, or a politician, or someone else the GRU or Chinese intelligence agencies might put in their crosshairs. Or maybe you’ve just got a vestigial mistrust that you can’t shake.
That’s fine! Whatever the case, there are plenty of things you can do to protect yourself, starting with using a virtual private network. A VPN sends all of your traffic through an encrypted connection, meaning that the hotel or anyone else can’t see where you’ve been or what you’re doing. Well, almost anyone else; the VPN provider potentially could, so use one you trust.
Even better than a VPN, especially if you have an unlimited data plan: Use your smartphone as a hotspot. “There aren’t any published exploits that are useful over LTE. If you’re really worried about it, tether up your phone,” says Beardsley. “That’ll get you a long way.”
But if those don’t apply to you; if you’re just hopping on Facebook and Amazon, or looking up good nearby restaurants on Yelp? Use the Wi-Fi at the hotel. It might not have your security interests at heart, but more than ever, the web itself does.