Public Wifi Paranoia
December 23, 2009 10:20 PM   Subscribe

I need a list of things that are safe/not safe to do online in a public wifi environment.

I've recently found myself in a situation where I have a few hours to kill, several times weekly, in a town away from home. So far I've spent most of my free time hanging out in a coffee shop. They offer public wifi and I've been debating about bringing in my laptop, but I've never accessed public wifi before and I'm feeling a little paranoid.

So, talk to me like I'm a kindergartener. What kind of online things are safe (logging into Metafilter, email, etc.)? And what kinds of things are complete no-nos (shopping, checking bank balance, etc.) in this environment?
posted by amyms to Computers & Internet (27 answers total) 35 users marked this as a favorite
Response by poster: ...but if you're going to be afraid of that, you might as well not bother, because you can be hacked a lot of ways no matter how you access the Internet.

I guess I'm paranoid about the fact that whomever is offering the wifi connection might be able to see what's happening on their network (I don't even know if I'm using the right terminology here). For instance, if the coffee shop is managing the network, can their employees "see" what I'm doing (e.g. can they see me typing in my various passwords, etc.)?
posted by amyms at 10:38 PM on December 23, 2009

Response by poster: Okay, that makes sense, floam, thanks. So, if I'm not on an https URL they could conceivably usurp my login info?
posted by amyms at 10:50 PM on December 23, 2009

amyms wrote:Okay, that makes sense, floam, thanks. So, if I'm not on an https URL they could conceivably usurp my login info?

That's true whether you're at a coffee shop or on your internet at home, too.
posted by maniactown at 10:53 PM on December 23, 2009

Response by poster: Okay. So, basically, they could "see" what I'm doing (if they were sophisticated and cared to do so) but it's generally not in the realm of something I need to worry about?
posted by amyms at 10:55 PM on December 23, 2009

Best answer: Also it's not just Creepy Coffee Shop guy but anyone in the neighborhood right around there.

The main problem areas I would look at are: (1) POP/SMTP (old fashioned) e-mail, (2) IM, (3) FTP and Telnet, like for website maintenance, and (4) shared hard drives on your laptop you might have forgot about. And it's not just logins that could be compromised... the actual content, if seen by others, might prove embarrassing or present privacy/identity theft issues.

Considering the widespread availability of sniffer programs like Ethereal, I think you are very smart to look for a little caution in your WiFi'ing. A few years ago I left Ethereal running on my laptop for an hour at a professional conference... holy cow, let's just say that kick-started me into being much more cautious on public hot spots.
posted by crapmatic at 11:02 PM on December 23, 2009 [1 favorite]

Best answer: Okay. So, basically, they could "see" what I'm doing (if they were sophisticated and cared to do so) but it's generally not in the realm of something I need to worry about?

Yep. If you're dealing with sensitive information, make sure the site is using ssl (https). As always, make sure your computer is virus/spyware free. As a general rule, don't install anything special to use an internet connection.

Yeah, but I think we trust AT&T or somebody just a little bit more than we do Guy That Has A Coffee shop. Plus with wifi the other coffee shop patrons could also be watching the traffic if they are clever enough.

True enough, but internet packets are routed all over the place and there's nothing stopping somebody from logging plain-text data that passes through their router. Not something to stress about, but certainly just as possible from home as from a random hotspot.
posted by maniactown at 11:03 PM on December 23, 2009 [1 favorite]

Best answer: I use public wifi all the time, and I do all the things you mention and more.

From time to time I've heard various people advise others not to do online banking from public wifi. I guess I can see why some people feel it necessary to give this advice, when aimed at a general audience rife with morons who are likely to click on any certificate warning that pops up. (So, general point being: don't be a moron and click through any certificate warnings unthinkingly. Read and understand things before you click and dismiss them. If you suddenly start seeing warnings that you've never seen before ... that's a red flag. Slow down, and if it's your bank, call their help line.) But I don't think it's really correct or justified.

Scaring people away from public wifi is silly. You should be cautious using just about any Internet connection. Even when you're plugged into broadband in your house, you (generally) have no idea where that traffic is going on the way to its destination, and who might be logging it along the way. You have to be smart when you're transmitting any sort of personally-identifying or financial information over the Internet, no matter where you're plugged in.

In general:
  • Connect to banks, webmail (e.g. Gmail), and other sites with sensitive information over HTTPS, not HTTP. If the address begins with http://, this is typically not encrypted. If it begins with https://, then it is.* Double-check by looking for the locked-padlock icon down in the bottom of the browser window.
  • It is still possible for unencrypted (non-HTTPS) pages to selectively encrypt small elements, like passwords, during submission. It can be difficult to tell from the perspective of a typical user whether or not the site is doing this properly. For this reason, you really should not use the same password for multiple sites.
  • You should especially not use the same password for multiple sites with the same login name. E.g., if you are amyms on MetaFilter and on (say) Slashdot, you should not use the same password for the MetaFilter and Slashdot accounts. This is because if one site or the other gets hacked and your password recovered (due to poor site security), you don't want the attacker being able to hijack all your accounts.
  • You should really, for the love of all that's good in the world not use the same password for low-security sites (e.g. online forums) that you use for online banking, or for any merchant that stores your credit-card number (like Amazon). Any account that could cost you money if compromised should get its own, suitably complex, password. Even if you have to write it down on an (otherwise unmarked) scrap of paper in your wallet or something.
  • Keep the email addresses in the profiles of your accounts current. If you can't get into an account and think there's any chance it might have been compromised, immediately do a password-recovery/change and try to change the password. In a surprising number of cases, accounts will get hacked but the attacker won't change the profile email, so it's possible to do a password-change and lock them back out. But this only works if you've kept the backup email address up-to-date. If the recovery procedure doesn't work, you're SOL.
  • The safest thing to do is to avoid clicking on links from email. Instead, if you need to do something in response to a message from your bank, open a clean browser window and type their URL ( in manually, and navigate in through the site by browsing or using the site search feature. It can be difficult even for savvy users to tell the difference between a phishing site and the real thing (and internationalized domain names will probably make this worse). Typing in by hand is the safest route.
Those are the things that I think get most people in trouble. (I'm setting aside the truly obvious: never use IE, keep your OS and browser updated, don't download and install anything you're not 100% sure of the provenance of.)

* In general, HTTPS = secure. It is possible, however, for an HTTPS page to contain unencrypted elements, though. (Google does this frequently on some sites, like Google Wave; they encrypt the text content but send some page elements, like images, unencrypted to save effort.) Most browsers will warn about this in some way. If you see this, it becomes a question of whether you trust the site's designers.
posted by Kadin2048 at 11:04 PM on December 23, 2009 [9 favorites]

Response by poster: Yeah, but I think we trust AT&T or somebody just a little bit more than we do Guy That Has A Coffee shop.'s a judgement only you could make, depending on how creepy the coffee shop people are and how sensitive the stuff you're up to is (and what fractions of it are covered by SSL).

Hmm, well, leaving aside the whole AT&T/NSA/spying on innocent people controversy, the woman who owns the coffee shop doesn't even know how to make a vanilla latte properly so I'm not so worried about her, but she has a couple of teen/college employees who seem like they'd know how to tap into patrons' business if they wanted to. But, I gather from the answers here that as long as I'm just doing my normal surfing (and making sure that login screens on are https URLS) I'm pretty much okay. *fingers crossed*
posted by amyms at 11:09 PM on December 23, 2009

It's really a pain in the ass to play the man-in-the-middle attack necessary to spoof the encryption on https sites. Doable, but a pain in the ass. And not really viable on more than about three or four models of consumer-grade (coffee shop-grade) wifi routers.

And if you've been to those encrypted sites before on that computer, your browser will tell you that the cert has changed if somebody's making that attack.

Let me put it this way: I'm a libertarian, conspiracy-suspicious programmer. And I don't modify my browsing habits one whit on public (privately-provided) wifi. Municipal wifi, however, I censor myself on.
posted by Netzapper at 11:34 PM on December 23, 2009

One thing to keep in mind, if you use Gmail, you can access everything over HTTPS, not just the logon.

just go to "" rather then "" and gmail will stay in https mode the whole time.

You can also adjust encryption by a setting under settings/general/"Browser connection" and configure it to always or never use https, so you don't have to remember to type in https every time or use a different bookmark.
posted by delmoi at 11:42 PM on December 23, 2009 [1 favorite]

When you go to a SSL site, make sure that https:// is visible in the address bar even if you're navigating there through a bank site.

For example, DON'T type '' into your address bar then click on 'secure login'. Type in the entire, or keep the https:// URL as a bookmark.

The reason for this is sslstrip, which will transparently change the https to http in the non-secure page you're served. It'll even replace out the favicon with a padlock - sure, it's in the wrong place, but that doesn't help if you're not paying attention.
posted by xiw at 11:46 PM on December 23, 2009

And if you've been to those encrypted sites before on that computer, your browser will tell you that the cert has changed if somebody's making that attack.

Not true, you don't have to have any previous contact with the site in order for your browser to warn you that the imposter certificate either doesn't match the site's address or isn't signed by a trusted CA. SSL's trust management would be useless if it did not have this capability.

The only way to pull off a SSL MITM attack and not have the browser warn the user is to surreptitiously install your own CA into the user's browser's list of trusted certificate authorities, and then sign the imposter cert with that CA.
posted by Rhomboid at 12:57 AM on December 24, 2009

I used to think you were right, Rhomboid. But actually, SSL has been broken in such a way that a seamless MITM attack can be made if previous contact hasn't been made with the website. It still requires a sophisticated attacker running your traffic through a non-consumer router.

OP, you might want to read that whole thread. But also keep in mind, you could also get carjacked. Risk, and managing it, is part of living.
posted by Netzapper at 1:13 AM on December 24, 2009

There are some very well expressed answers to the original question already here.

To answer a question that wasn't asked but that might catch a less savvy reader: everything above applies to using your own computer. If you sit at a publicly accessible computer in a coffee shop, you should assume that every single key you press is being recorded by someone for nefarious purposes. Put another way, someone else's computer is completely untrustworthy.
posted by fydfyd at 1:23 AM on December 24, 2009

I think it's incorrect to say that SSL has been broken. It would be more correct to say that a weakness of MD5 was exploited. If browsers were to simply stop recognizing certs signed with the MD5 hash, then the vulnerability no longer exists. Developers of Chrome and Firefox ran the numbers shortly after news of the MD5 cert vulnerability became public and they estimated that the affected users of such a change would be a small minority, so I expect that they will make that change before too long if not already.
posted by Rhomboid at 1:48 AM on December 24, 2009 [1 favorite]

(Not to mention that it takes only a few seconds to bring up the certificate properties in the browser and verify that it's not a MD5 cert. Although admittedly this cannot be expected from the type of user that would ignore an invalid certificate warning, it is nonetheless easy to verify if you want to be paranoid.)
posted by Rhomboid at 1:52 AM on December 24, 2009

It is absolutely incorrect to say that SSL has been broken. The MD5 vulnerability was in a small number of certs issued by a small number of vendors and is no longer relevant.

Source: The new MD5/SSL exploit is NOT the end of civilization as we know it
posted by zain at 1:57 AM on December 24, 2009 [2 favorites]

The main problem areas I would look at are: (1) POP/SMTP (old fashioned) e-mail

Webmail can be sent via ssl; my host has this setup, so not only my login, but every mail I read via the web interface, is ssl encrypted.
posted by orthogonality at 4:34 AM on December 24, 2009

If I'm using a vpn, is that safe?
posted by semacd at 5:44 AM on December 24, 2009

FWIW, I'd also be concerned about your local security. If you've set up password-free file sharing on your laptop, then anyone on the local coffeeshop's network can look into that directory and grab a copy of whatever they find. This isn't a terribly common issue, but sometimes folks set it up this way to make it easier to share info between their laptop and home desktop machines- if you did, simply turn it off before wandering onto a public LAN.
posted by jenkinsEar at 6:00 AM on December 24, 2009 [1 favorite]

You should only ever access your e-mail over a secure link, even if you don't think there is anything there that needs security. Remember that many web sites will allow you to change your password by sending the new one to you over e-mail, so an attacker can easily create some security-requiring goodies in your inbox without you knowing about it.
posted by grouse at 6:46 AM on December 24, 2009

you should assume that every single key you press is being recorded by someone for nefarious purposes

Yes, recorded. But we're talking millions of keystrokes passing through any given server -- is anybody actually going to the trouble to analyze this data? Is it even possible for random Bad Guy to translate a stream of keystrokes into useful information?
posted by Rash at 7:17 AM on December 24, 2009

Best answer: There are some Personal VPN products that you may find useful.

Pay attention to https:// and the padlock icon.

Read up on certificates. If someone tries a man-in-the-middle attack, your browser will complain, but you have to recognize what it's trying to tell you. Don't use IE; it's still not secure enough. For sites where you must use IE, update it to 7 or later. Keep MS/Windows, Firefox, Java, Flash, etc., updated. Disable Filesharing, and don't make your laptop a wireless access point. Disable Windows Messenger. Severely limit the things that can run at boot. Read Bruce Schneier on security - interesting and practical.

Run anti-virus software, update it regularly, don't download random stuff, etc. Enable the Windows firewall.

Be cautious about who's paying attention to you. Passwords get hacked by people looking over shoulders. And get a laptop lock to fit the lock port. Lock it to the table or something unwieldy. You might get up to grab a napkin, and a thief will have your laptop in 10 seconds. Laptops locks are flimsy and crappy, but may buy you 30 seconds. A thief has to be prepared with a cutter for the cable, and most laptops get stolen because it's so incredibly easy.

The most important security rule is: Back Up Your Data.
posted by theora55 at 8:37 AM on December 24, 2009 [2 favorites]

You can get something like SwissVPN, which uses standards-compliant VPN that does not require any additional software, for $5/month if you are paranoid.
posted by thewalrus at 10:39 AM on December 24, 2009

Do you have a computer at home in addition to your laptop?

Install LogMeIn ( on both machines, connect from your laptop while you're out, and do all the work on your home computer. Strong encryption, and nothing visible on the laptop end of the network.

(many other products do this as well, GoToMyPc, etc. You can even roll your own if you're technical enough).
posted by blue_beetle at 10:51 AM on December 24, 2009

Actually, there's a small reason to not trust public WiFi that I've not yet seen mentioned. When you connect to public wifi, you computer is given a set of information, including (but not limited to):
* an IP address
* a gateway IP to direct internet traffic to
* a DNS IP to direct DNS queries to

When you type into your browser, your computer first looks up in the DNS database. The DNS database you use is by default the one assigned by the wifi router. A fairly evil person could set up a public wifi hotspot and offer you a corrupt DNS database that directs traffic to their servers instead. There's also some tactics to defeat SSL when you control DNS, I'm not up to date on how that's been addressed. One way off the top of my head to mitigate this is to use a trustworthy DNS server like openDNS instead of whatever the wifi network offers. Another might be the widespread adoption of DNSSEC.

As far as I know, there are two general theories about wifi held by security experts. The first says that most security online is crap, and while banks and whatnot are required to be secure and have standards and audits to meet, these standards are always playing catch up to newer attacks, so one shouldn't trust such things to public wifi. They also point out that you're only as secure as your email access, given the massive dependence on email password recovery and account management. Banks only send you messages stating you have a message and don't allow online password management, but online retailers may not be as careful with your money.

The other theory says this overstates the actual risk of being snooped. If you're a start up executive for Twitter, maybe your gmail account is an attack vector. But from a rational economic action standpoint, you only need to be more secure than the target next to you. They point out that it takes a lot more effort to install an evil DNS spoofing router than to just snoop traffic, and that it's easier to detect than a silent listener.
posted by pwnguin at 11:32 AM on December 28, 2009

A fairly evil person could set up a public wifi hotspot and offer you a corrupt DNS database that directs traffic to their servers instead.

This is true. You can provide some protection against this by manually specifying a DNS server — Google Public DNS would be my recommendation — and forgoing use of whatever DNS server gets supplied by DHCP.

It's still possible for an attacker to intercept DNS requests bound for external servers and spoof them with their own, but this is a bit more complex than just setting up a resolver with a bad database and telling the access point to hand out that server's IP as the preferred DNS for the hotspot.

Not a perfect solution by a long shot (the real solution will come when secure DNS is implemented), but it will cut down on amateur honeypotting.
posted by Kadin2048 at 2:03 PM on December 28, 2009

« Older How would you make the most of 3.5 days in Patong...   |   Headset For WoW Newer »
This thread is closed to new comments.