Is Public Wi-Fi a good thing?
January 19, 2012
The short answer is yes. While I have a mobile 3G hotspot which I take around with me, you can’t always get a good signal and it can be very slow. I use free and pay-for-access Wi-Fi all the time; I am just careful about what I do and don’t do on it. Catching up on sports news – yes, on-line banking – no thanks (some people will argue it’s fine to use your on-line bank, I’d rather not take the risk). If you or your staff are road warriors and often out of the office, then Internet access is essential in order to keep in touch with customers and suppliers. Increasingly we are moving applications and data to the cloud, making the need for a usable Internet all the more important.
What’s the risk?
Wi-Fi is a broadcast medium so anyone else connected to it with the right tools can see exactly what you are doing. It does take a little bit of skill to do this, but with the correct knowledge and the right tools a Public Wi-Fi network can make for rich pickings. You might not think that logging into your favourite forum in plain text is much of a risk but most of these services ask for personal details about yourself when signing up. It’s unfortunately very common for people to use the same username and password for everything so catching basic information and a password could open the door to a lot more services.
Firesheep was a simple Firefox add-on released in 2010 to perform “sidejacking”. This tool took advantage of cookies. Even if the login process was encrypted, not all services would maintain that encrypted session for the rest of the visit. The tool caught the unencrypted cookies, allowing whoever ran it to access the website as the victim and bypass the authentication process. The only solution to this is full session encryption; see the precautions later in the post.
Surely it’s no worse than being directly on the Internet at home / office?
Using an insecure login process is never a good thing anywhere on the Internet. When directly connected to the Internet it is a lot harder for an attacker to intercept your traffic. They would need physical access to a point in the Internet between you and the service you are trying to access or the ability to redirect traffic at some point via a device they control. It’s not impossible but more difficult and an attacker will always go for the easiest option.
What precautions should you take?
Always check that the location where you are trying to access an open Wi-Fi network is actually providing one. Many devices actively seek out open networks; malicious users know this and can set up an access point or an ad-hoc connection to encourage you to connect, thereby targeting you, your accounts or your machine.
Also remember that devices can store details of networks you have previously connected to and will automatically connect to them again. If it is not a place you visit regularly, remember to delete the network from your list of wireless networks so that your machine doesn’t automatically connect to that SSID again, or simply don’t select the “connect automatically” box before you connect.
The main thing to do is think about what you are accessing. Always look for the padlock symbol or the HTTPS prefix in the address bar; while not a guarantee, it’s a good start. If it’s not there, have a quick look around the site and see if there is an obvious SSL option. If not, it is best to leave it until you have another connection option.
Many popular services such as Gmail, Facebook, Twitter etc. offer the option to use HTTPS for all communication and not just login. For example, under the Settings section of Twitter you can enable SSL:
Or Gmail:
Google Chrome and Firefox both support HTTP Strict Transport Security (HSTS). This is a draft standard that uses an HTTP header sent from the server to the client telling it to use HTTPS for all communication. Good, but still not widely supported enough.
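As an added example (not part of the original post), this Python sketch checks a site's response headers for the two protections discussed above: the `Secure` cookie attribute, which keeps a session cookie off unencrypted connections and so defeats sidejacking, and the HSTS header. The sample headers, cookie names and verdict labels are constructed for illustration.

```python
# Added example: classify cookies in an HTTPS response by exposure to sidejacking.

def parse_set_cookie(value):
    """Return (cookie_name, has_secure_attribute) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, "secure" in attrs

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, 0 if unusable."""
    for directive in (value or "").split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def audit(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    hsts = next((v for k, v in headers
                 if k.lower() == "strict-transport-security"), None)
    hsts_on = hsts_max_age(hsts) > 0
    report = {}
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, secure = parse_set_cookie(v)
        if secure:
            report[name] = "protected"       # never sent over plain HTTP
        elif hsts_on:
            report[name] = "relies-on-hsts"  # safe only once the browser has seen HSTS
        else:
            report[name] = "sidejackable"    # sent in clear on any http:// request
    return report

# Constructed sample responses (not captured from any real service).
LOGIN_ONLY_HTTPS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
FULL_SESSION_HTTPS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only", LOGIN_ONLY_HTTPS),
                        ("full-session", FULL_SESSION_HTTPS)):
        print(label, audit(hdrs))
```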
There are various add-ons for browsers that force secure connections where available, such as HTTPS-Everywhere for Firefox. Supporting more than 1,000 sites, it rewrites all requests to supported sites to use HTTPS.
But HTTPS has its limitations. What is and isn’t encrypted is largely down to the website and how well it has been implemented. Be careful to only log in to known services such as the company SSL VPN, your cloud-based service, etc.
Alternatively, if your company deploys an IPsec-based remote access VPN, use that instead. This type of VPN typically tunnels all traffic through to the corporate network. When accessing Internet-based services, users will then have the same level of protection as office-based staff.
Further measures can be taken using one time passwords, so that even if someone managed to intercept the password you entered it will be useless to them after a few minutes.
If you or your staff are using a company device try to avoid accessing personal social networking accounts. I realise this will always be difficult when someone is sitting in a hotel room on their own with nothing to do. If your policy allows this, ensure staff do not use company based email addresses to access these services and educate them about the dangers of using the same password for multiple services.
Without exception, you need to make sure that all of your devices that can have anti-virus and a personal firewall installed have them, and that they are patched and up to date. Also, consider whether you need a separate policy for company-issued smart devices (phones and tablets). Malware targeting these devices is on the rise, but the ability to protect and control what users can and can’t do on these devices is still quite limited, though something I am sure will improve in the next year or so.
Finally, of course, if you don’t want to be connected to the Internet while using your laptop / smart device, just switch the wireless service off; this is easy enough to do on most devices.



