Free Wifi…at what cost?

So, many of us have done it, we go into a coffee shop or other public place offering free Wi-Fi and we log-on and typically start using the internet or fire up our email software.

“It’s only browsing”, or “I’m just checking some emails” I hear you say, but what you may be doing is providing key information to other people in the vicinity who are seeking more than an extra hot skinny macchiato – they may have just placed an order for your personal data, or worse, your company’s data.

 How do they do it

Well let’s first explain what your device is doing when you log onto Wi-Fi.  Typically, the Wi-Fi service will be provided by either a wireless access point, in larger organisations, which is then connected to a router, or provided by the router itself.  Now the routers job is to direct your requests you make to the internet, then feed those “answers” back to your device.  Broadly speaking, other than where you want to send data (the destination address) and where the “other end” wants to send the data back (the address of your device), a router doesn’t really care about what the data is.  So far so good….

Well not really, in what is called a Man-in-the-Middle attack (MitM), a third-party can jump into the same wireless network and “listen” to the traffic.  With little effort, they can jump in the middle between your device and the router and under certain circumstances “see/hear” your data.

The implications of this are reasonably obvious, particularly if you were logging onto your company’s servers, logging onto your social media accounts or even your internet banking.

HTTP vs. HTTPS

HTTP – HyperText Transfer Protocol – is the standard mechanism internet pages are received and associated responses sent to/from the internet to your device.  It’s the equivalent of sending a postcard, where the to/from address is clearly readable, as is the content of the communication.

HTTPS – HyperText Transfer Protocol Secure – is the same format as HTTP, but with the added advantage of encrypting the request from and the response back to your computer.  The equivalent of putting it in an envelope and having it couriered to the recipient and their response being treated in the same way.  This in theory provides a layer of browsing security preventing basic eavesdropping on your browsing activity.

The HTTPS connection in your browser is only effective for as long as your device is using a HTTPS connection.  Many sites allow a fall back to standard HTTP, which is exactly what these individuals are relying on.  It’s the same as starting a private conversation in a tiny office, then continuing it walking through the middle of the office!  People may not have heard the start, but they will certainly have gotten the gist of the conversation.

What can you do to prevent it?

Well the obvious ultimate protection is don’t log onto public Wi-Fi networks, but let’s assume you really need to, what else can you do.

So here are a few tips which you or your organisation should consider following;

1. Wherever possible, use a Virtual Private Network (VPN), when connection from ANY external location back into your office (including your home).  Whilst this doesn’t absolutely guarantee protection, it makes it significantly more difficult for third parties who may be “listening”.
2. Ensure that the sites you use, and your business site, uses HTTPS connections when using their internet based services.
3. Ensure that your company is enforcing HTTPS throughout the session – if the session starts with HTTPS.
4. Consider having your site registered as HSTS (HTTP Strict Transport Security) – this tells your browser to enforce an HTTPS connection for a certain period of time, this would prevent a redirection to a HTTP connection. Clearly, the first page you visit needs to tell your machine this, so it’s no good having it on the home page, if you directly connect to the “About Us” page first.
5. Considering registering with the Chromium project – which is the source for the Chrome Browser.  This project allows sites to be registered to force all connections, made within Chrome, to only be allowed/maintained under HTTPS conditions.
6. Ensure your Anti-Virus and software updates are kept current.

None of these suggestions will provide a 100% secure browsing experience, as expressed before, 100% can only be established if you do not connect your machine to the internet! However, the dangers can be significantly reduced/mitigated.