The Complete, Endless, Ridiculous List of Everything You Need to Be Safe on Public Wi-Fi

Wi-Fi networks we access, websites we visit, and protocols we use fail to keep us safe online. As a result, it’s up to every individual to build piecemeal defenses. Here, I list the basic principles for using the Internet safely.

This is Part 3 of my series on the insecurity of public Wi-Fi networks today.

Previously, Part 1 looked at the hacking dangers of public Wi-Fi, followed by a deep-dive into why we’re where we are today in Part 2.

1. Start with a known-secure state

First, in order to be safe on public Wi-Fi, you need to be safe on the Internet, in general.

You need to minimally:

1. Have online accounts that you know aren’t already compromised
2. Utilize strong passwords that are never used more than once (a good password manager will help with this)
3. Implement two-factor authentication on all accounts

Since text messages can easily be rerouted to an attacker’s phone, your accounts should never use two-factor authentication over SMS.

It wouldn’t hurt to have extra precautions like login alerts enabled for your financial accounts, either.

With many applications installed comes multiplied risk, as you trust even more developers and code practices

2. Stay up to date

Web browser bugs, TLS/SSL vulnerabilities, Wi-Fi authentication protocol vulnerabilities, and application and OS vulnerabilities should be patched before roaming onto others’ networks.

This means that you need to keep your various device OSes and apps up-to-date, but you also should keep all your other devices, like home routers, printers, and smart devices up-to-date as well, as these can become vectors of attack for other devices and/or online accounts.

After updates are installed, it’s often necessary to restart applications like web browsers (or, in the case of OS updates, even the entire computer) to actually apply those updates.

An unnecessarily-exposed attack surface can result in your devices and apps being bombarded by threats

3. Cover your attack surface

Prior to even thinking about connecting to a public network, you first need to think about how you will protect your computer from attack.

You need to ensure no spurious network-accessible services or file shares are running on your computer and that a firewall is installed and properly configured.

Limiting the number of applications installed and uninstalling no-longer-used applications is a great additional step to reduce attack surface. Another best practice is to keep an (offline) list of all accounts you do have, so that you do not forget about them or information that is associated with them, and to periodically review the list for accounts you no longer use and deactivate unnecessary accounts.

A typical hacker, or privacy advocate, or both, or neither — who knows what’s beneath that mask

4. Prevent interception

Prior to connecting to a public network, you need to arrive with countermeasures in place to prevent application data from being intercepted.

This requires finding a trustworthy VPN solution, installing it, and configuring it properly so that it can be started immediately and it doesn’t leak any protocols’ packets (e.g. DNS requests).

The VPN solution must be downloaded before connecting to a public network, because a public network cannot be trusted to provide the ability to download software free of malware.

5. Connect to a suitable network

Many public Wi-Fi networks utilize a captive portal containing terms of use or that collect information about their users.

Unfortunately, if a VPN solution is capturing all traffic, many times it must be disabled in order to click through the captive portal and access the Internet.

Captive portals can at least temporarily circumvent the benefits of a VPN, not to mention have potential tracking implications if cookies are set in the process.

Wi-Fi pineapple routers promise hospitality, but with a catch —undesirable security and privacy implications

6. Avoid pineapples

Wi-Fi Pineapples are routers that offer hospitality, but the catch is that they are malicious hacking tools disguised as benign networks.

If a firewall and a VPN solution are both working perfectly, a pineapple should have little to attack; but, as stated before, risk can be exacerbated by captive portals, not to mention leaky VPN configurations.

The truth is that a malicious network can easily be disguised as a legitimate one, but even a legitimate public network can have malicious actors connected to it.

7. Use browser plugins to patch the Web’s security holes

Let’s face it: Out of the box, 25% of websites are visited without the use of encryption, and websites everywhere are tracking you and your family.

The web browser extensions HTTPS Everywhere and Privacy Badger will help you browse the Wild Web. Container extensions also exist to better isolate websites/tabs and their data from each other, which also can effectively block certain online trackers. I cannot recommend highly enough the use of these extensions along with web browser containers for all websites you visit.

If you are a member of an at-risk group, such as an activist, reporter, or billionaire, you would benefit from stronger physical isolation between different types of online activities by utilizing separate, dedicated devices for sensitive activities. No level of virtual containment is as good as physical separation.

8. Understand and optimize your threat model

Each person has a different threat model defined by different circumstances:

1. Where are my high-value assets?
2. Where am I most vulnerable to attack?
3. What are my most likely threats?

Continuously ask yourself: What can I do to reduce threats and live a life more aware of security and privacy?

Also ask yourself: Do I have unique circumstances (e.g. a reporter who needs anonymity, or a billionaire CEO that has access to some hefty bank accounts)? If so, familiarize yourself with EFF’s Surveillance Self-Defense resources and, if needed, anonymity tools as well.

Staying safe on public networks and the Internet requires awareness and taking action.

Conclusion

Minimally, you should use a trustworthy VPN, use two-factor authentication everywhere (but not over SMS), install the HTTPS Everywhere browser plugin, and keep your system up-to-date. If you are not, you probably should reconsider your security posture entirely.

If this all seems ad-hoc, clunky, and unlikely to perfectly protect you online, let alone in a way with a reasonably good user experience, then you’re, unfortunately, absolutely correct.

Over at my day job, Magic, we’re actively working on solving these problems by implementing VPN-like functionality and capabilities-based security for the Internet by default, with great UX in mind.

To learn more and join the conversation on how to build a safer, more performant Internet, check out magic.co or https://github.com/magic-network

But, for now, your run-of-the-mill shared networks and public Wi-Fi cannot be trusted, popular websites and protocols fail to do their part to adequately protect us, and consumers have to navigate the rough seas of Internet security largely on their own.