How to Use Public Wi-Fi Without Compromising Your Security
A deal-breaker for me when choosing a place to stay away from home is the lack of free Wi-Fi. I’m kind of a tech-junkie. Yeah, I know, you’re totally caught off-guard with that admission. Being able to connect to the Internet is important to me, unless I’m on a mission to specifically not connect. However, I do check the security before I connect. Free is good, free and secure is better. If the Wi-Fi connection isn’t secure, someone can intercept your Internet traffic.
Nearly every restaurant now has free Wi-Fi, and all they want from you is your email address. That’s not necessarily a horrible thing, there’s nothing about it that violates security. They tell you in advance that they’re going to be sending you advertising materials. I kind of like knowing that our date night can be at that steak house that just sent me a promotion for a free dessert. Cafes, airports, even WalMart offers free Wi-Fi, and I’m not afraid to use it – for certain things, but not for others. These places tell you upfront that it’s not a secure connection, and that you shouldn’t use it for sensitive transmissions.
Secured vs. Unsecured – How Can You Tell?
A secured Wi-Fi connection will require some sort of password, and it uses an encrypted connection. The encryption will scramble the data transmission between your device and the Wi-Fi access point. If anyone were to intercept the data between your laptop and the access point, they wouldn’t be able to read any of it. A padlock next to the network’s name indicates a secured Wi-Fi connection . When your device joins the network, part of the process is that the two devices do sort of “handshake.” They agree on the kind of encryption and the keys to encrypt and decrypt the data.
An unsecured Wi-Fi connection is an open network. Anyone can join, no password is required, but no encryption is provided, so if the traffic is intercepted, the interceptor can be read it just like you’re reading this. Unsecured networks show no padlock by the name. When we talk about “public Wi-Fi,” this is what we mean – an open Wi-Fi connection that just anyone can connect to and use.
You’ll almost always see the Wi-Fi networks at vacation rentals are secure, but surprisingly few hotel networks are secure. They may require a password, but that’s just to make sure that only guests can use them. So, next time you check in and they tell you the hotel Wi-Fi password, ask the desk clerk if it’s secure. “Yes” isn’t necessarily the whole story, the clerk may think that having a password means it’s secure, but, as I explained above, it doesn’t necessarily mean that. Check for that padlock.
HTTPS: A Shield for Browsing
A few years ago, the companies that produce our web browsers (Google, Edge, Firefox, Safari, etc.) put gentle but persistent pressure on website owners to implement HTTPS on all pages of their websites. For sites like mine, it was a trivial undertaking, but for large sites like Amazon, it was probably a pretty heavy lift at first. The good thing is that once it was done, it was done.
We were all willing to do it, though, because HTTPS is a super-secure way of sending information over the Internet. When you see “HTTPS” at the beginning of a web address, the “S” stands for “secure.”
Here’s how it works:
- Encryption: HTTPS encrypts the data between your device and the website. Remember when you see the word encryption that it means that if someone tries to intercept any of your data, all they’ll see is a bunch of scrambled characters.
- Verification: HTTPS makes sure you’re communicating with the website you intended to go to. It uses certificates to verify the identity of the site, so you know it’s the actual site and not an impostor site.
Here’s an analogy:
Imagine you’re sending a letter to a friend, and it’s got some sensitive stuff in it, a declaration of your adoration for someone you both know. HTTP, without the “S”, is like putting the letter into a regular envelope. Someone without scruples can just open it and read it, change it, make copies of it, distribute it. That encryption makes it like putting the letter into a lockbox that only you and your friend have keys to.
Here’s where it’s not an ironclad guarantee against all the ills of the world
- It doesn’t protect against everything. It protects data in transit, but once the data gets there, HTTPS’s job is done. If there’s a compromise at the actual website, HTTPS doesn’t have any role in protecting you from data breaches or from malware infecting site users.
- It carries a performance overhead, which means that it can slow down site loading times. It’s not usually even noticeable, but for huge sites or sites that have a lot of visitors, you might notice a bit of a lag.
- It might give users a greater sense of security than actually exists. The data in transit is encrypted, but the site itself may not be trustworthy. You can visit a phishing site that looks legitimate, and HTTPS will trust it because it has a valid certificate.
- Websites need to maintain or renew their certificates to use HTTPS. If a certificate expires, users will receive warnings that might drive them away from the site.
If HTTPS has all those problems, why are we saying it’s secure? It’s secure in what it does, but it’s not secure in what it’s not designed to do. HTTPS is designed to provide a layer of encryption around information going across the Internet. That’s all, nothing else. It’s not malware protection, it’s not data breach protection, it’s not phishing protection.
How to check for HTTPS at a website
In the browser address bar, look for one of these at the far left edge (apologies for the pixelation):
Whichever one you see, if you click on it, you’ll get information on why it’s secure or not secure, but the real information you want is found either by clicking on the certificate icon or the arrow that shows “show certificate information” when you hover over it. It will tell you who issued the certificate. Now, if you look at mine, it shows “Let’s Encrypt” as the certificate issuer. Let’s Encrypt was born of an effort to get the whole web to use encryption, and a Let’s Encrypt certificate is a valid certificate. It’s also free to use, which is why I’m using it. I’m not collecting any of your credit card information, either, because you’re not buying anything here. At any of the sites where I collect any sensitive information, those certificates are more comprehensive in what they require. As a result, someone like Amazon shouldn’t be using a Let’s Encrypt certificate — and they’re not. Their certificate is from DigiCert, a large certificate authority. Sectigo and GlobalSign are two other large authorities used by larger organizations.
Mobile devices too
On your phone, you can check a site’s certificate on your phone as well. On an iPhone, it’s pretty easy if you’re using Chrome. At the bottom of the screen, click the three dots, and in the pop-up, select Site Information. Using Firefox, you can actually touch the padlock, and you can see “Connection is secure,” but you won’t find any actual certificate information. That can make it hard to find out if a site calling itself by a very familiar name is using a Let’s Encrypt certificate. If you’re clicking a link from a social media site, planning to buy something, you might want to be using a different browser. Using Safari, you’ll see the padlock, but there’s no way to get any more information. Chrome and Firefox on Android work the same way as for iPhone.
Best Practices for Using Public Wi-Fi
You don’t need to completely avoid public Wi-Fi, thanks to HTTPS, but there are still some things you should do to be safe. The most important thing is to only use public Wi-Fi for things that don’t matter much. In other words, non-sensitive activities are fine, like movies, casual browsing, and stuff like that. Don’t go to a site where you have to enter sensitive information using public Wi-Fi. No online banking, shopping, or logging into sites.
If you know that you want to use public Wi-Fi and you still need to do those sensitive things, you need to get and use a Virtual Private Network (VPN). A VPN provides encryption between your device and a VPN endpoint, where it sends the data out to the Internet to its final destination. That encryption layer makes it safe to send sensitive information.
When you’re back on your own turf, go into your Wi-Fi networks and tell your device to forget that network.
Additional Safety Tips
As always, make sure to update your devices and applications with the current security patches. Don’t allow automatic connection to open networks. Whenever possible use that inconvenient two-factor or multifactor authentication. Don’t respond to pop-ups or click on unknown links. These are kind of universal, but they apply more firmly when you’re on open Wi-Fi.
Your Turn
You can use public Wi-Fi, but now you know how to use it more safely. Have questions about staying secure online? Leave a comment, and let’s discuss!
My photography shops are https://www.oakwoodfineartphotography.com/ and https://oakwoodfineart.etsy.com, my merch shops are https://www.zazzle.com/store/south_fried_shop and https://society6.com/southernfriedyanqui.
Check out my New and Featured page – the latest photos and merch I’ve added to my shops! https://oakwoodexperience.com/new-and-featured/
Curious about safeguarding your digital life without getting lost in the technical weeds? Check out ‘Your Data, Your Devices, and You’—a straightforward guide to understanding and protecting your online presence. Perfect for those who love tech but not the jargon. Available now on Amazon:
https://www.amazon.com/Your-Data-Devices-Easy-Follow-ebook/dp/B0D5287NR3