Blog
Security has come a long way since the Firesheep days.
Do you have a lot of fear, uncertainty, and doubt (FUD) about using public Wi-Fi? This is mostly unfounded. Everyone believes public Wi-Fi is dangerous, but there aren’t good technical explanations.
It’s time to challenge that assumption. The reality is, you’ll find Wi-Fi carries about the same risk as other technologies without a high degree of concern.
In this webinar, Enough FUD, Public Wi-Fi Is Safe, you’ll learn why public Wi-Fi doesn’t have to be dangerous anymore.
Ground rules
To approach public Wi-Fi use safely, it’s important to follow some basic rules, including:
- Follow your company policy. If your policy is not to connect to public Wi-Fi with your work-issued devices, you should listen to the people who employ you.
- Obey local laws. Different countries have different regulations about public Wi-Fi that may require you to hand over your identification or other information to connect to the network.
- Think for yourself. Your circumstances are unique, and you should make up your own mind.
The concerns about public Wi-Fi
There are two main concerns when discussing public Wi-Fi:
- Security
- Privacy
While they’re different, they really are related.
Security
This refers to the potential exposure to malicious actors and vulnerability to attacks from hackers and scammers. Protecting against these threats is important because sensitive information, such as passwords and financial details, can be stolen if transmitted over unsecured public Wi-Fi networks.
Privacy
Users want control of their data to ensure that personal information is not exposed to others. This includes messages sent via instant messaging apps and other online communication methods. By understanding these concerns, users can take steps to protect their privacy and avoid any potential data breaches.
A brief history lesson is needed to fully appreciate the risks associated with public Wi-Fi and IT security.
History of public Wi-Fi
Public Wi-Fi does has a troubling past. In 2010, Firesheep was released. This made it very simple to do HTTP session hijacking and credential theft with passive OTA sniffing. Users’ accounts and browsing sessions were vulnerable to hijackers just by sitting in the same coffee shop or the parking lot outside. Anyone could use those individuals’ browsing sessions and thus their identity simply by passively sniffing the data from this public Wi-Fi network.
This was a seminal moment in information security and why a lot of the advice about public Wi-Fi is based on the Firesheep days when people could sniff traffic passively, with no “man-in-the-middle” necessary, and take over people’s web browsing sessions.
Several factors made the Firesheep attack possible. Public Wi-Fi networks were and still are, for the most part, unencrypted. This means that no encryption is added by the Wi-Fi network when users connect to it, leaving transmitted data vulnerable to interception. In 2010, most web browsing was unencrypted, with users sending clear text traffic to web applications via HTTP. Overall, there was a general lack of awareness of information security.
Today, public Wi-Fi networks have improved, with some offering encryption and authentication at the Wi-Fi network layer. However, the risks associated with public Wi-Fi usage still exist. The United States Federal Trade Commission (FTC) warns users that public Wi-Fi networks are not secure, especially if they log into unencrypted sites or sites that use encryption only on the sign-in page. Despite the changes and improvements, there is still a need for caution and vigilance when using public Wi-Fi networks.
It is important to note that the information on the FTC site refers to unencrypted websites and a 12-year-old hacking tool. That’s just not the reality of the web today.
.png?width=849&height=531&name=image3%20(2).png)
In 2010, public Wi-Fi networks could apply some security measures at layer two in the networking model, but most of the time, they still didn’t use these measures. At layer seven, the application layer where HTTP resides, most of our traffic was unencrypted, too.
The result was no security anywhere in the stack, which made public Wi-Fi networks particularly dangerous, especially when using a wireless medium – you could just sniff those packets out of the air and inspect their contents.
End-to-end security
.png?width=1166&height=513&name=image2%20(2).png)
With so much focus on Wi-Fi security, end-to-end connectivity remains vulnerable. Wi-Fi security only applies to connections between devices and the AP or the controller, leaving traffic unencrypted across various networks to access cloud services. A VPN is an option for additional security, but personal VPNs only redirect traffic to another network and do not provide complete security.
It’s important to realize that only focusing on Wi-Fi security lacks a huge element of network connectivity use. Do not assume that a WPA3 enterprise network is secure just because the over-the-air connectivity is secure. The rest of the connectivity needs other forms of security to handle that.
Necessary changes and encryption
.png?width=1083&height=570&name=image5%20(2).png)
A lot has changed since those Firesheep days and unencrypted HTTP’s dominance. Due to the Snowden revelations, HTTPS usage has increased significantly since 2013-2014. Now, top 100 non-Google websites and 97% of them default to HTTPS.
.png?width=1031&height=385&name=image4%20(2).png)
HTTPS has become more secure with features like HTTP Strict Transport Security (HSTS), which adds a tag to the HTTP header telling the browser to only use HTTPS with the domain, and HTTPS-only modes in web browsers.
Additionally, HSTS is set with a timeout, usually lasting over a year. Two-thirds of the top 1000 websites in the world use HSTS, a promising indication of the widespread adoption of HTTPS.
Web browsers now actively warn users when browsing on HTTP sites, putting up a banner that says “Not Secure.” Browsers like Chrome and Firefox have HTTPS-only modes, where the browser simply won’t load any HTTP sites without the user first clicking through a warning. The evolution of browser security towards HTTPS-only browsing indicates a growing commitment to online security and privacy.
While public Wi-Fi has come a long way since the days of Firesheep, there are still risks associated with its use. Security and privacy remain top concerns, and users must be aware of the potential dangers and how to protect themselves. By following basic rules and precautions, users can minimize their risks.
Contact 7SIGNAL to learn more
7SIGNAL has developed Mobile Eye® and Sapphire Eye® sensors to help engineers design better Wi-Fi networks using real-time, accurate information. Contact us to learn more about our wireless experience monitoring platform.
7SIGNAL® is the leader in wireless experience monitoring, providing insight into wireless networks and control over Wi-Fi performance so businesses and organizations can thrive. Our cloud-based wireless network monitoring platform continually tests and measures Wi-Fi performance at the edges of the network, enabling fast solutions to digital experience issues and stronger connections for mission-critical users, devices, and applications. Learn more at www.7signal.com.