Picking the right web browser and add-ons is fine if you’re on a desktop or a laptop at home, but are you still protected if you’re using a public wifi network at a coffee shop or a hotel? Or what about when you’re using 3G or 4G wireless broadband on a tablet or phone? And while we’re on the subject, is a wired connection really safer than wireless?
The most prevalent threat on any network is eavesdropping: an attacker on the same network path can see the raw data exchanged between the client (your laptop, desktop, phone, tablet, etc.) and the server you are connecting to. This is shockingly easy to do regardless of whether you are on a wired or wireless connection, and even so-called “secure” wireless networks still leave you exposed. On a WPA/WPA2 network protected by a shared password, everyone who knows that password (every other customer in the coffee shop) can decrypt the traffic of the other clients, and on a wired network anyone who can redirect traffic through their own machine (ARP spoofing works on wired LANs too) is in the same position.
Fortunately, there is a solution and it has been around since the mid-1990s: secure websites, the ones whose address starts with https://. The underlying protocol began life as SSL and was standardized as TLS in 1999. What makes them secure?
- Secure websites present a certificate – sort of like a government-issued ID but for the Internet – issued by a certificate authority your browser trusts. The browser checks that the certificate is valid and that it was issued for the name in the address bar, and you can examine it yourself (click the padlock) to confirm that the website is legitimate and authentic.
- The key in that same certificate is used to set up the encryption: your browser and the site use it to agree on a fresh secret key for the session, and everything passed back and forth is then scrambled with that key. Encryption protects the data from eavesdroppers, and the clever math behind it makes the scrambling practically impossible to reverse without the key. One caveat worth knowing: an eavesdropper can still see which site you are talking to (the server’s address and, usually, its name) and how much data is flowing, just not what it says.
Starting around 2010, secure websites became a lot more common after the release of Firesheep (October 2010), a Firefox extension that made hijacking unencrypted website sessions on a shared network so trivially easy that web service providers were basically shamed into providing secure versions of their websites. Some companies, notably Google and Facebook, made a big push to serve the secure version of their sites by default. Others make a secure version available but don’t enable it by default.
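To make the eavesdropping and Firesheep points above concrete, here is an added example (not code from the original post, and not Firesheep’s own code) that shows what a passive sniffer on a shared network recovers from one plaintext HTTP request versus the same request over HTTPS. The traffic is constructed inline: the host, the cookie values, and the list of session-cookie names are made up for the example, and the TLS record body is a placeholder standing in for ciphertext.

```python
import re

# Constructed sample traffic for this example (made-up host and cookie values,
# not captured from any real network).
HTTP_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sessionid=8f2a9c4e1b; theme=dark\r\n"
    b"\r\n"
)
# The same request as it would appear over HTTPS: one TLS application-data
# record (content type 0x17, version 0x0303, 64-byte body). The body here is a
# placeholder standing in for ciphertext.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x40]) + bytes(range(64))

# Cookie names that carry a login session. A Firesheep-style tool ships a
# per-site list like this; these names are an assumption for the example.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID", "auth_token"}

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Identify the protocol from the first bytes of a TCP payload."""
    if (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"          # TLS record header: type, version, length
    if _REQUEST_LINE.match(payload):
        return "http"         # plaintext HTTP request line
    return "unknown"


def parse_http_request(payload: bytes):
    """Split a plaintext HTTP request into (method, path, headers)."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        raise ValueError("not an HTTP request")
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return m.group(1).decode(), m.group(2).decode(), headers


def cookies_from_header(value: str) -> dict:
    """Parse a Cookie header value such as 'a=1; b=2' into a dict."""
    jar = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            jar[name] = val
    return jar


def eavesdrop(payload: bytes) -> dict:
    """Everything a passive sniffer learns from one TCP payload."""
    kind = classify(payload)
    if kind == "http":
        _, path, headers = parse_http_request(payload)
        jar = cookies_from_header(headers.get("cookie", ""))
        return {
            "kind": "http",
            "host": headers.get("host"),
            "path": path,
            "session_cookies": {k: v for k, v in jar.items() if k in SESSION_COOKIE_NAMES},
        }
    if kind == "tls":
        # Only the record header is readable: record type and length, nothing else.
        return {
            "kind": "tls",
            "record_type": payload[0],
            "ciphertext_bytes": int.from_bytes(payload[3:5], "big"),
            "session_cookies": {},
        }
    return {"kind": kind, "session_cookies": {}}


def forge_request(host: str, path: str, session_cookies: dict) -> bytes:
    """Replay a stolen session cookie: this is the entire Firesheep-style hijack."""
    cookie = "; ".join(f"{k}={v}" for k, v in session_cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


if __name__ == "__main__":
    for payload in (HTTP_REQUEST, TLS_RECORD):
        seen = eavesdrop(payload)
        print(seen)
        if seen["session_cookies"]:
            print(forge_request(seen["host"], seen["path"], seen["session_cookies"]).decode())
```

Run it and the plaintext request yields the host, the path, and a ready-to-replay session cookie, while the HTTPS record yields only “64 bytes of application data”. That asymmetry is the whole reason the advice below keeps coming back to https://.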
So if you are connected to an untrusted network and are concerned about the security of your data, the advice boils down to:
- Use a web browser to access the services you need and request the secure version of the website by typing https:// in front of the address. The previously mentioned HTTPS Everywhere plugin can automate this, and current browsers also ship an HTTPS-only mode that does the same job. If a site doesn’t offer a secure version, try not to use it on an untrusted network (or, if you must, use it but don’t log in or submit any form data). Also check that the whole session stays on https://: a site that takes your login over HTTPS and then drops back to plain HTTP for everything else sends your session cookie in the clear on every subsequent request, which is exactly what Firesheep harvested.
- Take certificate warnings seriously when on an untrusted network. A warning on a site that normally loads cleanly means the certificate being presented is not the site’s own: either the site is misconfigured or someone on the network is intercepting the connection. One benign cause to know about is the captive portal (the hotel or airport sign-in page), which intercepts your first request and triggers exactly this warning before you have signed in. Don’t click through; open a plain http:// page so the portal can appear, sign in, and then return to the https:// site, which should now load without a warning. If it still warns, stop. In addition to the browser warnings, the previously mentioned Netcraft Toolbar also shows a visual “risk rating” bar.
- Use Private Browsing mode if your browser supports it (most do). The tricky bit is that Private Browsing mode isn’t inherently more secure; it encrypts nothing. So what’s the point? Most web services keep you logged in with an authentication cookie, and if an attacker steals that cookie they can impersonate you (this is how the aforementioned Firesheep tool worked). A private window starts with an empty cookie jar, so your existing logged-in sessions are not sent to every site you visit, and only the services you deliberately log into during that window are exposed.
- If you can, explicitly log off from the services you access. For the same reason as above: if an attacker does manage to snag an authentication cookie while you’re on an untrusted network, logging off tells the server to invalidate that session, and the stolen cookie becomes useless from that point on. Closing the browser or the private window is not the same thing; the server-side session stays alive until it expires.
- If you’re using a mobile device, prefer the website in a browser over the app. Most web services have a mobile version of the site that can usually be reached at https://m.service.com, e.g. https://m.gmail.com/ for Gmail. Why not use the app? Even though mobile apps can use a secure connection to encrypt their data, many don’t. And even among those that do, some don’t check the server’s certificate at all, so an attacker on the network can present their own certificate and the app will hand over your credentials without any warning, where a browser would have stopped with a certificate error.
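The two certificate points in the list above (what a browser actually checks before it shows or suppresses a warning, and what an app that “doesn’t bother checking” has done wrong) are easiest to see side by side in client code. The following is an added example written for this post, not code from any particular app or from the original article: the insecure context is the pattern found in apps that skip verification, the hardened context is what a browser does, and a small audit function reports the difference. `fetch_head` performs a real handshake and so needs network access; the optional SHA-256 pin is an assumption you would fill in for a site you control.

```python
import hashlib
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern found in apps that 'don't bother checking the certificate'.
    Any certificate, including one minted by an attacker on the coffee-shop
    network, is accepted, and the name in it is never compared to the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What a browser does: chain validation against trusted roots, hostname
    match, and no legacy SSL/TLS versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of ways this client context would accept an interception."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed (minimum_version too low)")
    return findings


def fetch_head(host: str, ctx: ssl.SSLContext, port: int = 443,
               expected_sha256: str = None) -> str:
    """Handshake with the given context and return the HTTP status line.

    With the hardened context an interception attempt fails with
    ssl.SSLCertVerificationError, which is the programmatic form of the
    browser's certificate warning. expected_sha256 (assumed, optional) is a
    hex SHA-256 of the server's DER certificate for pinning; an app can do
    this on top of normal validation, a browser generally cannot.
    Needs network access; not exercised offline."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if expected_sha256 is not None:
                seen = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
                if seen != expected_sha256.lower():
                    raise ssl.SSLError(f"certificate pin mismatch for {host}: {seen}")
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The order of the two assignments in `insecure_client_context` is not cosmetic: Python refuses to set `CERT_NONE` while `check_hostname` is still on, which is a small built-in nudge away from exactly the mistake the list above describes. When reviewing a mobile or desktop app, those two lines (or their equivalents: a trust manager that accepts everything, a `verify=False`, a hostname verifier that always returns true) are the first thing to grep for.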
All of this may sound like a big pain to go through, and for most people that’s probably right. The actual practical risk is probably low, but only you can decide whether the inconvenience is worth the increase in privacy.
A more complicated solution is to use a VPN service. Since this post is getting a bit long, I’ll leave this for another post but if you are interested in learning more about a VPN option, please leave a comment below.