
How Do I Use an Open Wi-Fi Hotspot Safely?


I’ve returned to the same coffee shop where I was a few months ago, where I noticed my email had been hijacked/hacked. This time, I’m using my phone, but the last time, when I noticed the hack, I was using my computer and doing email over an open-internet, free Wi-Fi network.

Do you think that could be the source of the problem or just a coincidence? I’m still afraid to do email from here.

It definitely could have been. Unfortunately, it’s hard to say for sure; it could have been something else unrelated.

As we can’t really diagnose the past, let’s look ahead instead.

It can be absolutely safe to send and receive email from a coffee shop or any other location that provides unsecured or “open” Wi-Fi. In fact, I do it all the time.

But to ensure your safety, you do have to follow some very important practices.


Turn on the firewall

Fortunately, firewalls are “on” by default in most operating systems.

However, when you’re at home, you may use your router as your firewall, and keep any software firewall on your machine disabled. That works well, as the router stops network-based attacks before they ever reach your computer… while you’re at home.

When you’re on an open Wi-Fi hotspot, or connected directly to the internet via other means, that software firewall isn’t redundant. In fact, it’s critical.

Make sure your firewall is enabled before connecting to an open Wi-Fi hotspot. Various network-based threats could be present on an untrusted connection, and it’s the firewall’s job to protect you from them.

The open Wi-Fi problem

The problem with open Wi-Fi hotspots is that the wireless radio connection between your computer and the wireless access point nearby is not encrypted. That means any data you don’t actively encrypt some other way is transmitted in the clear, and anyone within range can eavesdrop and see it. Encryption, using WPA2, prevents that.

An interstitial page is not encryption. If you connect to a hotspot and the operating system on your machine requires a password for it to work, that’s not an open Wi-Fi hotspot, and you may be OK. On the other hand, if you can connect, and your browser then first takes you to a webpage that says “enter a password” (as in a hotel) or “check to accept our terms” (as in most other open hotspots), that connection is not encrypted, and it is not secure. It is an open Wi-Fi hotspot.

Secure your desktop email program

If you use a desktop email program, such as Outlook, Windows Live Mail, Thunderbird, or others, you must make certain it is configured to use SSL/secure connections for sending and downloading email.

Typically, that means that when you configure each email account in your email program, you need to:

  • Configure your POP3 or IMAP server for accessing your email using SSL, TLS, or SSL/TLS security options, and usually a different port number.
  • Configure your SMTP server for sending email using SSL, TLS, or SSL/TLS security options, and usually a different port number, such as 26, 465, or 587 (instead of the default 25).

How you configure these settings, of course, depends on the email program you use; you’ll need to check with them to determine the correct settings.

With these settings, you can feel secure downloading and sending mail using an open Wi-Fi hotspot.
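To show what checking those settings looks like, here is an added example (not part of the original article) that audits mail server settings as you would read them off your email program's account screen. The account names, hosts and the four security-option labels are made up for illustration; the ports are the standard registered ones.

```python
from collections import namedtuple

# Standard registered ports. "upgrade" ports start in cleartext and switch to
# TLS via STARTTLS; "implicit" ports expect TLS from the very first byte.
PORTS = {
    "imap": {"default": 143, "upgrade": {143}, "implicit": {993}},
    "pop3": {"default": 110, "upgrade": {110}, "implicit": {995}},
    "smtp": {"default": 25, "upgrade": {25, 587}, "implicit": {465}},
}

# security uses hypothetical labels (real programs word them differently):
# "none", "starttls-if-available", "starttls" or "ssl/tls"
ServerSetting = namedtuple("ServerSetting", "account protocol host port security")


def audit(s):
    """Return (severity, message) findings for one incoming or outgoing server."""
    ports = PORTS[s.protocol]
    findings = []
    if s.security == "none":
        msg = "password and mail cross the hotspot in cleartext"
        if s.port != ports["default"]:
            # A different port number by itself encrypts nothing.
            msg += f"; port {s.port} without a security option changes nothing"
        findings.append(("FAIL", msg))
    elif s.security == "starttls-if-available":
        findings.append(("FAIL", "continues unencrypted when the STARTTLS upgrade "
                         "is not offered; set it to required"))
    elif s.security == "starttls":
        if s.port in ports["implicit"]:
            findings.append(("WARN", f"port {s.port} expects TLS immediately; "
                             "switch to ssl/tls rather than turning security off"))
    elif s.security == "ssl/tls":
        if s.port in ports["upgrade"]:
            findings.append(("WARN", f"port {s.port} normally uses STARTTLS; "
                             "switch to starttls rather than turning security off"))
    else:
        raise ValueError(f"unknown security option: {s.security!r}")
    return findings


def safe_for_open_wifi(settings):
    """True only if no server entry would expose credentials or mail."""
    return all(sev != "FAIL" for s in settings for sev, _ in audit(s))


# Constructed sample: two accounts, each with an incoming and an outgoing server.
SAMPLE = [
    ServerSetting("Work", "imap", "mail.example.com", 993, "ssl/tls"),
    ServerSetting("Work", "smtp", "mail.example.com", 587, "none"),
    ServerSetting("Home", "pop3", "pop.example.net", 110, "starttls-if-available"),
    ServerSetting("Home", "smtp", "smtp.example.net", 465, "starttls"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        for sev, msg in audit(s) or [("OK", "encrypted for the whole connection")]:
            print(f"{sev:4} {s.account} {s.protocol}:{s.port} ({s.security}) - {msg}")
    print("Safe for open Wi-Fi:", safe_for_open_wifi(SAMPLE))
```

The second sample entry is the one to watch for: the port was changed to 587 but the security option was left off, so nothing is encrypted.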

Secure your web-based email

If you use a web-based email service like Gmail, Outlook.com, Yahoo, or others via your browser, you must make sure it uses an httpS connection and that it keeps on using that httpS connection throughout your email session.

Fortunately, most of the major email services have adopted https as the standard (and sometimes the only) connection method.

Accessing email using a plain http connection might well be the source of many open Wi-Fi-related hacks. I expect that people simply log in to their web-based email service without thinking about security; as a result, their username and password are visible to any hackers in range who care to look.

Be careful. Some services use https only for your login, which is insufficient, as your email conversations thereafter could be viewed by others. Other services may “fall out” of https, reverting to unsecure http without warning.
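Both failure modes just described, https only for login and “falling out” of https, can be spotted in a list of the requests a browser made during a session. This added example (not from the original article) runs that check over a constructed trace; the host names, cookie names and the trace format are assumptions, and cookie Domain/Path scoping is ignored to keep it short.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_session(trace, service_host):
    """Walk a session trace and report where it stops being protected by https."""
    report = {"first_cleartext_step": None,
              "cookies_without_secure": [],
              "cookies_sent_in_clear": []}
    sendable_over_http = []  # cookies a browser would attach to an http:// request
    for step, entry in enumerate(trace, start=1):
        url = urlsplit(entry["url"])
        host = (url.hostname or "").lower()
        if host != service_host and not host.endswith("." + service_host):
            continue  # third-party request, not part of the mail session
        cleartext = url.scheme == "http"
        exposed = []
        if cleartext:
            if report["first_cleartext_step"] is None:
                report["first_cleartext_step"] = step
            # Cookies lacking the Secure attribute ride along on this request.
            exposed = list(sendable_over_http)
        for header in entry.get("set_cookie", []):
            name, attrs = parse_set_cookie(header)
            if "secure" in attrs:
                if name in sendable_over_http:
                    sendable_over_http.remove(name)  # re-issued with Secure
            else:
                if name not in sendable_over_http:
                    sendable_over_http.append(name)
                if name not in report["cookies_without_secure"]:
                    report["cookies_without_secure"].append(name)
            if cleartext:
                exposed.append(name)  # set in a cleartext response: visible too
        for name in exposed:
            if name not in report["cookies_sent_in_clear"]:
                report["cookies_sent_in_clear"].append(name)
    return report


# Constructed trace: https for the login, then the session drops to http.
TRACE_LOGIN_ONLY = [
    {"url": "https://mail.example.com/login"},
    {"url": "https://mail.example.com/login",
     "set_cookie": ["session=abc123; Path=/; HttpOnly", "csrf=xyz789; Path=/; Secure"]},
    {"url": "https://mail.example.com/inbox"},
    {"url": "https://cdn.example.org/app.js"},
    {"url": "http://mail.example.com/inbox/message/42"},
]

# Constructed trace: https from start to finish, session cookie marked Secure.
TRACE_HTTPS_THROUGHOUT = [
    {"url": "https://mail.example.com/login",
     "set_cookie": ["session=abc123; Path=/; HttpOnly; Secure"]},
    {"url": "https://mail.example.com/inbox"},
    {"url": "https://mail.example.com/inbox/message/42"},
]

if __name__ == "__main__":
    for label, trace in (("login-only https", TRACE_LOGIN_ONLY),
                         ("https throughout", TRACE_HTTPS_THROUGHOUT)):
        print(label, audit_session(trace, "mail.example.com"))
```

In the first trace the password itself was protected, but the session cookie that stands in for it afterwards is sent in the clear at step 5, which is why https only at login is not enough.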

Secure all your other online accounts

Any and all web-based (aka “cloud”) services that require you to log in with a username and password should either be used only with https from start to finish or be avoided completely while you’re using an open Wi-Fi hotspot.

With more and more services being provided online, this is getting to be a larger problem.

Using the cloud is a great way to manage your digital life from wherever you may be, but security remains a key problem. Using https is critical to that security when you’re out and about.

Use a VPN

This one’s for the road warriors. You know them: the folks who are always traveling and online the entire time, often hopping from coffee shop to coffee shop in search of an internet connection as they go.

A VPN, or Virtual Private Network, is a service that sets up a securely encrypted ‘tunnel’ to the internet and routes all of your internet traffic through it. Https or not, SSL/secure email configuration or not, all of your traffic is securely tunneled, and no one sharing that open Wi-Fi hotspot can see a thing.

This service typically involves a recurring fee. As I said, they’re great for road warriors, but probably overkill for the rest of us, as long as we follow the other security steps described above.

Use different passwords

Finally, it’s important to keep your account passwords different from each other and, of course, secure.

That way, should one account be compromised by some stroke of misfortune, the hackers won’t automatically gain access to your other accounts. Remember, even when you use an open Wi-Fi hotspot properly, a hacker can still see the sites you’re visiting, even though they cannot see what you are sending to and from that site. That means they’ll know exactly what sites to target.

Consider not using free Wi-Fi at all

As I said, it can be safe to use open Wi-Fi, but it’s also easy for it to become unsafe.

The solution you used at that same coffee shop (and asked me about in this question) is a very common and solid one: use your phone instead.

While it is technically possible, a mobile/cellular network connection is significantly less likely to be hacked. In fact, I use this solution heavily when I travel.

Most mobile carriers offer one or more of the following options:

  • Use your mobile device. Many phones or other mobile devices, such as iPhones, iPads, Android-based phones, and others are quite capable email and web-surfing devices, and typically do so via the mobile network. (Some also use Wi-Fi, so be certain you’re using the mobile broadband connection for this option to avoid the very security issues we’re discussing.)
  • Tether your phone. Tethering means you connect your phone to your computer — usually by a USB cable, but in some cases, via a Bluetooth connection — and the phone acts as a modem, providing a mobile broadband internet connection.
  • Use a dedicated mobile modem. Occasionally referred to as “air cards”, these are USB devices that attach to your computer and act as a modem, providing a mobile broadband internet connection, much like tethering your phone.
  • Use a mobile hotspot. In lieu of tethering, many phones now have the ability to act as a Wi-Fi hotspot themselves. There are also dedicated devices, such as the MiFi, that are simple dedicated hotspots. Either way, the device connects to the mobile broadband network and provides a Wi-Fi hotspot accessible to one or more devices within range. When used in this manner, these devices act as routers and must be configured securely, including a WPA2 password, so as not to be simply another open Wi-Fi hotspot susceptible to hacking.

I travel with a MiFi, and also have a phone capable of acting as a hotspot as a backup. I find this to be the most flexible option for the way I travel and use my computer.

Don’t forget physical security

Laptops are convenient because they’re portable. And because they’re portable, laptops are also easily stolen.

Unfortunately, it only takes a few seconds for an unattended laptop to disappear. That’s one reason I never leave mine alone: even if I need to make a quick trip to the restroom, the laptop comes with me. There’s just no way of knowing that everyone around me is completely trustworthy.

In that same vein, I also prepare somewhat in case my laptop does get swiped. Specifically, that means:

  • My hard drive is encrypted.
  • My sensitive data is stored in folders that are encrypted using BoxCryptor. Those folders are not mounted unless I need something.
  • LastPass is set to require a password re-prompt after a certain amount of inactivity.
  • I have two-factor authentication enabled on as many accounts as support it, including LastPass.
  • I have tracking/remote wiping software installed.

Computer theft and recovery is a larger topic that’s only tangential to using open Wi-Fi hotspots. Clearly, though, if you are a frequent user of assorted open hotspots in your community or when you travel, a little attention to theft prevention and recovery is worth it as well.

Security and convenience are always at odds

As you can see, it’s easy to get this stuff wrong, since doing it securely takes a little planning and forethought.

But it’s important. If you’re not doing things securely, that guy in the corner with his laptop open could be watching all your internet traffic on the Wi-Fi connection, including your account username and password as they fly by.

And when that happens, you can get hacked.

Fortunately, with a little knowledge and preparation, it’s also relatively easy to be safe.


71 comments on “How Do I Use an Open Wi-Fi Hotspot Safely?”

  1. Re: Use a VPN
    I’ve been using a free service called Hotspot Shield. Two minor irritants. First, using any VPN will be noticeably slower than not using it but that’s the price you pay for security. Second, HSS puts a large advertising banner across the top of your screen. You can collapse the banner but it will reappear at each new site you visit.

    http://hotspotshield.com/

  2. Re: Using a VPN
    On a recent trip I downloaded and used Security Kiss VPN. It was a free service, with some download limits (that I never maxed out on), but it worked very well. I did not feel too constrained with speed, etc. – http://www.securitykiss.com

  3. LEO please try log me in (logmein.com) it’s Free, it’s fast and does SSL with 256k encryption. It allows you to connect to your home/work computer; from there you can access the internet securely or anything on your computer just like you were sitting in front of it.

  4. I believe there is no real safety in using WiFi hotspots but as a comment if you have to go, get off as quickly as you can. Do not stay connected.

  5. Re Secure Your Desktop Email Program:
    I found Thunderbird does not allow me to use these settings for my ISP (even though Outlook does). Others have found this too as a search of the WWW shows. It seems to be an issue with Thunderbird and it has persisted over several versions.

    Re “If you use a web-based email service like Gmail, … via your browser, you must … make sure that it uses an httpS connection.” How do I do that?

    There’s a setting in Gmail’s options. More to the point: after setting that setting in any email service make sure that the URL remains httpS in the address bar.

    Oh, and for the record: I use Thunderbird with secure settings.

    Leo
    12-Apr-2011

  6. One comment about securing your POP3 and SMTP servers with SSL, etc. Apparently some antivirus programs object to doing that because SSL protected e-mail cannot be scanned by the AV program. I found this out after turning on SSL in Windows Live Mail and subsequently received an “advice” message from Avast! saying in effect “turn SSL off”!

    • I see enough problems with anti-malware tools trying to scan email as it arrives that I often recommend turning that “feature” off.

  7. If you’re not doing a ton of heavy downloading, there are some good free vpn services available that should be more than adequate for light surfing and e-mail.

  8. I understand that this article is about OPEN WiFi spots. I do however have a question that is relevant.

    If a business replaced the “open” as in unencrypted with “WPA/WPA2 encrypted with publicly known password”, would we then be safer?

    E.g. you have the router, with WPA encryption, and above it you have “the password for this is 123456789FREEWPA”. Does that prevent others who know the password from seeing what I am surfing at the moment or is “known password” as good as “no password”? I’m quite sure there are at least two persons I can convince to switch to the second option if it will improve things.

  9. I’m surprised and maybe learning something. I thought that all data sent from an open wifi hotspot was viewable and vulnerable unless a vpn is used. Is it true that when banking (since they keep https enabled) at an open wifi hotspot I am safe? Can I really do this without a vpn? More technically asked; when using https in an open wifi hotspot, is the wireless leg of the communication really encrypted and safe and, therefore, no other safety component is needed?

    I am really interested in understanding this and/or getting a vpn recommendation.

  10. Very informative. You mentioned using your phone as a hotspot by connecting to the mobile broadband signal. Can we connect our phone to the open wifi at the business, then have our phone create another wifi that we secure, and our laptop connects to the phone wifi? I’m doubting this is possible since everything I read is about using the mobile broadband, but it’s worth asking:-)

  11. @Daniel
    As far as I know, it’s not possible to use your phone hotspot function when you are connected via Wi-Fi. But it really wouldn’t serve much purpose doing that anyway, as you could simply use the Wi-Fi directly from your computer.

  12. If you enter your e-mail username via a history list rather than typing it and have set the account to remember a password, would a hacker still be able to gain access to them?

  13. I carry a small Zuni router with me to use in hotels and other questionable WiFi hotspots. It’s cheap, about the size of a pack of cigarettes, and provides a single wired connection or a new WiFi hotspot. I connect my gadgets to the secure Zuni network, not the open WiFi network, so I’m insulated somewhat by the router’s NAT. It’s probably not foolproof, but it makes me feel better.

  14. I use an iPod touch when traveling – WiFi only – It has no firewall as far as I know. Am I safe on httpS sites eg American Express? Any other advice specific to iPods?

  15. Apropos my question above on iPods. I just looked at the AmEx app and it points out that to get to Amex you have to enter your password. Does this mean it can be seen by a hacker? If so, doesn’t this apply to all secure websites? You are not secure while you are getting there?

  16. @Bill
    A well designed web site will have a secure connection to protect the login information by encrypting it. I looked at the Amex page, and their login page is a secure encrypted page, as are most if not all banks. Just check for the https: in the address bar on your browser and the lock icon to confirm that it is, in fact, encrypted.

  17. I was looking forward to using WIFI with my Blackberry Playbook rather than lugging my computer into wifi spots this winter while in the US.
    Does this article mean that I would be taking risks to do so, as I do not believe there is any firewall or virus protection on it? Many thanks. Great article.

  18. Does this mean that if I just work on a Word file without trying to send it anywhere, it’s not able to be hacked? That’s mostly what I use when I use a WiFi. Also, the one I use is at work. Is that likely to be an open WiFi? Sorry if I’m asking elementary questions, but I’m not terribly computer savvy.

    • Make sure your computer is properly protected with a firewall, and you should be fine. Better yet, turn off wireless, you shouldn’t need it to run Word. When you hover the mouse over the connection icon in the taskbar it should show you the connection type; “open” or “wep” is bad, “WPA” better, “WPA2” is great.

  19. tnx for your info.
    You mentioned that if we use a saved password or history, we are unsafe yet. But what about the cookies? Most login forms have a “remember me” check box. If we logged in to them from a secure internet with this checkbox enabled, then we won’t need to login again when we’re on an open network. Is it dangerous too?

    • There’s no blanket answer to this one. Different services use cookies in different ways to provide this functionality, and thus the security implications differ widely. For example some will prompt you to re-login anyway, since at a different network you’d be on a different IP address. My general approach is not to use “remember me” on any portable computer that I plan to take to or use at open WiFi hotspots. A tool like LastPass handles automatically logging me in as needed in those cases, and even there I have LastPass set to log me out after a while. But then one master password to LastPass later and everything else just works.

  20. I initially just needed to know if using my data plan to open my online banking website will harm my iPad. It turns out I learnt more from your article. Please correct me if I got it wrong.
    1. All https websites cannot be sniffed if you are logged into them using your data plan or WiFi connection.
    2. A VPN encrypts all information in and out of your device into nonreadable information even if you are hacked (don’t hackers have their special software for this?)
    3. WPA/WPA2 secure information from fellow WiFi users that are connected to the same connection. WEP doesn’t. (I have business premises that provide WiFi… very useful for me to change it to WPA/WPA2)
    Thank you so much!

    • 1. Yes
      2. Yes – except if your computer is hacked they may get your typed keystrokes and other information before it is encrypted or after it is decrypted on your machine.
      3. Yes – but WPA2 is much more secure than WPA which is not so hard to crack.

    • That FBI warning isn’t from the FBI. The FBI doesn’t operate that way. It’s more likely that you got hit with malware which locked your phone and put up that message.

  21. Free Wi-Fi spots are very dangerous. 60% of all free Wi-Fi spots are exposed to hacking.
    I always connect to {URL removed} VPN on my desktop or mobile device. I don’t want to give someone access to my personal photos, videos, conversations, credit card data if I shop online, passwords, accounts.
    I have a rule not to process any money transactions using free Wi-Fi.

  22. My car has wifi and a simple password. I don’t think I can change any settings – other than maybe the password. Is this safe to use with an iphone? Are the apps intrinsically safe eg for banks and credit cards and things like Vanguard.

    Exact same question for open wifi spots where I use wifi because I have a skimpy broadband plan?

    • With respect to your car, the fact that it has a password at all is a good thing. That probably means that it’s using WPA or WPA2 encryption. That the password is simple only means it is theoretically possible for someone else to guess it and begin using the Internet through your car’s WiFi. That can be corrected by changing the password to a stronger one.

      Unfortunately it’s unclear what technology apps on mobile devices actually use. One would hope that they use encrypted connections. And to be honest I believe that they do. But if you’re at all uncertain then I would avoid using those apps on open Wi-Fi connections.

  23. Thanks for the reply, Leo. It did occur to me that because the car is normally moving, it would be a difficult target for a hacker. After reading your reply I wondered if there is a way to tell what encryption you have on an iphone. (You have an article on this for Windows). I found an app eWiFi on an OLD ipod that detects all local wifis and lists the encryption type. I don’t think it’s available for newer ipods or iphones – Note it is not the same App as “ewifi – Etisalat eWiFi”. Anyway I can’t find a new version but the old one works fine. It detects all wifi in range and lists the encryption type. My car is indeed encrypted: WPA2

  24. Sir!! I am 100% sure someone in my house is monitoring my internet access, my emailing, my search. I want to end this. He did not install anything on my laptop. I checked the firewall, as it is recommended by many sites to check my firewall for Windows, but it’s just OK. Please help me stop being monitored. Sir, please advise me of something that is useful. Thanks!

    • It’s not the cable that determines the speed – it’s the configuration of the ethernet ports at either end. 10mbps, for example, is a common ethernet speed that is slower than modern WiFi.

  25. A couple of other good things to do when using public Wi-Fi:

    1. If there is more than one connection option – BobsBurgers_NY and BobsBurgers_NewYork, say – ask a member of staff to confirm which network to use prior to connecting.
    2. Avoid completing financial transactions. HTTPS is very secure, but it’s better to be safe than sorry.

    • No. Products like this – which are actually quite pointless, IMO – work by encrypting inputs at the Windows kernel’s keyboard input stack and then decrypting them as they reach the intended app. In other words, other locally installed apps are prevented from reading the inputs (or that’s the theory, at least). Such apps do not, however, encrypt web traffic and, consequently, passwords are sent in unencrypted form, -which is obviously necessary in order for the website to be able to authenticate you (unless the website uses HTTPS, of course, in which case encryption is used anyway).

  26. On encrypting the disk, this is a two-edged sword. As you say, Leo, it is the best, and in fact, the only protection that really works if your computer gets stolen. But on the other hand, with an encrypted disk, if your system gets messed up for one or another reason, it usually gives rise to a hopeless mess from which it is hard or impossible to recover.
    So unless you do very sensitive things, isn’t it probably a better idea to only encrypt those few things you really don’t want the thief to be able to see, and still be able to intervene on the machine when something goes totally wrong, rather than being locked out of your own computer and not be able to boot from an external device and repair what went wrong ?

    • Yeah, encryption is a very easy way to permanently and irrevocably lose access to data and too many people make excessive/unnecessary use of it. “Can you help me decrypt my data?” is a question that data recovery companies get asked every day – and, of course, the answer is always no, they cannot.

      I think that, for the average home user, the risks associated with encryption are greater than the risks associated with non-encryption: in other words, there’s a greater chance of them losing access to their encrypted data than of their unencrypted data being improperly accessed. And this is especially true when it comes to data stored on non-mobile devices. I actually know a couple of people who lost access to encrypted data – and the crazy thing is that neither of them had stuff on their devices that was really worthy of being encrypted.

      People often say, “You can never have too much security.” It’s wrong. You can.

    • Actually I disagree. There are so many things – sensitive things even – that might be stored in areas we wouldn’t choose to encrypt (cache, temp files, etc.) that encrypting the entire disk is the ONLY safe solution. Couple that with appropriate (and appropriately secure) backups, and even a messed up system can be just an annoyance rather than a disaster.

      • Encryption programs can be both confusing and intimidating to some people: Lions and PIMs and AES, oh my! I suspect there are a considerable number of people for whom encryption would be a recipe for disaster – a category into which my in-laws certainly fall (“Hi Ray, I’ve forgotten my email password again. Yes, I know you’ve told me a hundred times before how to reset it, but I can’t remember what I need to do. Can you help me fix it? Oh, and my Facebook isn’t working either. Can you help me fix that too?”). I really don’t think encryption would be in their best interests.

        If you’re packing a laptop or hard drives that contain genuinely sensitive information, then encryption is a must. But I don’t think it’s something that should be recommended to all and sundry.

  27. After logging off your e-mail, log back on.

    See something strange – your e-mail address automatically displayed!

    ALWAYS, after logging off, log on with garbage so your true address is no longer the default.

  28. Laptops are down in price. $200 so get one, or cheaper, and when at coffee or other freebie use your laptop to your heart’s content
    but do so off line, then when you go home either hook laptop to broadcast or use table top already always on net, and then
    take all offline and one at a time shove onto online and send, but check and try first see if works as hack.block by your server

  29. Most BIOS allow you to create and use a password to start your computer. Would such prevent a thief from accessing it if the computer is stolen?

    • BIOS passwords can be easily bypassed, so are pretty thin security. That said, in order to reset some BIOS passwords, it’s necessary to open the machine up and this could slow somebody down – which could give you enough time to change your banking passwords, etc., etc.

    • No. All they need do is remove the hard disk and place that hard disk in a different computer (or even just an external USB enclosure).

      • Yeah, and it’s also worth noting that, while BIOS passwords don’t provide much in the way of security, it can nonetheless be quite tricky to get your system back to a useable state if you forget the password – especially if it’s a newer laptop.

  30. I have been using “HotSpot VPN” app for my Android smartphone. It is free, requires no personal info. It has encryption and it has no restrictions with respect to usage and bandwidth (as far as I know). It is very easy to use. It requires one click to use it once the app is opened and you don’t need to know anything about VPNs to use it. Check it out on http://vpn-hotspot.com/.

    I am still looking for something for my notebook.

    • As always, research the provider. I know absolutely nothing about this provider. When it comes to VPNs “fast” and “free” are at odds with each other, so I am skeptical.

  31. What if you are using an Android tablet (Nexus 7 w/Marshmallow) that only connects via WiFi? Do all the things you wrote about apply?

  32. Hi Leo
    Is there a hard firewall dongle that can be used in hot spots?
    This would surely be the ultimate protection in open hot spots!

    • I don’t know if those exist or not, but a VPN will accomplish that and more. For occasional users, some providers such as HotSpot Shield have free versions.

  33. If my email program uses SSL, can a man in the middle attack still be effective?

    How can I tell if my Android email app uses SSL?

    • There are no absolutes, so I have to say “yes”, but difficult and unlikely.

      Depends on the app, and how it is configured for your specific email account. Typically it should reference SSL or TLS in the POP3, IMAP and/or SMTP settings section.

  34. Hi Leo, I have recently switched from IE to Chrome (Yeah, I know I am slow to change). When I log in to a portal, Chrome is always asking if I want it to “remember” my login information. If I say YES, the next time I visit that portal, the login user name and password boxes are already populated with my information, so I just click SUBMIT. Makes it easy. I was thinking, if I were using an open WiFi (coffee shop or library), and use this Chrome feature to log in, then there are no actual keystrokes for someone to see…or are there. Are the keystrokes still detectable by a local hacker?

  35. If you use a VPN service in a public WiFi setting, are you not exposing the UserID and Password you must enter to gain access to your VPN account?
