Donât make this mistake yourself
Absolutely not.
This is a critically important distinction to make, and itâs one Iâm afraid many people misunderstand.
Become a Patron of Ask Leo! and go ad-free!
Wi-Fi security happens between your computer and the Wi-Fi access point. Open Wi-Fi hotpots have no security. If you need a password just to connect to the network, itâs likely a secured connection, but your computer canât tell you for certain. Webpages asking for log-in or acceptance of terms of service have nothing to do with security.
Wi-Fi security
When it comes to âopenâ Wi-Fi, security (or lack thereof) exists in the wireless connection between your laptop and the Wi-Fi access point.
An open Wi-Fi hotspot is an internet access point which requires no password to connect.
It is not secure, period.
It doesnât matter what happens after you connect.
The Rule: if you didnât have to enter a password in Windows or on your device simply to connect to the network, you are not on a secure network.
If you donât need to tell your device the network security key â often referred to as the Wi-Fi password â and youâve never connected to that network before, then youâre probably connecting to an open Wi-Fi hotspot. And again, an open Wi-Fi hotspot is not secure, period.
Which is which?
Almost all Wi-Fi enabled devices show you which networks are open and which are secure.
The presence of the padlock means the Wi-Fi network is secure and requires a password or network security key in order to connect. Your connection is encrypted.
The absence of a padlock means the Wi-Fi network is open, and anyone can connect. The connection is not encrypted, and unless you take additional steps, anyone nearby can see what you send and receive.
To add to confusion Windows will for some reason display an exclamation or shield for open Wi-Fi, and nothing for secure. In any case, the word âsecureâ is present for your connection if it is indeed secure.
The open Wi-Fi login
If the first thing you see in your browser is a log-in or Terms of Service page, you are connected to the network. The network is displaying that page. Youâve connected to the network, and probably the router; itâs just not letting you get any further until you log in or accept those terms.
If you can connect without giving Windows1 a Wi-Fi password, and you can see anything in your web browser â even that log-in page â then itâs an open Wi-Fi hotspot, and it is not secure.
If, for example, the coffee shop tells you a password to use, then:
- If you need to give it to Windows or your device so you can connect at all, thatâs a secure connection
- If you need to enter it into a page within your browser, thatâs an open connection, and it is not secure.
It doesnât protect you; it protects them
If the connection isnât secure, whatâs that log-in page or âterms of serviceâ all about?
What youâre seeing is called an âinterstitialâ page, which has nothing to do with technology and nothing to do with security. Itâs about liability.
Technically, itâs called a âcaptive portalâ, as it âcapturesâ your connection and forces you to read and respond to that intermediate page before youâre allowed further.
Take a close read of the words on that log-in page. Chances are, all youâre doing is agreeing to the terms of service. The wording and specifics vary, of course, but in general, by clicking on âI Agreeâ (or whatever the button says), you are stating that you:
- Wonât download porn.
- Wonât use it for anything illegal, like downloading copyrighted material (such as movies).
- Wonât use it to stream âtoo muchâ information, flood the network, or adversely impact other network users.
- Wonât use it ⊠well, in whatever ways the network provider doesnât want you to use it.
Obviously, they canât prevent you from doing that kind of stuff. But it does allow them to kick you off, and potentially even prosecute you, if you donât follow the terms of service you agreed to.
So they force you to agree to those terms of service if you want to use their open Wi-Fi hotspot.
Thatâs all it is. It doesnât protect you. It protects them.
Protecting yourself
So, if this log-in or accept-the-terms page has nothing to do with your security, how do you protect yourself?
Simple. Take all of the usual steps to use an open Wi-Fi hotspot safely.
Or donât use the open Wi-Fi hotspot at all. Instead, provide your own, more secure alternative.2
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Related Video
If the connection is made over a secure link (https://âŠ), the WiFi link may be open, with no risk of somebody reading the data in transit.
Hi,
I think TrueCrypt is gone now. There are many alternatives.
I use SafeHouse Explorer. I also never have certain info on my laptop when I travel, encrypted or not.
Customs and TSA, and their counterparts in other countries may ask you to open encrypted volumes for them, and if you donât, they can and will confiscate the equipment. Further, if they suspect you of wrongdoing, you could end up in situations you wonât want to experience.
If youâre worried about that, there are a couple of ways around that. Keep any sensitive files on a Veracrypt (the replacement for Truecrypt) volume a Boxcryptor folder online but not on your computer. Boxcryptor is probably better because you donât have to download the whole volume to access one of a few files.
If you keep a Veracrypt volume on your machine, you can set up a hidden volume so you can give them the password to the innocuous data volume.
So would the connection be any more secure if the connection password was visible for everyone to see?
In a venue quite local to me, they have a wifi access, but the access key is printed on a sheet of paper and hung up for everyone to see. Meaning anyone in the room could connect to it.
Is that connection any more secure than if it had been completely âopenâ?
When you log in to the network with a password, the communication between the devices and the router are encrypted. You still wouldnât be able simply sniff the data transmitted between the devices and the router. A hacker who understands how the packets are encrypted and decrypted might be able to use the password to decode the sniffed data, but thatâs probably a rare scenario.
Actually thatâs not true. With WPA2 the encryption key thatâs actually used is unique to each connection, as I understand it. So with a WPA2 connection you still donât run the risk of wireless packet sniffing.
IF (and only if) thatâs the password you need to specify to Windows to establish the Wi-Fi connection, then yes. You are NOT using an âopenâ Wi-Fi, itâs actually protected by WPA2 and your data cannot be sniffed.
Ont the other hand, if you can connect to the hotspot, and it brings up some kind of web page into which you must type that password, then NO, itâs still an âopenâ wifi hotspot.
Thank you, Leo. I appreciate the info. A few years ago, I set up my friendâs restaurant router so that her access was password protected, while her customers did not need a password.
Based on what you say, I will suggest to her that we do the following:
1) Leave her network with her password (for her peace of mind)
2) Add a simple password for the customer network name, such as the ownerâs first name.
3) Add a third network named: âMR Password = owner first nameâ or similar hint.
That way, even though itâs probably safe to let people use the main ID, she can feel safer, but meanwhile, the customers will definitely be safer. Thanks, again.
John
Thank you Mark!
I had steered away from connecting to it, âjust incaseâ, but will consider it as somewhat more secure than any completely open options.
Answers it perfectly! Thanks again.
Thomas.
Is there a device that I could get that would connect to the open WiFi network but create a second network that is protected.
My smartphones are both on plans that are severely data limited (one is 1 gig per month, the other is 200-300 meg per month) so Iâd rather use such a device that would create a secure way to use a public network.
The link to the open WiFi would remain unsecured, so ⊠no.
A VPN along with a firewall and antimalware should protect you on public networks. https://askleo.com/how_do_i_use_an_open_wifi_hotspot_safely/
I carry a small travel router that connects between my device(s) and the open WiFi. It uses WPS2. When I get to my room, I set it up a Nam ready to go.
The problem with that is the connection between the pocket WiFi router and the open WiFi is unencrypted. It does offer the protection of a hardware firewall, though.
Leo:
â[I]n general, by clicking on âI Agreeâ (or whatever the button says), you are stating that you:
* Wonât download porn
* Wonât use it for anything illegal, like downloading copyrighted material (such as movies)
*âWonât use it to stream âtoo muchâ information, flood the network, or adversely impact other network users
* Wonât use it ⊠well, in whatever ways the network provider doesnât want you to use it.â
AND thereâs a better than even chance that thereâs also boilerplate in there, granting them full permission and authority to monitor and capture every single bit (literally) of information you send or receive over their network, to use that data in any manner whatsoever that they see fit, AND completely and totally absolving them of any and all possible liability for any misuse of that data, intentional or otherwise.
Personally, I think Faust got the better deal.
One thing I notice about âfreeâ wi-fi from some business places is that they want me to enter contact information first before I can get on. Then afterwards I find Iâve just become part of their marketing pool. Guaranteed to get emails or text messages about every new product or service theyâre offering.
I just give them either a fake email address or I use my throwaway address.
âIf you need to enter it [i.e. login credentials] into a page within your browser, thatâs an open connection, and it is not secure.â
Technically thatâs not necessarily always true. The web page could be served by a local network router or server, similar to the intrAnet in your company, or your routerâs setup login page. I suppose Leo is talking about public venues which are not likely to have an internal (local network) gatekeeper.
Of course, Iâve also seen stupid network designs where the intranet (company services) is accessed via the public internet within the company!
Has nothing to do with corporate or other networking details. The only thing that matter here is: is the Wi-Fi connection encrypted (by WPA2 or similar). If not, itâs open and not secure. A login page doesnât impact that.
I was just referring to your bullet statement under âThe open Wi-Fi loginâ.
I am using Private Internet Access on all of my computers whether traveling or at home. I understand that the ENCRYPED data between my computer and the Internet could be seen in an open Wi-Fi. Does this reliably prevent anyone from seeing the unencrypted data I send and receive?
Yes, a VPN is absolutely one way to deal with using an open Wi-Fi connection safely.