I bet you are exactly like me.
Every time you come into a cafe or a restaurant, the first thing you ask even before the menu is “Can I have your Wi-Fi hotspot password?”
The Wi-Fi hotspot has become such a convenience these days that every hotel, cafe or restaurant needs to have one.
If you do not offer a Wi-Fi hotspot for your customers, you may lose some of them. The time when people went to the cyber-café is long gone. Nowadays, we want to access the Internet anywhere, anytime.
And even though we are all connected to a mobile data network, it can quickly become expensive.
Wi-Fi hotspots are usually free or inexpensive. They are a new service commodity that we take for granted.
If there is one place where you should have your VPN activated all the time, it is definitely on a Wi-Fi hotspot.
A Public Wi-Fi Hotspot is just like a dirty toilet seat…
When you are in the comfort of your home and you need to use the toilet, you just go there, sit, do what you have to do, wash your hands (hopefully) and leave.
But if you happen to use a public toilet, you are probably more cautious about what you touch and where you sit. You will probably use a toilet seat cover, if available, to make sure you don’t get any germs. You will definitely wash your hands, maybe twice.
These reflexes are natural to you in a public toilet. Well, think of a public Wi-Fi hotspot as the dirtiest toilet seat you have ever had to sit on.
I hope you get the picture printed in the back of your head now.
What are the risks of using a public Wi-Fi hotspot?
Business owners want to increase their profit
When you connect to a public hotspot, you will be redirected to a captive portal. This captive portal will ask you for personal information before you can get access to the Internet.
In some countries, hotspot providers are liable for any illegal activity that takes place on their Wi-Fi network. They may be requested by the government to provide the logs of each user's browsing activity, associated with their personal information.
But sincerely, who does that?
Hotspot providers can also use the personal data collected from you to push targeted ads to you on the very same captive portal that pops up every time you connect to the Wi-Fi.
You don’t know who is sitting next to you
Wi-Fi is by definition wireless. No shit, Sherlock.
Because it is wireless, there is no way you can be sure that someone is not trying to intercept your communications.
One way to do it is called a rogue AP (rogue access point).
Wi-Fi is a very flexible technology. To extend your coverage, you can have multiple access points all over your cafe that will boost and repeat the signal. They all share the same Wi-Fi SSID, which ensures you can roam around without any disconnect. The Wi-Fi network itself will make sure you jump from one access point to the other seamlessly.
That also means that nothing prevents me from bringing a rogue Wi-Fi Access Point to a cafe, turning it on and configuring the very same Wi-Fi SSID that the cafe is using. If my router is closer to you than the cafe Wi-Fi access point, your computer will try to attach to my rogue AP for performance purposes.
If I am smart enough, I will bridge my rogue Wi-Fi access point with the legit Wi-Fi access point from the cafe so you don’t notice anything.
You will get the same captive portal and the very same browsing experience except that all your data will flow through my rogue access point before hitting the legit access point.
This technique is called a man-in-the-middle attack. It can be performed with a $30 wireless access point or even with your own laptop configured as a wireless bridge.
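From the venue's side, the rogue AP described above can be spotted by comparing the beacons seen nearby against an inventory of the cafe's own access points. This is an added example, not part of the original post; the scan records, the `INVENTORY` structure and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan results (not captured from a real network).
# Each record: SSID, BSSID (the AP radio's MAC address), channel, security.
SCAN = [
    {"ssid": "CafeGuest", "bssid": "02:00:00:aa:00:01", "channel": 1, "security": "WPA2"},
    {"ssid": "CafeGuest", "bssid": "02:00:00:aa:00:02", "channel": 6, "security": "WPA2"},
    {"ssid": "CafeGuest", "bssid": "02:00:00:ff:13:37", "channel": 11, "security": "OPEN"},
    {"ssid": "CafeGuest", "bssid": "02:00:00:aa:00:01", "channel": 11, "security": "WPA2"},
    {"ssid": "OtherShop", "bssid": "02:00:00:bb:00:09", "channel": 6, "security": "WPA2"},
]

# Hypothetical inventory kept by the venue: its own APs and their configuration.
INVENTORY = {
    "ssid": "CafeGuest",
    "security": "WPA2",
    "aps": {"02:00:00:aa:00:01": 1, "02:00:00:aa:00:02": 6},  # BSSID -> channel
}


def find_rogue_candidates(scan, inventory):
    """Return {(bssid, channel): [reasons]} for beacons that use our SSID
    but do not match the inventory."""
    findings = defaultdict(list)
    for ap in scan:
        if ap["ssid"] != inventory["ssid"]:
            continue  # someone else's network, not our concern
        bssid = ap["bssid"].lower()
        key = (bssid, ap["channel"])
        expected_channel = inventory["aps"].get(bssid)
        if expected_channel is None:
            findings[key].append("unknown BSSID advertising our SSID")
        elif ap["channel"] != expected_channel:
            # A BSSID is easy to copy; seeing a known one on an
            # unexpected channel suggests a clone.
            findings[key].append("known BSSID on unexpected channel")
        if ap["security"] != inventory["security"]:
            findings[key].append("security setting differs from inventory")
    return dict(findings)


if __name__ == "__main__":
    for (bssid, channel), reasons in find_rogue_candidates(SCAN, INVENTORY).items():
        print(f"{bssid} ch{channel}: {'; '.join(reasons)}")
```

A rogue AP that copies a known BSSID, channel and security setting exactly would pass these checks, so treat the result as a first filter rather than proof.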
Thankfully, the wider adoption of HTTPS (Hypertext Transfer Protocol Secure) and more in-browser warnings have reduced the potential threat of man-in-the-middle attacks.
By using HTTPS, all the traffic between your computer and the website you are trying to access is encrypted with SSL.
SSL uses encryption algorithms to scramble data in transit, preventing cyber-criminals from accessing it if they manage to sit in the middle.
Since July 2018, Chrome has marked all sites that do not use HTTPS as not secure.
HTTPS shows up in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, are readily accessible by clicking on the lock symbol on the browser bar.
Even if the website you are trying to access is using HTTPS, it is very important to verify that the SSL certificate was issued by a trusted certificate authority.
Have you seen a browser certificate warning in the past? If you see one while you are sitting on a Wi-Fi hotspot, don’t go further.
This message means that the remote site has requested an HTTPS connection but does not own a certificate issued by a trusted authority.
“In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.” Wikipedia
This issue typically happens when one of the network elements between you and the website you intend to reach tries to break the secured communication channel established over HTTPS.
In simple words? Bad stuff is happening. Just shut down your laptop and drink your coffee.
In a man-in-the-middle (MitM) attack, the cybercriminal will attempt to stand between your laptop and the website to capture the communication. But as long as this communication is in HTTPS, he won’t be able to decrypt it.
However, he will be able to capture the DNS requests, which give him a hint about your browsing activity. So he can find out, for instance, when you are visiting your bank portal and could try to redirect you to a non-secured page.
The hacker’s challenge is to break the chain of trust by redirecting your browser to a web page that looks just like your bank portal, except that this portal is sitting on the hacker’s server.
The main problem with this technique is that the hacker obviously cannot possess an SSL certificate signed by a certification authority for this particular website. Hence the browser warning.
Take no risk, use a personal VPN
Whenever you are connected to a Public Wi-Fi hotspot, don’t take any risk, just activate your personal VPN.
Your personal VPN will make sure all your data communication is encrypted from your computer to the remote VPN server. Therefore, neither the hotspot business owner nor your neighbor will be able to intercept your communications.
I personally recommend three VPN solutions that I find excellent:
Which one is for me? The Geek, the Paranoid and the Noob.
- The Geek: I need awesome speed and I am going to set up this VPN on my toaster:
- The Paranoid: I am obsessed with security and need the highest level of protection:
- The Noob: I just want a simple solution and I don’t need much customization