Advice to avoid using public Wi-Fi is largely out of date, with widespread use of HTTPS encryption protecting the content of your communications. However, the metadata is still visible to anyone along the communication path – from your ISP to the site’s hosting provider.
This statement was originally published on eff.org on 29 January 2020.
If you follow security on the Internet, you may have seen articles warning you to “beware of public Wi-Fi networks” in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.
The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communications – for instance by sniffing packets from unencrypted Wi-Fi or by being the NSA – they could read your email. They could also steal your passwords or your login cookies and impersonate you on your favorite sites. This was widely accepted as a risk of using the Internet. Sites that used HTTPS on all pages were safe, but such sites were vanishingly rare.
However, starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of “sniffing” insecure HTTP to take over people’s accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.
However, practical deployment of HTTPS across the whole web took a long time. One big obstacle was the difficulty for webmasters and site administrators of buying and installing a certificate (a small file required in order to set up HTTPS). EFF helped launch Let’s Encrypt, which makes certificates available for free, and we wrote Certbot, the easiest way to get a free certificate from Let’s Encrypt and install it.
Meanwhile, lots of site owners were changing their software and HTML in order to make the switch to HTTPS. There’s been tremendous progress, and now 92% of web page loads from the United States use HTTPS. In other countries the percentage is somewhat lower – 80% in India, for example – but HTTPS still protects the large majority of pages visited. Sites with logins or sensitive data have been among the first to upgrade, so the vast majority of commercial, social networking, and other popular websites are now protected with HTTPS.
There are still a few small information leaks: HTTPS protects the content of your communications, but not the metadata. So when you visit HTTPS sites, anyone along the communication path – from your ISP to the Internet backbone provider to the site’s hosting provider – can see their domain names (e.g. wikipedia.org) and when you visit them. But these parties can’t see the pages you visit on those sites (e.g. wikipedia.org/controversial-topic), your login name, or messages you send. They can see the sizes of pages you visit and the sizes of files you download or upload. When you use a public Wi-Fi network, people within range of it could choose to listen in. They’d be able to see that metadata, just as your ISP could see when you browse at home. If this is an acceptable risk for you, then you shouldn’t worry about using public Wi-Fi.
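To make the metadata point concrete, here is an added example (not part of the original EFF post) showing why an on-path observer can read the domain name but not the page. The hostname travels in the Server Name Indication (SNI) extension of the TLS ClientHello, which is sent before any encryption is set up; the request path, cookies and message bodies are inside encrypted application-data records, of which an observer sees only the type and length. The ClientHello built below is a constructed minimal one (zeroed random, a single cipher suite) and the parsing is written from the TLS record and handshake layout; the function names are my own.

```python
import struct

# TLS constants used below (from the TLS 1.2/1.3 RFCs).
RECORD_HANDSHAKE = 0x16
RECORD_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Build a constructed, minimal TLS ClientHello record carrying an SNI extension.
    Real browsers send many more extensions, but the SNI field looks the same."""
    host = hostname.encode("idna")
    # ServerName: name_type=0 (host_name), 2-byte length, then the name.
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2 (TLS 1.3 also uses this here)
        + bytes(32)            # client random (zeros: constructed sample only)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent/malformed.
    Everything read here is plaintext on the wire, so a passive observer can do the same."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                      # skip version and random
        pos += 1 + body[pos]              # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]              # skip compression_methods
        if pos + 2 > len(body):
            return None                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2                         # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("idna")
                q += nlen
    except (IndexError, struct.error):
        return None
    return None


def passive_view(record: bytes) -> dict:
    """What an on-path observer learns from one TLS record: its type, its size,
    and the server name if the record is a ClientHello. Never the page or cookies."""
    kind = {RECORD_HANDSHAKE: "handshake", RECORD_APPLICATION_DATA: "application_data"}.get(
        record[0], "other") if record else "empty"
    return {"type": kind, "length": len(record), "server_name": extract_sni(record)}


if __name__ == "__main__":
    hello = build_client_hello("wikipedia.org")
    print(passive_view(hello))
    # A constructed encrypted record: only type and size are visible to the observer.
    ciphertext = bytes([RECORD_APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", 48) + bytes(48)
    print(passive_view(ciphertext))
```

Running the script prints the server name for the handshake record and only a type and length for the encrypted one, which is exactly the split described above: the domain and rough sizes leak, the URL path and contents do not. The same name is also usually visible a moment earlier in the client's unencrypted DNS lookup.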
Similarly, if there is software with known security bugs on your computer or phone, and those bugs can only be exploited from the local network, you are at somewhat increased risk when you share a network with strangers. The best defense is to always keep your software up-to-date so it has the latest bug fixes.
What about the risk of governments scooping up signals from “open” public Wi-Fi that has no password? Governments that surveil people on the Internet often do it by listening in on upstream data, at the core routers of broadband providers and mobile phone companies. If that’s the case, it means the same information is commonly visible to the government whether they sniff it from the air or from the wires.
In general, using public Wi-Fi is a lot safer than it was in the early days of the Internet. With the widespread adoption of HTTPS, most major websites will be protected by the same encryption regardless of how you connect to them.
There are plenty of things in life to worry about. You can cross “public Wi-Fi” off your list.