November 28, 2018

You Know What? Go Ahead and Use the Hotel Wi-Fi

As you travel this holiday season, bouncing from airport to airplane to hotel, you'll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.

This advice comes with plenty of qualifiers. If you're planning to commit crimes online at the Holiday Inn Express, or to visit websites that you'd rather people not know you frequented, you need to take precautionary steps that we'll get to in a minute. Likewise, if you're a high-value target of a sophisticated nation state - look at you! - stay off of public Wi-Fi at all costs. (Also, you've probably already been hacked some other way, sorry.)

But for the rest of us? You're probably OK. That's not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

"A lot of the former risks, the reasons we used to warn people, those things are gone now," says Chet Wisniewski, principle researcher at security firm Sophos. "It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel."

In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off.

All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.

HTTPS All Over

Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED's servers to your browser and back. That encryption is enabled by whatÕs knowns as Hypertext Transfer Protocol, with the 'S' standing for Secure. The most important thing to know about HTTPS, though, is that it obviates most of the attacks that (rightly) scared you off of public Wi-Fi in the first place.

"If you're in the US, the web is pretty well encrypted. It's unusual to go to a website that matters and it's not HTTPS," says Tod Beardsley, director of research at security firm Rapid7. "Because of that, the threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped."

Just how dramatically? Consider that as recently as March 2016, only 21 of the web's top 100 sites used HTTPS by default. Today, that number has flipped. Seventy of the top 100 sites have HTTPS switched on by default, with nine more offering HTTPS compatibility. Many of the holdouts are based in China. As of January 2017, more than half of the web was encrypted. Today, about 84 percent of websites loaded through Firefox have HTTPS enabled. And yes, that includes porn.

HTTPS has some arguable drawbacks. Mainly, there's virtually no barrier to getting HTTPS certification, which has made it attractive for criminal groups hoping to add an air of authenticity to bogus sites. That little green padlock guarantees that you're sending data encrypted, but not that the person on the receiving end has scruples.

But that has nothing to do with hotel or airport Wi-Fi. You can fall for those scams no matter how you've connected to the internet. And using that approach to target those specific locations hardly seems worth it in practice.

"You'd have to get a soundalike domain name, register that, then get an encryption certificate, then get someone to go to your site," says Beardsley. "I donÕt know how successful an attack would be to set up my rogue Wi-Fi, wait for people to mistype a URL, and come to my fake bank site. I'm not super sure that's a very valuable attack. YouÕre going to be waiting a long time for that typo." Especially given another, slightly less recent change in how we use the web: So few people actively type URLs that Google has considered doing away with them altogether.

It helps to think through how other attacks might play out in practice as well, especially as caveats come into play. In addition to phony sites, thereÕs the concern that someone else on your network might be "sniffing" your browsing activity, the internet version of eavesdropping. They can still try, but HTTPS means that they canÕt see what individual pages youÕre visiting, just the domains. Someone could figure out youÕre on Netflix, in other words, but not which movie youÕre watching. Or they might know youÕre on Bank of AmericaÕs site, but wouldnÕt be able to see any of your identifying details. ItÕs the difference between observing a conversation from far across the street, and having it bugged.

You can easily imagine cases where thatÕs not still ideal. You may not want anyone to know that you're visiting sites of a sensitive nature, regardless of what specifically youÕre looking at while youÕre there. And if you visit a site that has no HTTPS, all of those protections go out the window. But criminals have much more lucrative methods of attack these daysÑyou donÕt need hotel or airport Wi-Fi for searphishing or cryptominingÑmaking hotels and airports that much less appealing of a target.

"I'm telling people to enjoy public Wi-Fi, whether they're at MacyÕs for Christmas shopping or at the Hilton," says Wisniewski. "WhatÕs in it for the adversary? Why would you choose monkeying with the Wi-Fi at the airport or the hotel over some other attack method? When you look at the profitability and the risk, it just doesnÕt make sense other than an amateur to be doing it for giggles."

Extra Protection

It's totally understandable if you still have concerns. Maybe you visit a lot of unencrypted sites, or don't want a hotel chain to have even domain-level insight into your browsing. Or maybe you're a journalist, or an aerospace executive, or a politician, or someone else the GRU or Chinese intelligence agencies might put in their crosshairs. Or maybe you've just got a vestigial mistrust that you can't shake.

That's fine! Whatever the case, there are plenty of things you can do to protect yourself, starting with using a virtual private network. A VPN sends all of your traffic through an encrypted connection, meaning that the hotel or anyone else can't see where you've been or what youÕre doing. Well, almost anyone else; the VPN provider potentially could, so use one you trust.

Even better than a VPN, especially if you have an unlimited data plan: Use your smartphone as a hotspot. "There aren't any published exploits that are useful over LTE. If youÕre really worried about it, tether up your phone," says Beardsley. "ThatÕll get you a long way."

But if those donÕt apply to you; if you're just hopping on Facebook and Amazon, or looking up good nearby restaurants on Yelp? Use the Wi-Fi at the hotel. It might not have your security interests at heart, but more than ever, the web itself does.

Copyright 2018 Conde Nast. All rights reserved. From By Brian Barrett.

To view all articles, check out the Internet Travel Monitor Archive