![](\"https:\/\/media.wired.com\/photos\/5bef55be6f9680187f54acf6\/master\/pass\/hotel-wifi-543369698.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Sun, 18 Nov 2018 12:00:00 +0000<\/strong><\/p>\n As you travel <\/span>this holiday season, bouncing from airport to airplane to hotel, you\u2019ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network<\/a>? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.<\/p>\n This advice comes with plenty of qualifiers. If you\u2019re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you\u2019d rather people not know you frequented, you need to take precautionary steps that we\u2019ll get to in a minute. Likewise, if you\u2019re a high-value target of a sophisticated nation state\u2014look at you!\u2014stay off of public Wi-Fi at all costs. (Also, you\u2019ve probably already been hacked some other way<\/a>, sorry.)<\/p>\n But for the rest of us? You\u2019re probably OK. That\u2019s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.<\/p>\n \u201cA lot of the former risks, the reasons we used to warn people, those things are gone now,\u201d says Chet Wisniewski, principle researcher at security firm Sophos. \u201cIt used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel.\u201d<\/p>\n In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks, from hackers tracking your every move online, to so-called man-in-the-middle efforts that tricked you into entering your passwords, credit card information, or more on phony websites. A cheap, easy to use device called a Wi-Fi Pineapple<\/a> makes those attacks simple to pull off.<\/p>\n All of that's still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.<\/p>\n Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED\u2019s servers to your browser and back. That encryption is enabled by what\u2019s knowns as Hypertext Transfer Protocol, with the \u2018S\u2019 standing for Secure. The most important thing to know about HTTPS, though, is that it obviates most of the attacks that (rightly) scared you off of public Wi-Fi in the first place.<\/p>\n \u201cIf you\u2019re in the US, the web is pretty well encrypted. It\u2019s unusual to go to a website that matters and it\u2019s not HTTPS,\u201d says Tod Beardsley, director of research at security firm Rapid7. \u201cBecause of that, the threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped.\u201d<\/p>\n "A lot of the former risks, the reasons we used to warn people, those things are gone now."<\/p>\n Chet Wisniewski, Sophos<\/p>\n Just how dramatically? Consider that as recently as March 2016, only 21 of the web\u2019s top 100 sites<\/a> used HTTPS by default. Today, that number has flipped. Seventy of the top 100 sites<\/a> have HTTPS switched on by default, with nine more offering HTTPS compatibility. Many of the holdouts are based in China. As of January 2017, more than half of the web<\/a> was encrypted. Today, about 84 percent of websites<\/a> loaded through Firefox have HTTPS enabled. And yes, that includes porn<\/a>.<\/p>\n HTTPS has some arguable drawbacks. Mainly, there\u2019s virtually no barrier to getting HTTPS certification, which has made it attractive for criminal groups<\/a> hoping to add an air of authenticity to bogus sites. That little green padlock guarantees that you\u2019re sending data encrypted, but not that the person on the receiving end has scruples.<\/p>\n But that has nothing to do with hotel or airport Wi-Fi. You can fall for those scams no matter how you\u2019ve connected to the internet. And using that approach to target those specific locations hardly seems worth it in practice.<\/p>\n \u201cYou\u2019d have to get a soundalike domain name, register that, then get an encryption certificate, then get someone to go to your site,\u201d says Beardsley. \u201cI don\u2019t know how successful an attack would be to set up my rogue Wi-Fi, wait for people to mistype a URL, and come to my fake bank site. I\u2019m not super sure that\u2019s a very valuable attack. You\u2019re going to be waiting a long time for that typo.\u201d Especially given another, slightly less recent change in how we use the web: So few people actively type URLS that Google has considered doing away with them<\/a> altogether.<\/p>\n It helps to think through how other attacks might play out in practice as well, especially as caveats come into play. In addition to phony sites, there\u2019s the concern that someone else on your network might be \u201csniffing\u201d your browsing activity, the internet version of eavesdropping. They can still try, but HTTPS means that they can\u2019t see what individual pages you\u2019re visiting, just the domains. Someone could figure out you\u2019re on Netflix, in other words, but not which movie you\u2019re watching. Or they might know you\u2019re on Bank of America\u2019s site, but wouldn\u2019t be able to see any of your identifying details. It\u2019s the difference between observing a conversation from far across the street, and having it bugged.<\/p>\n You can easily imagine cases where that\u2019s not still ideal. You may not want anyone to know that you\u2019re visiting sites of a sensitive nature, regardless of what specifically you\u2019re looking at while you\u2019re there. And if you visit a site that has no HTTPS, all of those protections go out the window. But criminals have much more lucrative methods of attack these days\u2014you don\u2019t need hotel or airport Wi-Fi for searphishing or cryptomining\u2014making hotels and airports that much less appealing of a target.<\/p>\n \u201cI\u2019m telling people to enjoy public Wi-Fi, whether they\u2019re at Macy\u2019s for Christmas shopping or at the Hilton,\u201d says Wisniewski. \u201cWhat\u2019s in it for the adversary? Why would you choose monkeying with the Wi-Fi at the airport or the hotel over some other attack method? When you look at the profitability and the risk, it just doesn\u2019t make sense other than an amateur to be doing it for giggles.\u201d<\/p>\n It\u2019s totally understandable if you still have concerns. Maybe you visit a lot of unencrypted sites, or don\u2019t want a hotel chain to have even domain-level insight into your browsing. Or maybe you\u2019re a journalist, or an aerospace executive, or a politician, or someone else the GRU or Chinese intelligence agencies might put in their crosshairs<\/a>. Or maybe you\u2019ve just got a vestigial mistrust that you can\u2019t shake.<\/p>\n "The threat, and really the risk, of going on even sketchy local Wi-Fi has dramatically dropped."<\/p>\n Tod Beardsley, Rapid7<\/p>\n That\u2019s fine! Whatever the case, there are plenty of things you can do to protect yourself<\/a>, starting with using a virtual private network. A VPN sends all of your traffic through an encrypted connection<\/a>, meaning that the hotel or anyone else can\u2019t see where you\u2019ve been or what you\u2019re doing. Well, almost anyone else; the VPN provider potentially could, so use one you trust.<\/p>\n Even better than a VPN, especially if you have an unlimited data plan: Use your smartphone as a hotspot. \u201cThere aren\u2019t any published exploits that are useful over LTE. If you\u2019re really worried about it, tether up your phone,\u201d says Beardsley. \u201cThat\u2019ll get you a long way.\u201d<\/p>\n But if those don\u2019t apply to you; if you\u2019re just hopping on Facebook and Amazon, or looking up good nearby restaurants on Yelp? Use the Wi-Fi at the hotel. It might not have your security interests at heart, but more than ever, the web itself does.<\/p>\n