In my opinion, arguments we have been using for years to say that public Wi-Fi access points are insecure are no longer valid, and so are the recommended remedies (e.g. use VPN).
Nowadays, most sites use HTTPS and set HSTS headers, so the odds that someone can eavesdrop someone else's connection is very low, to the point of expecting a zero-day vulnerability in TLS.
So, what other threats may someone face nowadays on a public network?
Public WiFi is still insecure, and it will always be if not used together with something like a VPN.
Obviously a VPN isn't a silver bullet that solves all your security issues. But a good VPN does solve the ones specifically related to surfing on public coffee shop WiFi.
I'm a little surprised that nobody has pointed out that there's more to the internet than HTTP.
Even if your claims about HTTP(S) and HSTS were correct (and other answers discuss that), you're forgetting POP, SMTP, IMAP, FTP, DNS, etc. None of these protocols are inherently secure.
Another difficulty of public wifi access is that you are on the same local network as other unknown actors. Any misconfiguration of your local network permissions can lead to an intrusion into your device. Maybe at home, you have configured shared data on your local network. Now, everybody on the same wifi access point may have access to those shared data. Most often, this protection is assured by a firewall (whether at the office or at home), and you consider the local network more secure than the naked internet. But this time, you may be on the same local network as an attacker.
I would argue that any time you connect to a publicly accessible network you're putting yourself at risk, VPNs are great, but do nothing to firewall your machine against the threats on the local network if you, the user, screw up and open say: your private folder for sharing to anyone else.
One strategy I employed and played with in the past when on a public network is the old-fashioned honeypot, share a folder with a file, and watch for access too that file, immediately disconnect when it gets accessed and you know you didn't access it.
Some of the concern has to do with MiTM attacks and the tendency for laptops to be configured to blindly connect to open networks based on SSID after the initial connect. Nothing stops an unknown party from firing up an access point with the same SSID as is used at other locations. Thus, while some of your traffic may be protected, a fair amount won't be, and the attacker will have a path over which they can attempt to compromise your laptop.
About using public Wifi services, Tor and VPN still can leak information.
Besides Tor and VPN security implications, you still have to get at least DHCP services from the public Wifi.
Depending on the wifi settings, the offering service still may open a (limited) browser window directly in your device even when using VPN if using captive network technologies, and your device will be exposed, and talking outside the VPN to a certain degree until you authenticate in the captive network portal.
IMO this is the bigger elephant in the room nowadays that people do not think about - I wrote a proof of concept in FreeBSD that opens a skull pic in the client, before you go the VPN route, my workmates were not that amused.
I would advise that depending on the device, besides Tor or/and VPN, you need at least, to have the latest OS updates done, and a finely tuned firewall running on your device too.
So actually, no, HTTPS and related technologies are only a (small) part of the equation in a security setting and only offer you a false sense of security when used per se.
This is exactly a scenario where semi-"opportunistic" encryption (like the mixed plaintext/encrypted HTTP/HTTPS ecosystem) can fail you - at the very least you have to rely on your browser not unexpectedly opening some resource embedded in a webpage via an unsecured protocol (even if a man in the middle downgrades it for you), and also on dodgy certificates not being accepted. For every page, and for everything every page loads.
A VPN, as mentioned, can still tunnel all kinds of malicious traffic to a vulnerable endpoint - and back.
In the absence of truly problematic malware like keyloggers and illicit remote control software, the safest setup would be controlling a trusted remote computer via something like remote desktop or ssh (with or without X11 forwarding), causing all relevant traffic to be via one encrypted channel. Establishing this channel would still need extra diligence (eg verifying certificate footprints manually) to avoid any remaining risk of MITM attacks (which could gain an attacker login credentials in the worst case).
As Norton, a security company, says:
What are the risks?
The problem with public Wi-Fi is that there are a tremendous number of risks that go along with these networks. While business owners may believe they’re providing a valuable service to their customers, chances are the security on these networks is lax or nonexistent.
Man in the Middle attacks
One of the most common threats on these networks is called a Man in the Middle (MitM) attack. Essentially, a MitM attack is a form of eavesdropping. When a computer makes a connection to the Internet, data is sent from point A (computer) to point B (service/website), and vulnerabilities can allow an attacker to get in between these transmissions and “read” them. So what you thought was private no longer is.
Unencrypted networks
Encryption means that the messages that are sent between your computer and the wireless router are in the form of a “secret code,” so that they cannot be read by anyone who doesn’t have the key to decipher the code. Most routers are shipped from the factory with encryption turned off by default, and it must be turned on when the network is set up. If an IT professional sets up the network, then chances are good that encryption has been enabled. However, there is no surefire way to tell if this has happened.
Malware distribution
Thanks to software vulnerabilities, there are also ways that attackers can slip malware onto your computer without you even knowing. A software vulnerability is a security hole or weakness found in an operating system or software program. Hackers can exploit this weakness by writing code to target a specific vulnerability, and then inject the malware onto your device.
Snooping and sniffing
Wi-Fi snooping and sniffing is what it sounds like. Cybercriminals can buy special software kits and even devices to help assist them with eavesdropping on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online — from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even being able to hijack your accounts.
Malicious hotspots
These “rogue access points” trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Say you’re staying at the Goodnyght Inn and want to connect to the hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on “GoodNyte Inn,” but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information.
When everyone know those risks, the minimal thing that there is to do is reduce the risks.
About this, you can read some articles:
I am not 100% sure what your concern is.
Public WiFi hotspots are not trustworthy, that's right. But the internet is not trustworthy. The sites you visit are not trustworthy. The sites you use to search the web are particularly not trustworthy.
Someone on a public WiFi hotspot might be able to eavesdrop on your connections. Someone will, without any doubt eavesdrop on all your communications. This routinely happens within the provider's infrastructure, at the CIX, at country borders, and at trans-ocean (and sometimes trans-continental) cables. Your trustworthy provider may very well be allowed, and required by the law (they are here!) to record and store detailled statistics about every connection you made, all DNS queries, whatever, and share that information with some moderately trustworthy and some definitively not trustworthy parties, among them organizations from hostile countries.
All the major industry states (not just the USA) have eavesdropping organizations with ten to hundred thousands of people in each, doing nothing but eavesdropping your communications and making profiles about you depending on who you communicate with, when you communicate, what DNS names you resolve, and so on.
Is this a problem for you? Well, if it is, don't use the internet, really.
Someone on a public WiFi hotspot might try to exploit your computer. Well guess what, someone might do that via your home internet connection as well. It's not as easy as being on the same local network for sure, but nowhere near impossible.
My venerable old Windows 7 already considered trusting hotspots being not such a great idea and considers all hosts untrusted in that setting (unless you explicitly tell it something different). That doesn't happen for no reason. But given reasonable settings, being on a completely hostile local network would nevertheless still be reasonably safe. None of the services that were exploited during the last couple of years are even running on my computer (irrespective of the firewall dropping traffic anyway). Just, don't run shit you don't need. The fewer network-accessible services, the fewer exploits (more RAM available and faster booting as free bonus).
There's not really that many reasons to use a public WiFi hotspot anyway (I don't recall ever having used one). One reason might be that you are on the road and need to do something really important online very urgently. OK, I admit, in this context, public WiFi may cause a bad feeling in your stomach, but how often does that happen anyway. Also, your bank hopefuly uses https: and you can trivially verify whether they do, before your enter your account information.
Although people nowadays perceive that they must be online and reachable all day (be honest, when did you last turn off your cellphone?) that is actually not true. You can very well do your banking from home, and you do not really need to be online 24/7 when on the road. Usually, at least.
No, being at Starbucks doesn't mean you have to twitter about it and post a photo of your coffee on Facebook. Who cares anyway? But if you think this is absolutely necessary, and public WiFi is too scary, well, then use your smartphone's LTE connection (which is marginally safer). It's not like you have to use public WiFi.
Another reason to use a public WiFi would be that you are planning to do something illegal where you wouldn't want your identity be too easily pinpointed. Sure, you wouldn't want to do hefty illegal stuff (selling weapons, drugs, snuff movies? terrorism?) from home. But hey, in that case, what's the problem with the hotspot not being trustworthy? I mean, seriously? A teenager sniffing on your traffic at the hotspot is the least of your problems in that context.
Nowadays, most sites use HTTPS and set HSTS headers, so the odds that someone can eavesdrop someone else's connection is very low
This assumption is scary bad. It does not matter how many sites set HSTS headers if HTTPS itself cannot be depended upon to provide endpoint to endpoint security. And it can't. Sadly.
Have you heard of a TLS Interception Proxy? They are commonplace. Deployed in schools, universities and libraries and used by employers and coffee shops alike, these hardware proxies (such as WebTitan Gateway or Cisco ironPort WSA) render HTTPS null and void, because during the "secure" connection they introduce a dynamic certificate pretending to be the destination website's official certificate. My browser doesn't know the difference, and if I didn't know better then I'd trust each HTTPS connection on its face.
Initially, HTTPS was designed to prevent MiTM attacks. Today, the TLS Proxy IS the MiTM attack! Whether you're reading your email or checking your bank account balance, you should be under no illusions that HTTPS is actually doing what you expect it to do, that is, secure your connection from eavesdropping. And unless you're connecting through your home WIFI & router, or unless you're using a decent VPN, get used to the fact your connection is probably being decrypted and re-encrypted on-the-fly, without your knowledge or consent.
There's little need to consider the "other threats" suggested by the OP until bona fide encrypted connections are the norm. Currently, they're not, and HTTPS is a farce. (To prevent eavesdropping, use a reliable VPN run by a company that won't store or release records. Use TOR to make the connection even better.)
Why do I assert that HTTPS/HSTS is not really a web browser's security blanket? Because 3 years prior to OP asking the question, it was already exploited and defeated. And just 2 years prior, it was subverted. Further, certain popular implementations of SSL were proven broken as far back as 1998. Even certificate authorities (CAs) are not to be trusted. A brief timeline:
Currently, to battle issues like "transitive trust," subCAs and the shenanigans of CAs who issue them, e.g. GeoTrust, etc., we have the DANE protocol, designed to "secure" the security certificate—the irony is not to be missed here—via DNSSEC by allowing domain admins to create a TLSA DNS record.
If DANE were widely implemented, I might be more inclined to agree with the OP's low threat assessment, but using DANE means a site needs to DNSSEC-sign their zone, and as of 2016, only about 0.5% of zones in .com are signed.
As an alternative to the poorly adopted DANE, there are CAA records, designed to do the same thing, but the latter mechanism isn't any more entrenched than the former.
It's the end of 2017, and the odds are extremely good someone can eavesdrop your HTTPS/HSTS protected connection.
UPDATE DEC 2018: Whether it's insecure protocols, poorly implemented secure protocols outside the user's purview, secure technology awaiting mainstream adoption, fraudulent authorities issuing unverified certificates, or good old-fashioned hardware-assisted eavesdropping, it's the end of 2018 and I still maintain the odds are extremely good your HTTPS connection is not protecting you.
Your argument would be valid if all wireless users were aware of the security implications associated with web browsing and public hence untrusted wifi networks. WiFi is no threat as much as social engineering is no threat either.
In a nutshell, WiFi&HTTPS do not carry vulnerabilitites but that doesn't mean they do not pose a threat.
A protocol like https can only be as secure as the medium it is transmitted on, will allow.
That means that even if everything you do uses HTTPS (it probably doesn't for most people), and even if nothing on your end is insecure (it probably is), then the attacker can target your connection to WiFi, your login, scan your device for open ports, and do a lot to get control of the communication or device, making https as effective as a lock on a door with an open door next to it.
