On unencrypted public wifi, what kind of real danger am I in?



First, my setup

  • Windows 7 Home Premium

  • use the built-in firewall

  • UAC on max

  • in Windows' wireless network settings for public networks, besides the default settings, I have 1) set to block all media streaming, and 2) turned off public file sharing. When I connect to a free wifi, I always set Windows to classify it as a "Public Network".

  • fully patched Windows, Office, Firefox, Flash Player, Java, etc, etc....everything

  • I always make 100% sure I connect to the expected wifi and not someone's fake-out data-stealing pirate wifi network.

  • Whenever I log into a site I care about, I always log in using https. All of my email accounts (gmail) use https. I really don't care if anyone sees my websurfing (forum posts, google searches, etc).

Regardless of whether or not my AV would detect and stop malware that actually did make it onto my computer, let me ask

q1) what are the chances of malware getting onto my computer from the lan/wifi? (not asking about malware coming from email, websites, flash drives, etc. Only asking about the possibility of getting something from the public lan/wifi)

Next, assuming no malware was placed on my computer from the lan/wifi, what (and how great) is the danger to

q2) my data on my computer (from being stolen or viewed)?

q3) the sensitive data I transmit using https being seen or stolen and unencrypted?

I'm asking for real world ("in the wild") dangers at any random free wifi like Starbuck's etc, but not about every possibility or about methods that require skills or equipment that are extremely unlikely to be encountered.

btw, I know there are further steps I could take for better security than the ones I mentioned above, however, for now, I need to get an accurate, but not overly paranoid, picture of where I stand with my current set up. I'm hopeful there are people here that can give me perspective.


formatting edit: I edited so that each question would have a unique number


I would say your chances are pretty low, as Windows 7 is more security-featured than previous Windows-based operating systems. Where you stand is far more secured than most and I would expect your attack surface to be pretty low, even in the most open of networks. – brandon927 – 2010-12-05T21:22:59.157

I think it's worth taking a look at FireSheep - making mischievous activities all too easy. Jeff Atwood explains ... http://www.codinghorror.com/blog/2010/11/breaking-the-webs-cookie-jar.html – rlb.usa – 2010-12-07T16:09:34.887



a1) What do you mean by "what are the chances"? What are the chances the wifi owner is malicious, or what are the chances they can do it if they are? The former question I have no data on. The latter depends on what you're using their wifi for. If you are downloading executable files and running them then obviously it's very easy for them to put malware on your computer. The next most likely vectors are PDFs, or malicious Java / Flash / scripts on websites, but all of those would need you to be running vulnerable software (although in the case of Adobe Acrobat, it is vulnerable even if you are 100% up to date, we just don't know what's wrong with it yet ;)

To avoid this I would say, in ascending order of paranoia (i.e. 1 is sensible, the rest are more paranoid):

  1. Do not download any executables over an internet connection you don't trust
  2. Don't have your browser set up to open PDFs in Acrobat (there are many safer alternatives), Flash, or Java applets without asking you
  3. Consider using NoScript

Of course, if you are using SSL websites, then they cannot modify what data you get. Probably. See answer 3.

a2) Assuming no malware has been planted on your computer, and you operate under the rules in answer 1, effectively zero. There might be programs that are leaking information, or have bugs that let people put things on your computer, but that isn't really relevant to the wifi. Minimising the number of applications allowed to use the internet (in the firewall settings) is a good idea for this reason.

a3) When you use HTTPS your browser verifies that the site is who they say they are by checking their certificate. Only certain people can give out these certificates, and your browser knows how to check theirs.

What does this mean for security? Well for one, it means you are trusting those certificate writers. There have been attacks on their systems to produce fraudulent certs in the past, and there have been cases of browsers trusting certificate authorities whose current owners no one is quite sure of.

What can you do? Some browsers have extensions to help you out here. What you want is something that remembers what certificate a given website had last time you visited it, and will put up a big fat warning if that changes. This means even if a certificate authority is compromised in some way, you still won't hand over your data.

This is a very unlikely outcome, by the way - it would require someone to obtain a fraudulent cert AND to then target people using that site over their wifi... Given the value of the cert, and the effort to obtain it, it's much more likely it would be used in a wider attack. But it won't hurt to protect yourself against such things, anyway.

Oh and of course, sites using self-signed certificates are trivial to masquerade as. Having an extension that compares the cert to the last time you accessed them would alert you to any man-in-the-middle going on.
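The "remember the certificate and warn if it changes" behaviour described in a3 above, as an added trust-on-first-use example (not code from the answer or from any browser extension); the hostname and the DER byte strings are constructed for the demo, and the store is a plain dict that a real tool would persist to disk:

```python
import hashlib
import socket
import ssl


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, the value browser cert dialogs show."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_fingerprint(host, port=443, timeout=10):
    """Network helper: fingerprint the leaf certificate a host presents right now.

    The default context still validates the chain and hostname; the pin check
    below is an extra layer on top of CA validation, not a replacement for it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def check_pin(store, host, seen_fp):
    """Trust-on-first-use check against a host -> fingerprint store.

    Returns "first-use" (and records the fingerprint), "match", or "CHANGED".
    CHANGED is the 'big fat warning' case: the chain may validate fine, but the
    certificate is not the one this host presented on earlier visits.
    """
    known = store.get(host)
    if known is None:
        store[host] = seen_fp
        return "first-use"
    return "match" if known == seen_fp else "CHANGED"


def should_proceed(store, host, der_bytes):
    """Policy: only hand over data when the pin matches or it is the first visit."""
    return check_pin(store, host, fingerprint(der_bytes)) != "CHANGED"


def accept_new_certificate(store, host, der_bytes):
    """Explicit user action after confirming out of band (e.g. a fingerprint the
    site publishes) that the certificate really was rotated, not swapped."""
    store[host] = fingerprint(der_bytes)


# Constructed stand-ins for two different DER certificates (not real certs).
CERT_A = b"constructed-der-bytes-cert-A"
CERT_B = b"constructed-der-bytes-cert-B"
```

`fetch_fingerprint` needs a network connection and is only there to show where a real fingerprint would come from; the pin logic itself runs offline.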

To clarify my q1, for purposes of my question, I'll assume the wifi network itself is honest. It's free, open, unencrypted, and has numerous other random users connected. What about q1 then? – CChriss – 2010-12-06T03:32:33.123

Unchanged. Any of those other users could be redirecting your traffic through themselves. – ZoFreX – 2010-12-06T04:23:01.737

So if the wifi itself is not malicious and the owners of the wifi are honest, how can this part of your answer be true: "If you are downloading executable files and running them then obviously it's very easy for them to put malware on your computer"? And how could "Any of those other users ... be redirecting [my] traffic through themselves" with my setup being as I described? – CChriss – 2010-12-06T05:21:52.227

Something like ARP poisoning or similar could be used to redirect traffic. Someone could also set up their own access point with the same SSID and try to steal clients from the legitimate one. To be fair these aren't unique to unencrypted wifi. – ZoFreX – 2010-12-06T10:11:48.120

I read a little about ARP poisoning, and would it be correct to say that most likely a free unencrypted wifi wouldn't use ARP, which would make this method of redirecting ineffective? I don't see any defense against someone using the same SSID to trick people into connecting to their wifi, that's why in my question I stipulated that the question assumes I'm on the actual wifi I wanted. – CChriss – 2010-12-06T17:16:11.900

I believe there are other attacks similar to ARP poisoning, some of which may work in that scenario, but I'm afraid we're exceeding the bounds of my knowledge there. – ZoFreX – 2010-12-07T00:21:41.147


Q1) Barring any problems with the IP stack, your main additional risk is a man in the middle type attack where someone masquerades as the server, and injects code into some data you retrieve. This is a risk whenever you don't have control of the full path. Whether or not the connection is encrypted likely does not change the risk much. Code injection attacks are generally done by infecting the server and are unrelated to wi-fi access.

Q2) Unless file sharing of some form gets turned on, your computer's data should be safe from network file access. Problems with the IP stack or other software may allow someone to crack your system. Other than ease of directly accessing your computer via the network, using public wi-fi does not change the risk much. If you keep patched, all known vectors should be covered.

Q3) HTTPS is quite secure, and there are no known practical cracking methods for the common cyphers. Data transmitted over this protocol can be considered secure. Man in the middle attacks are possible, but generally require a matching certificate issued by a trusted certificate vendor. There have been some attacks in the past where the address bar was overwritten to hide the real address. This should no longer be possible.

You seem to be following good procedures for ensuring you are safe. If you are specifically targeted, your risk goes up. Use of public wi-fi may increase your risk somewhat for some targeted attack vectors.

The Secunia PSI software can audit your installed software for known security risks.


The first question that occurs to me is about your A1. Are you saying that (barring a problem with the IP stack) unless I connect to a "server" on the network (and a malicious one at that), there's not really a way for anyone to infect me from the lan (given my current setup)? So I'm safe in that way(?). It seems like you're saying otherwise I'm safe as long as I stay updated (and am not one of the first victims of a zero-day attack). – CChriss – 2010-12-06T02:59:12.013

@CChriss In a man-in-the-middle attack, someone on your network (the attacker) might pose as any server you connect to (e.g. superuser.com). – Daniel Beck – 2010-12-06T03:16:28.340

Could that happen with my current setup if I'm already connected to the wifi network I meant to connect to? Seems like they would need a way to send me to their "server" instead of where I meant to go. – CChriss – 2010-12-06T03:22:26.330

RE: Q3, yes, https is secure, but many times it's just the login data (username/password) that is encrypted, but the token (cookie) is not. Firesheep works by stealing this cookie. – Rich Homolka – 2010-12-07T16:07:11.313

A1) Zero-day attacks are always a risk. You can be exposed to drive by attacks on sites you expect to be safe such as Government, Banks, and Businesses. Wi-fi is not required. – BillThor – 2010-12-08T01:47:37.050

Man in the middle attacks can be done by ARP poisoning, and work on both wired and wireless networks. This will result in your packets traversing the wrong server. DNS poisoning is an alternate vector and has been used globally. If the wireless network is configured to isolate users, then it may be more resistant to ARP poisoning than a wired network (at least from other wireless devices). Masquerading as a wi-fi portal is one man in the middle vector which only exists on wireless. – BillThor – 2010-12-08T01:49:47.550

A3) The HTTPS token should be marked HTTPS only, but often is not. If it is not, then it may be passed in the clear on an HTTP session. – BillThor – 2010-12-08T01:50:53.273
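The cookie point raised by Rich Homolka and BillThor above, as an added example that is not part of the thread: a small model of which cookies a browser attaches to http versus https requests, plus the server-side audit and fix. The Set-Cookie headers and the assumption that SID and session are the login cookies are constructed for the demo.

```python
from http.cookies import SimpleCookie

# Constructed example: Set-Cookie headers a site might return after an HTTPS login.
LOGIN_SET_COOKIES = [
    "SID=7f3a9c1e2b; Secure; HttpOnly; Path=/",  # marked Secure: never sent over http
    "session=ab12cd34; HttpOnly; Path=/",         # the Firesheep case: Secure forgotten
    "prefs=dark; Path=/",                         # harmless preference cookie
]

SESSION_COOKIE_NAMES = ("SID", "session")  # assumption: the names that carry the login


def parse_cookies(set_cookie_headers):
    """Load Set-Cookie headers into a cookie jar, one header at a time."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return jar


def cookies_sent_over(jar, scheme):
    """Names the browser would attach to a request made with the given scheme.

    A cookie carrying the Secure attribute is only sent on https; every other
    cookie also goes out on plain http, where anyone listening on open wifi
    can copy it and replay the session.
    """
    names = []
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue  # browsers withhold Secure cookies from cleartext requests
        names.append(name)
    return sorted(names)


def exposed_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Defender's audit: session cookies that leak the moment the user reaches the
    site over http (typing the bare hostname, following an http:// link, ...)."""
    jar = parse_cookies(set_cookie_headers)
    return [n for n in cookies_sent_over(jar, "http") if n in session_names]


def harden_set_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Server-side mitigation: add Secure to any session cookie that lacks it."""
    jar = parse_cookies(set_cookie_headers)
    for name, morsel in jar.items():
        if name in session_names and not morsel["secure"]:
            morsel["secure"] = True
    return [morsel.OutputString() for morsel in jar.values()]
```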


In most cases public wifi should be no more risky from the sort of malware your antivirus software might stop than any other wifi. However, it is possible to set up many access points to use what is called a "captive portal" page — the kind of thing you might find in places that make you log on before passing traffic to the web. A hacker could set up one of these pages to auto-authenticate you and then redirect you to any malicious web site of their choosing.

Additionally, when you use unencrypted wifi all your non-https traffic is broadcast in the clear for anyone who might be listening. Hopefully the only "listener" is your wireless router/access point, but it isn't that hard to set up a computer to listen to this traffic any more. This is especially dangerous in public places where there are likely others using the same connection, but even your own home isn't immune if you don't encrypt your traffic.

Unless you also limit your browsing to only encrypted networks or only https sites (as opposed to plain http sites), broadcast information includes cookies, authentication tokens, passwords, and more. If you're not encrypting your wifi, it's essentially game over.

Regarding your warning of "captive portal" page, is that still possible if I am truly logged on to the public wifi I intended to (assuming Starbuck's isn't doing it, of course)? (As part of the criteria for my question, I wanted people to assume for the purpose of the question, that I'm not connected to a "fake-out data-stealing pirate wifi network") – CChriss – 2010-12-05T22:40:57.140

While Joel's answer is true, sensitive information should always be tunnelled anyway. If you're worried that your IM traffic is being intercepted, get Adium or Pidgin with OTR, for example. MITM attacks can come from more than just your hotspot. – msanford – 2010-12-05T22:54:47.090


Thanks, but this is just a copy and paste of a link to a generic article on wireless attack techniques. I can find articles like this all day long. I came here asking for info specific to my setup, and for info about real world expectations, not everything that's possible, as I also specified in my question. – CChriss – 2010-12-06T02:33:01.693

Any wifi connection that is not protected with WPA2 and a strong encryption cypher and key can be compromised fairly easily. Also, be sure the connection is set to "Public" in Windows 7. Most public wifi connections are not using encryption of any kind and you can be hacked very easily. This does not mean you will be. – Moab – 2010-12-06T02:36:31.487

My question is about connecting to public wifi networks, like at Starbucks, where there is no encryption, that's why I'm asking this. I mentioned in my question that I had modified the settings for public networks in Windows, and maybe I should've also specified that when I connect to a public wifi I designate them to be treated as a "Public Network" by Windows (which uses the settings I mentioned). – CChriss – 2010-12-06T03:03:51.587

Then you are vulnerable to attack by anyone with the skills to do it. No ifs ands or buts about it. – Moab – 2010-12-06T05:01:25.700

That's a broad statement, and my question is asking for how my setup is vulnerable. Again I direct you to read my question (you still don't seem to have it cached in your RAM). The part that's most relevant to your latest comment is the part where I said, "I'm asking for real world ("in the wild") dangers at any random free wifi like Starbuck's etc, but not about every possibility or about methods that require skills or equipment that are extremely unlikely to be encountered." So far your answer has just been computer cliches and generalities about wireless security. – CChriss – 2010-12-06T05:25:22.987

You asked a broad question whether you wish to admit it or not; it is obvious you are in over your head on this subject. You are vulnerable with a public hot spot, that is a fact; there is nothing you can do to prevent some attacker that uses software that hacks you with one click. Hacking an unencrypted wifi connection is very easy if you have the correct software, and it is easy to find if you want. Now go get hacked. – Moab – 2010-12-06T05:57:31.827

Yeah, your attempt at getting me to give your comments respect they don't deserve by trying to scare me ("Hacking a unencrypted wifi connection is very easy if you have the correct software, and it is easy to find if you want. Now go get hacked.") made me laugh. It appears you have no ideas about how my setup makes me vulnerable, but enjoy commenting anyway. By vomiting generic talking points it looks like you are attempting to make yourself appear (and feel?) like an authority, when actually you're in over your head on this one. – CChriss – 2010-12-06T17:28:02.940

So lame on your part. Using my "over your head" comment, is that the best you can do? Obviously you know little about unencrypted wifi; you better study up before you embarrass yourself further. Once data leaves your PC on an unencrypted signal, anyone can sniff your packets and see everything you do. It has absolutely NOTHING to do with your set up or any protections you may have on your PC; the data is in the air and is unencrypted. How hard is that to understand? Too hard I guess. – Moab – 2010-12-06T19:36:13.010


CChriss - you say you always make 100% sure you connect to the right network. Please read this article on Evil Twin attacks. It can be very difficult to be 100% sure!

Other than that you seem to be doing way better than the majority of users - you are at considerably lower risk than them.

So -

  • A1 - you're pretty safe
  • A2 - you're pretty safe
  • A3 - you're doing the right things but could still connect to the wrong network if an attacker has set one up

Rory, I know that's true, but I phrased my question like I did because I already know that it's possible and a person just has to be as careful as possible and be on guard for it. As far as I know there is not a defense against it other than not connecting until verifying the name of the wifi you're intending to connect to. Please let me know if I'm wrong, because stuff like that is why I asked this question. – CChriss – 2010-12-07T01:59:17.583

The whole point of the Evil Twin attack is that verifying the name will not help you! That was the point of my message. You can do everything right and still end up using a malicious wireless network - so you really must use end to end encryption for your whole connection - don't even trust using http then moving to https, as initial session cookies may be reused! – Rory Alsop – 2010-12-07T09:22:16.397