Staying safe on public wifi
Published May 21st, 2015 at 12:54 PM EDT, modified May 21st, 2015 at 12:54 PM EDT
Everyone has to use public wifi now and then. It is somewhat common knowledge that this is unsafe, but most people aren’t entirely sure what to do about that, other than not visiting sensitive sites, like their bank site. Fortunately, there are some good tricks to keeping your Mac and your data safe on public wifi.
The dangers of public wifi are fairly easy to understand. There are a few basic risks. The first is that anyone connected to the same public wifi network can “sniff your packets.” (No, that’s not something dirty, stop grinning like that!) This means that they can capture and view any data that is sent over the network. So all the data you’re sending and receiving can be viewed, unless it is encrypted in some way.
Encryption helps, but not all data is encrypted by default. E-mail messages, for example, are sent and received in clear text (i.e., not encrypted). Even some passwords are sent in clear text! Secure sites (i.e., sites with addresses starting with “https://”) encrypt all data, but a particular site could still have vulnerabilities that allow an attacker to impersonate you and gain access to your account on that site.
Worse is what is called a “man-in-the-middle” attack. This happens when an attacker occupies a privileged position on the network. (This generally means they own the network.) This can happen if you join a network set up by a hacker to lure people in with the promise of free wifi. The network could even be given an enticing name, like “Starbucks Hi-Speed”, which could imply an ownership of the network by Starbucks when it’s really being run by a hacker.
In such a case, the network could actually redirect you to malicious sites. For example, if you try to log in to PayPal while on such a network, you might actually end up on a phishing site designed to look just like PayPal, and to steal your PayPal login information when you enter it. Next thing you know, your PayPal account has a bunch of strange charges on it.
In addition, having your Mac connected to a network full of strangers exposes you to other risks. If you have file sharing turned on, for example, someone else on the network could potentially gain access to your Mac and browse through your files. There are many server processes built into Mac OS X, all designed to accept incoming connections from other computers. Most are off by default or harmless, but many people won’t know what might have gotten turned on or when there might be some kind of vulnerability that could be exploited by a hacker on the same public wifi.
So what can be done about all this? Here’s what I advise doing whenever on public wifi:
Turn off Bluetooth
To prevent any attempts to connect to your computer via Bluetooth, rather than wifi, while out in public, turn off Bluetooth. This may not be feasible if you are using a wireless mouse with your MacBook, but if you’re not using Bluetooth, turn it off. This can be done very easily in the Bluetooth pane of System Preferences. There’s even an option there to display a Bluetooth item in the menu bar, from which you can turn Bluetooth on and off without delving into System Preferences.
Use a VPN
A VPN, or “virtual private network,” is a way to, in essence, connect to a network that’s not really there. A good VPN will encrypt all communications between your computer and the VPN, protecting them from snooping in transit through insecure public wifi. (Of course, this requires that you trust the VPN, otherwise you’re substituting one untrusted network for another.)
Businesses will sometimes provide a VPN to employees, and universities to staff and students, as a method for allowing remote access to internal servers. (For example, consider a university library with content only available to people connecting from a university network. A university VPN would allow people using it to access that content remotely, because the VPN gives access to the university network.)
If you have access to such a VPN, check with the folks providing it to make sure it encrypts traffic. If it does, use that. If you don’t have one, or if you’re provided one with no encryption, look for another option. I’ve been using IPVanish recently with good results, and like it in particular because it’s fairly easy to set up without installing any software. (Mac OS X has support for VPN connections built in.) This is not to say that I have done any exhaustive comparisons and found IPVanish to be the best. There are plenty of other options, and some may even be better for all I know.
Be careful of free VPN services, though. Nothing is truly free in this world, and many of the “free” VPNs will inject advertising into web pages you visit.
Without a VPN 🙁
With a good VPN, you can go to your bank site with impunity on any public wifi. However, if you can’t use a VPN for whatever reason, you’ll need to take some other precautions.
Turn on the firewall
Most of the time, the firewall on your Mac is completely useless. It doesn’t protect you against anything on a trusted network, and just annoys you when asking for permission to allow a connection. On public wifi, however, it becomes useful for preventing anyone from connecting to your Mac, but only if you configure it properly!
Go to System Preferences and click the Security & Privacy icon. (If you don’t see that, or if you’re using an older version of Mac OS X where it has a different name, enter “firewall” in the search box in the top right corner of the System Preferences window to find the right preference pane.)
Once you’ve found the firewall settings, turn on the firewall. In order to do that, you may need to unlock it, by clicking the lock icon in the lower left corner of the window and entering your admin account password.
After you have turned on the firewall, click the Firewall Options button. A “sheet” window will drop down. The first option there should be “Block all incoming connections” – check that box. This will prevent all incoming connections, which will mean that certain things will stop working. File sharing, for example, will be unavailable until the firewall is turned back off.
Once you’ve got it configured, just turn the firewall on any time you have to use public wifi, and turn it back off again when you’re back on a trusted network, like your wifi at home.
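The firewall setting covers for whatever server processes happen to be running. To see which ones are actually accepting connections from other machines, this added example (not part of the original article) filters lsof output for TCP listeners that are not bound to loopback. The function names, the port labels and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and prints one line per
# service reachable from other machines: "<command> <port> <label>".
exposed_listeners() {
    awk '
        BEGIN {
            # Standard ports of common OS X Sharing services (illustrative).
            label["22"]   = "Remote Login (SSH)"
            label["445"]  = "File Sharing (SMB)"
            label["548"]  = "File Sharing (AFP)"
            label["5900"] = "Screen Sharing (VNC)"
        }
        $1 == "COMMAND"   { next }   # header row
        $NF != "(LISTEN)" { next }   # listening sockets only
        {
            name = $(NF - 1)                 # e.g. *:445 or [::1]:631
            n = split(name, parts, ":")
            port = parts[n]                  # text after the last colon
            host = substr(name, 1, length(name) - length(port) - 1)
            # Loopback-only listeners cannot be reached from the network.
            if (host ~ /^127\./ || host == "[::1]") next
            key = $1 " " port
            if (key in seen) next            # same service on IPv4 and IPv6
            seen[key] = 1
            print key, ((port in label) ? label[port] : "unrecognized")
        }
    '
}

# Constructed sample input (not captured from a real machine).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   21u  IPv4 0x0001      0t0  TCP *:445 (LISTEN)
launchd     1 root   22u  IPv6 0x0002      0t0  TCP *:445 (LISTEN)
cupsd      88 root    5u  IPv6 0x0003      0t0  TCP [::1]:631 (LISTEN)
cupsd      88 root    6u  IPv4 0x0004      0t0  TCP 127.0.0.1:631 (LISTEN)
launchd     1 root   30u  IPv4 0x0005      0t0  TCP *:22 (LISTEN)
exampled  412 user    9u  IPv4 0x0006      0t0  TCP *:8080 (LISTEN)
EOF
}

sample_lsof | exposed_listeners
# On a Mac, check the real state with:
#   lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners
```

Anything listed here is what “Block all incoming connections” is shielding; run it with sudo to include listeners owned by other users.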
Avoid sensitive sites
Since you can’t prevent packet sniffing without a VPN, you’ll need to be selective about the sites you visit. Don’t connect to anything that would be disastrous if it got hacked, whether it’s a secure site or not. If at all possible, make sure you have two-factor authentication turned on for any accounts you’re using on public wifi. (Two-factor authentication generally uses something besides just a password – such as a special code texted to your cell phone – to verify that you are who you say you are.)
Encrypt e-mail passwords
Some older mail servers may not encrypt your passwords by default. In other words, your password will be sent in clear text, plainly visible to any packet-sniffing hackers on the same public wifi. Ensure that your e-mail client (such as Mail) is set to use SSL when connecting to the mail server. This will ensure that the password is transmitted securely. Check with your mail provider for configuration instructions. If they don’t support SSL, don’t check mail on that account from an insecure network. In fact, don’t even open the Mail app at all!
Nothing, of course, can ever guarantee you total security online. But if you take these basic precautions, you should be far more secure while using public wifi. Keep in mind, also, that hackers tend to go after “low-hanging fruit.” Like the old joke that you don’t have to run faster than the bear, you only have to run faster than the other guy, making yourself a harder target than the person in the next seat will mean you’re far less likely to be targeted in the first place.