How can you prevent others from eavesdropping on network traffic when operating a PC on a public Wi-Fi hotspot?

Introduction


By default, Wi-Fi is not secure. On private networks you can enable encryption to prevent unauthorized people from connecting and reading the traffic as it travels through the airwaves, but depending on the security mode you use, connected users may still be able to eavesdrop on each other’s traffic. And although public networks may use web-based authentication (captive portals), most don’t use actual encryption. Thus anyone nearby can eavesdrop on the hotspot traffic, even without being a paying customer.


Here I’ll discuss this Wi-Fi eavesdropping issue and share some tips on how to protect the users on your private network and how to protect yourself when using public Wi-Fi hotspots.


What Eavesdropping Can Reveal


To better understand Wi-Fi eavesdropping, you should know what one might be able to do with the Wi-Fi traffic they capture from the airwaves. They could capture your passwords and content for services or sites you sign into that aren’t using SSL encryption, most commonly your POP3/IMAP email and FTP connections. They could also hijack your logins to unencrypted sites like Facebook and Twitter. And on private networks, they may also be able to capture file transfers.


Fortunately, people eavesdropping on your Wi-Fi traffic can’t easily capture your login credentials or hijack your sessions to services and sites using SSL encryption, like your banking sites. But those connections are still susceptible to the other known SSL vulnerabilities, which is a whole other subject.


Protecting Yourself on Public Networks


Since most Wi-Fi hotspots don’t use encryption, providing no protection of your traffic at all, eavesdropping is likely more of a concern there than it is on private networks. In other words, take hotspot security seriously. Obviously, there’s not a Wi-Fi hacker at every hotspot, but the tools these days are so easy to use that pretty much anyone can use them. And it takes no more than a smartphone to capture your passwords or to hijack your accounts.


The best way to keep your traffic secure while on Wi-Fi hotspots is to connect to a Virtual Private Network (VPN), maybe to your work’s network, a server you set up at your home, or a hosted service designed specifically for hotspot security, such as Private WiFi or Hotspot Shield. When connected to a VPN, all your Internet traffic is sent from your computer/device through an encrypted tunnel to the VPN provider’s network. Thus it’s encrypted and secured from any local Wi-Fi eavesdroppers at the hotspot.


If you can’t (or prefer not to) use a VPN, you should at least make sure any services or sites you use while on the hotspot are secured with SSL encryption. When SSL is used, the web browser will show an https address, instead of http, and will display a padlock or some other indicator. For email client programs, such as Outlook or Thunderbird, you need to make sure SSL is being used for the POP3 or IMAP and SMTP server connections. However, many email providers don’t support encryption. If yours doesn’t, you may want to look into other solutions, such as Neomailbox, Hushmail, or 4Secure-mail.


Regardless of whether you’re on a public hotspot, you should always make sure any website you log onto that deals with sensitive information, or any service you use (such as email and FTP), is protected with SSL encryption. This will ensure the information passing to and from your computer and the site or service is secure.


Protecting Your Private Network


Though Wi-Fi eavesdropping is more of an issue when on untrusted networks, it can still be a concern on your private network. Your users should be “trusted”, but you could still have rogue employees, or even intruders, sniffing the wired network and/or wireless network. Though using the Pre-Shared Key (PSK) mode of WPA2 security (also called the Personal mode) for your wireless network encrypts the data and requires people to enter a password to connect, it still allows anyone on the network to read anyone else’s traffic.


The Enterprise mode of WPA2 security (also called the 802.1X or EAP mode), however, prevents users from reading each other’s traffic. This is because each user is given unique login credentials (username/password and/or a digital certificate) to connect to the wireless network instead of using a global password like with the Personal mode. When users log in via the Enterprise mode, they’re automatically assigned unique encryption keys that regularly change.


The Enterprise mode of WPA2 security, however, requires an authentication server, commonly called a Remote Authentication Dial In User Service (RADIUS) server. But if you’re running a Windows Server, you could use the Internet Authentication Service (IAS) component of Windows Server 2003 R2 and earlier or the Network Policy Server (NPS) component of Windows Server 2008 and later.


If your current servers don’t provide RADIUS functionality, there are still many free and low-cost servers out there, such as FreeRADIUS, TekRADIUS, ClearBox, and Elektron. Some access points (like the HP ProCurve 530 or the ZyXEL NWA-3500, NWA3166 or NWA3160-N) even have embedded RADIUS servers, great for smaller networks. And if you don’t want to run your own server at all, there are hosted services, like AuthenticateMyWiFi.


Summary


As we’ve discussed, Wi-Fi eavesdropping can be a real issue on public Wi-Fi hotspots. The best way to protect yourself is by connecting to a VPN, or at least ensuring that the sites or services you log into are using SSL encryption. Then for your private network, security shouldn’t stop at the barriers. You should also be concerned about the internal security and ensure users can’t snoop on each other’s Wi-Fi traffic. And to prevent snooping on the wired side, consider implementing Internet Protocol Security (IPsec) to authenticate and encrypt Ethernet traffic as well.

So you're at your favorite coffee shop and have hopped onto the free WiFi with your tablet to check your social networks, read the latest news, and maybe take a quick peek at your bank balance while you're enjoying your latte. We're so used to having Internet access whenever and wherever we need it that we don't often stop to consider whether logging into a public network is safe.

Over the last decade, Techlicious has been tracking the dangers of using public WiFi, and we have found three major ways these free public hotspots could get you into trouble. And to keep you safe, we recommend five simple things you can do to protect your privacy when you use public WiFi. 

The 3 big risks of free public WiFi

Using public WiFi is like having a conversation in a public place: Others can overhear you unless you take precautions.

1. Your personal information is sent in clear text

If you don't take precautions, information your devices send over a public WiFi network goes out in clear text — and anyone else on the network could easily take a look at what you're doing with just a few simple software tools.

Someone spying could easily pick up your passwords or other private information. If you use the same password on multiple sites, that could be a big problem. This is the biggest concern with public hotspots.

2. You connect to a honeypot WiFi hotspot set up by thieves

The next potential problem is what is called a honeypot. Thieves might set up their own WiFi hotspot with an unassuming name like "Public WiFi" to tempt you to connect so they can grab up any data you send. These are easy to set up without any kind of special equipment — it could be done just using a laptop or smartphone — so you could run into them anywhere. 

3. Hackers hijack your connection to social media and other sites

Finally, using public WiFi puts you at risk for session hijacking. This is when a hacker who's monitoring your WiFi traffic attempts to take over an open session you have with an online service (like a social media site or an email client) by stealing the browser cookies the service uses to recognize who you are. Once hackers have that cookie, they can pretend to be you on these sites or even find your login and password information stored inside the cookie.
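
On the site operator's side, the session hijacking described above depends on the session cookie crossing the air unencrypted. The following is an added example, not code from the original article: it audits `Set-Cookie` headers for session cookies that lack the `Secure` attribute. The sample headers, the cookie names and the `SESSION_HINTS` list are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie response headers from a hypothetical site.
SAMPLE_SET_COOKIE = [
    "sessionid=c2FtcGxl; Path=/; HttpOnly",
    "auth=ZXhhbXBsZQ; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

# Assumption: name fragments that suggest a cookie identifies a logged-in user.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def audit_set_cookie(headers, fetched_over_https):
    """Return (cookie_name, problem) pairs for cookies a Wi-Fi sniffer could read."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header = one cookie plus its attributes
        for name, morsel in jar.items():
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # preference cookies are not worth hijacking
            if not fetched_over_https:
                # The response itself travelled in clear text.
                findings.append((name, "set over plain HTTP"))
            elif not morsel["secure"]:
                # Without Secure, the browser also attaches the cookie to any
                # later http:// request to the same site.
                findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_set_cookie(SAMPLE_SET_COOKIE, fetched_over_https=True):
        print(f"{name}: {problem}")
```
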

5 ways to stay safe on public WiFi

1. Know your network

Before you connect, be sure you know whose network you're connecting to so you don't fall prey to WiFi honeypots. If you're not sure what the public network at a business is called, ask an employee before connecting. And check to make sure your computer or smartphone is not set up to automatically connect to WiFi networks other than your work or home — or set it to ask you before connecting. This way you'll be sure you know what you're connecting to when you connect.

2. Keep your connection secure

Make sure to connect to websites via HTTPS, which encrypts anything you send and receive from the website. While a VPN service encrypts everything you send, HTTPS ensures that communication to and from a particular website is secure. To verify if you're connected via HTTPS, look at the address bar of your browser window; you should see "HTTPS" at the beginning of the web address (or, on some web browsers, a lock icon). 

3. Use a VPN

If you use a VPN service, anyone trying to steal your personal information will see only encrypted data. Based on our own testing, as well as third-party analysis, we chose SurfShark (on sale for $2.49 per month) as our Techlicious Top Pick for the Best VPN. It receives top marks for speed and privacy from AV Test Comparatives and is recommended by many other third party testers, including Security.org, Top10VPN, PCMag, and more. We also like the free version of ProtonVPN if you're looking to protect just one device (just your laptop or just your phone). ProtonVPN is also recommended by ZDNet and Digital Trends and sits in the middle of the pack for speed, according to AV Test Comparatives.

4. Use two-factor authentication

Whenever you can, use two-factor authentication, which requires both a password and a secondary code that changes regularly, for websites and apps. This makes it very difficult for hackers to get at your accounts because even if they can get your password, they won't have the secondary code. Authy has a list of sites that support two-factor authentication.

5. Disable file sharing

Make sure your computer isn't configured to share access to files or be seen on public or guest networks. When you're at home, it may be convenient to keep things in a folder you share with other members of the household, but that's less safe when you're connecting to public WiFi.

Disable sharing in: 

  • Windows 10 and 11: Go to Control Panel > Network and Internet > Network and Sharing Center > Change advanced sharing settings. Turn off file and printer sharing and network discovery and save changes.
  • Mac OS X: Go to System Preferences > Sharing and be sure that File Sharing doesn't have a check mark by it.
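
For the auto-connect check in tip 1 (Know your network), here is an added example that is not part of the original article: it scans saved Wi-Fi profiles on a Windows PC and lists the unencrypted ones set to rejoin without asking. The sample text is constructed and abbreviated in the style of English-locale `netsh wlan show profile name="..."` output, and the SSIDs are made up.

```python
import re

# Constructed, abbreviated sample modelled on English-locale
# `netsh wlan show profile name="..."` output; the SSIDs are made up.
SAMPLE_PROFILES = """\
Profile CoffeeShop-Guest on interface Wi-Fi:
    Name                   : CoffeeShop-Guest
        Connection mode    : Connect automatically
    Authentication         : Open
Profile HomeNet on interface Wi-Fi:
    Name                   : HomeNet
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
Profile Airport_Free on interface Wi-Fi:
    Name                   : Airport_Free
        Connection mode    : Connect manually
    Authentication         : Open
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_profiles(text):
    """Split the dump into one dict of field -> value per saved profile."""
    profiles = []
    for line in text.splitlines():
        if line.startswith("Profile ") and line.rstrip().endswith(":"):
            profiles.append({})  # header line starts a new profile
            continue
        match = FIELD.match(line)
        if match and profiles:
            # Keep the first value if a field is listed more than once.
            profiles[-1].setdefault(match.group(1), match.group(2))
    return profiles


def risky_autoconnect(text):
    """Names of saved networks that are unencrypted and rejoin without asking."""
    flagged = []
    for profile in parse_profiles(text):
        auto = profile.get("Connection mode", "").lower() == "connect automatically"
        is_open = profile.get("Authentication", "").lower() == "open"
        if auto and is_open:
            flagged.append(profile.get("Name"))
    return flagged
```

A flagged profile can be switched to manual with `netsh wlan set profileparameter name="<profile>" connectionmode=manual`, or removed if you no longer use that network.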

Good luck, and safe browsing!

Updated on 4/15/2022 with current settings information for Windows 11 and Techlicious Top Pick for the Best VPN

Elizabeth Harper is a writer and editor with more than a decade of experience covering consumer technology and entertainment. In addition to writing for Techlicious, she's Editorial Director of Blizzard Watch and is published on sites all over the web including Time, CBS, Engadget, The Daily Dot and DealNews.