Why HTTPS alone won’t keep you safe on public WiFi
Posted on April 5th, 2019 by Richie Koch in Privacy & Security.
Most websites now use HTTPS to encrypt your connection and add an additional layer of protection to your data. But if you are on public WiFi, using HTTPS without a VPN means that some of your data will still be vulnerable.
Edit: An earlier version of this blog post could have been misunderstood as implying that TLS 1.2 has been broken. We have removed the section that could cause this confusion.
The Hypertext Transfer Protocol Secure, or HTTPS, encrypts the traffic between your device and a website, making it difficult for intruders to observe the information being shared. It also provides signatures, or HTTPS certificates, that allow you to verify that the site you are on is run by whoever it claims to be. HTTPS has become a standard security feature for nearly all websites.
If HTTPS encrypts your connection with a site, then isn’t public WiFi safe? Unfortunately, HTTPS does not encrypt all your data; DNS queries, for example, are sent in the clear. If you are using public WiFi without a VPN, you are putting yourself at risk.
How HTTPS works
HTTPS uses the Transport Layer Security (TLS) protocol to secure the connection between a web browser and a website. A protocol is simply a set of rules and instructions that govern how computers communicate with each other. The TLS protocol is the backbone of securing online connections. It’s what allows you to enter your login credentials, browse websites, or perform online banking without others seeing the contents.
TLS uses private-key cryptography. A key is simply a code used by the computers involved in a message exchange, and a private key is one that is not open to the public. To establish a trusted connection, your browser and the web server begin a “handshake” by sharing public keys. Once the handshake is complete, the server and browser negotiate private keys to encrypt your connection. Each connection generates its own unique private key, and the connection is encrypted before a single byte of data is transmitted. Once the encryption is in place, intruders cannot monitor or modify the communications between the web browser and the website without being detected.
TLS also uses digital certificates that authenticate a website and let you know that the data comes from a trusted source (or from a site that claims to be one). A digital certificate is issued by a certificate authority.
This system still has certain vulnerabilities, as we will discuss below, but it is considered secure. The first vulnerability that using public WiFi without a VPN exposes you to is the fact that TLS does not protect domain name system (DNS) queries (yet).
What is a DNS query?
The domain name system translates human-friendly URLs into the numerical IP addresses that computers use. For example, to visit our site, you type in the URL https://protonvpn.com, but your computer sees it as 185.70.40.231. To find this number, your web browser uses what is called a DNS resolver, which is usually supplied by your Internet service provider. Think of this resolver as a sidekick who scurries around translating the URL of the site you wish to visit into its IP address.
Your DNS request is not encrypted. An intruder can observe your DNS queries and your DNS resolver’s responses to them. This leads us to the first attack you could suffer if you use public WiFi without a VPN: DNS leaks.
DNS leak
If someone were to monitor your DNS queries, they would have a list of all the sites you visited along with your device’s IP address. Given the weak security of most public WiFi hotspots, it would be relatively simple for an intruder to gain access to the network and then log your DNS queries. Your data could still be at risk even if there is no intruder because the resolver on the public WiFi could harvest your data itself.
DNS spoofing
A DNS leak allows an intruder to monitor your activity, but if an attacker spoofs your DNS requests, they can redirect you to a malicious site they control. Also known as DNS poisoning, this happens when an attacker pretends to be your DNS resolver and replaces the IP address of the website you asked for with the IP address of a site under their control. The URL would be the same as the site you intended to visit, but the site would be controlled by the attacker. Modern browsers will generally alert users that they are on a site without HTTPS, and this attack won’t work against HTTPS sites that have a valid certificate.
However, with a variation of DNS spoofing, an attacker could send you to a site with a slightly different URL from the one you intended to visit. Think “protomvpn.com” instead of “protonvpn.com”. Moreover, this type of fake site can use HTTPS and have a valid certificate. Your browser would show a green lock next to the address, making it harder to detect.
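The leak and the spoofing described in the two sections above, as an added Python example that is not from the original post: it builds DNS packets in RFC 1035 wire format (constructed sample traffic, with 203.0.113.5 standing in for an attacker-controlled address), then parses them as a passive observer on the same WiFi could, listing every queried name in the clear and flagging a transaction that received two different answers.

```python
# Added example (not from the original post): constructed DNS traffic in RFC 1035 wire
# format, parsed the way a passive observer on an open WiFi could parse it.
import struct

def encode_name(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte (no compression)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    """Standard A query: 12-byte header (RD set), one question, QTYPE=A, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def build_response(query: bytes, ip: str) -> bytes:
    """Answer `query` with one A record; the RR name is a pointer (0xC00C) to the question."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr

def read_name(pkt: bytes, off: int) -> tuple:
    """Decode labels at `off`, following a compression pointer if one appears."""
    parts = []
    while True:
        n = pkt[off]; off += 1
        if n == 0:
            return ".".join(parts), off
        if n & 0xC0 == 0xC0:                       # pointer into an earlier name
            tail, _ = read_name(pkt, ((n & 0x3F) << 8) | pkt[off])
            return ".".join(parts + [tail]), off + 1
        parts.append(pkt[off:off + n].decode()); off += n

def observe(packets: list) -> dict:
    """Everything the eavesdropper learns in clear: {txid: (queried name, [answer IPs])}."""
    seen = {}
    for pkt in packets:
        txid, _flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
        name, off = read_name(pkt, 12)
        entry = seen.setdefault(txid, (name, []))
        off += 4                                   # skip QTYPE and QCLASS
        for _ in range(ancount):                   # zero for queries
            _, off = read_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
            if rtype == 1:
                entry[1].append(".".join(str(b) for b in pkt[off:off + 4]))
            off += rdlen
    return seen

def conflicting(seen: dict) -> list:
    """TXIDs answered with more than one distinct IP: the signature of a spoofing race."""
    return [t for t, (_, ips) in seen.items() if len(set(ips)) > 1]

# Constructed sample: a query, the genuine answer, a forged second answer, another query.
QUERY = build_query(0x1234, "protonvpn.com")
TRAFFIC = [QUERY, build_response(QUERY, "185.70.40.231"), build_response(QUERY, "203.0.113.5"), build_query(0x1235, "example.org")]
```

Nothing in `observe` needs a key or a session; every field it reads is plaintext on the wire, which is the whole reason a DNS leak is a leak.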
Punycode
Unfortunately, with recent Punycode attacks, hackers have found a way to make two websites that appear to have the same URL, each with a valid HTTPS certificate. Punycode is a type of encoding used by web browsers to convert all the different Unicode characters (like ß, 竹, or Ж) into the limited character set (A-Z, 0-9) supported by the domain name system. As an example, if a Chinese website used the domain “竹.com”, in Punycode that would be represented as “xn--2uz.com”.
Intruders discovered that if you reverse the process and register a domain made of such characters, then as long as all the characters come from a single foreign script and the decoded domain looks identical to the targeted domain, browsers will render it in the targeted domain’s normal script. In the example used in The Hacker News article linked above, a researcher registered the domain “xn--80ak6aa92e.com”, which appeared as “apple.com”. The researcher even built this fake Apple site to demonstrate how hard it is to tell the two apart from the URL and HTTPS information alone.
As the researcher’s example demonstrates, a Punycode site can implement HTTPS and receive a valid certificate, making it very hard for you to detect that you are on a fake site. Only by examining the actual details of the HTTPS certificate can you differentiate between “xn--80ak6aa92e.com” and “apple.com”.
Fortunately, many browsers have already addressed this vulnerability, and most now show the address as xn--80ak6aa92e.com.
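An added Python example, not from the original post or the researcher’s demo, showing the Punycode conversions above in both directions and the check a defender can run on a decoded label: detect its script and map known Cyrillic lookalikes (a small constructed table, not a full Unicode confusables list) to Latin to see whether the label impersonates a watched name.

```python
# Added example (not from the original post): Punycode conversion plus a
# lookalike check of the kind browsers apply before showing a Unicode label.
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u04cf": "l"}   # U+04CF palochka is the "l" in the apple lookalike

def to_ascii(host: str) -> str:
    """Encode a Unicode hostname into its xn-- (Punycode) form, label by label."""
    out = []
    for label in host.lower().split("."):
        out.append(label if label.isascii()
                   else "xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def to_unicode(host: str) -> str:
    """Decode xn-- labels back to Unicode, as a browser does before rendering."""
    out = []
    for label in host.lower().split("."):
        out.append(label[4:].encode("ascii").decode("punycode")
                   if label.startswith("xn--") else label)
    return ".".join(out)

def scripts(label: str) -> set:
    """Crude script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label: str) -> str:
    """Map known lookalikes to their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in label)

def homograph_check(host: str, watched: tuple) -> dict:
    """Does the first label, once decoded, look like a watched brand name?"""
    first = to_unicode(host).split(".")[0]
    sk = skeleton(first)
    return {"unicode": first, "scripts": scripts(first), "skeleton": sk,
            "impersonates": sk if sk in watched and sk != first else None}

if __name__ == "__main__":
    print(to_ascii("竹.com"))                          # xn--2uz.com
    print(homograph_check("xn--80ak6aa92e.com", ("apple", "protonvpn")))
```

A single-script check alone passes the Cyrillic “apple” (every letter is Cyrillic), which is exactly why the skeleton comparison is needed on top of it.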
Use a VPN on public WiFi
These are just some of the vulnerabilities you face when using an unsecured public WiFi network. Even if you visit a legitimate site with properly enforced HTTPS, it could contain images or scripts from sites not protected by HTTPS. An attacker could then use these scripts and images to deliver malware onto your device.
A trustworthy VPN can protect you from all of these vulnerabilities. A VPN encrypts your traffic and routes it through a VPN server, meaning that your Internet service provider (or the owner of a malicious WiFi hotspot) cannot monitor your online activity. This additional encryption will protect your connection from a TLS downgrade attack.
Comprehensive VPN services, like Proton VPN, also run their own DNS servers, so that they can encrypt and process your DNS queries. Proton VPN’s apps protect you from a DNS leak by forcing your browser to resolve DNS queries via our DNS servers. We even protect your DNS queries if you are disconnected. Our Kill Switch feature instantly blocks all network connections if you are disconnected from your VPN server, keeping your data from being exposed.
Proton VPN’s Free VPN plan offers everyone a free, simple way to protect their Internet connection against these attacks. With our free VPN service, you never have to use public WiFi without a VPN again.
Best Regards,
The Proton VPN Team
Richie Koch
Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.
Public Wi-Fi VPN – The Best Way to Secure Public Wi-Fi with VPN
A public Wi-Fi VPN can help you escape security risks. Get the best VPN for public Wi-Fi to protect your online safety when connecting to open Wi-Fi hotspots.
By Jane Updated on Jan 31, 2023
Undoubtedly, public Wi-Fi offers easy and convenient access to the internet. People usually find this Wi-Fi in hotels, cafes and shopping malls. But security is one of the major concerns when it comes to open hotspots. Therefore, you need to be very careful when accessing free internet outside your home. And a VPN for public Wi-Fi can help keep your connection private.
In this article, you will learn everything you need to know about public Wi-Fi VPN.
What Is Public Wi-Fi
As the name suggests, it is free internet access commonly found in popular public places such as malls, restaurants and airports. These hotspots are widespread, and people frequently use them for free. But it should not be that simple: public hotspots are not safe. Still, many people connect to them without thinking twice.
A number of risks go along with public networks. Security and privacy should be top concerns when connecting to them. A hacker can position themselves between you and the access point, and can use an unsecured network to distribute malware. Therefore, it’s a necessity to use a free VPN on public Wi-Fi.
Why Do You Need a VPN for Public Wi-Fi
As discussed above, using a public network can be very risky. Public hotspots can leave you vulnerable to hackers, third-party stalkers and others, who can attack you and steal your information. First of all, hackers see public hotspots as an easy way to target you and your personal data, and through them they can gain access to your private information. Other than hackers, commercial entities may want to capture your key information. These entities make it easy for users to use free Wi-Fi, and in return they grab as much information as they can to optimize their marketing and communications with users. So your private data, including your IP address, browsing history or location, might be at risk.
Of course, no one wants to put their privacy at risk. For that purpose, a Virtual Private Network (VPN) is a great tool for boosting your privacy. A solid VPN for public Wi-Fi encrypts your online data even when you are using a public hotspot. If you don’t want to be exposed online, you’d better get the best public Wi-Fi VPN.
What Is the Best Public Wi-Fi VPN
iTop VPN is a highly recommended free VPN for use on public Wi-Fi outside your home. It can keep you safe while you are connected to those free networks. Most importantly, it comes with top-notch security and privacy protection.
- Safe VPN for Windows, Mac, iOS
- Connect up to 5 devices simultaneously
- 1800+ VPN servers in 100+ locations
- Block ads, split tunneling, Kill Switch
- Dedicated servers for streaming, gaming, and social media