How Safe Is WiFi At Starbucks?

This question originally appeared on How Safe is WiFi At Starbucks? Matthew Lai, CS grad student at Imperial College London, Pilot, Chess player, and Classical musician, answers the question thus:

It’s safe, in the vast majority of cases, and you don’t need to do anything special, or know what VPN, HTTPS, or TOR mean.

It’s tiring to see all the fear mongering going on. Yes, it’s good to be security-conscious in general, but not by spreading false information.

Yes, you can sit at a Starbucks all day and capture packets all you want, but all important packets will be encrypted using industrial strength encryption.

None of your bank details, passwords, account numbers, etc, will be transmitted un-encrypted, unless you use a family-run bank in a third world country with 5 employees. This is security 101, and banks are all very security-conscious.

Anything you do on Facebook is encrypted since Facebook switched to HTTPS default a long time ago. No one can get your Facebook account or password, or anything you post. They CAN get the fact that you are interacting with Facebook in some way if they wanted to, but that’s about it.

All webmail services (at least the big… 100?) use HTTPS.

Amazon, eBay, Paypal, Dropbox, they all use encryption by default, and most won’t even let you turn it off. It has been many many years since the last time I saw a site that would take a password un-encrypted.

All modern IM services, as far as I know, use encryption at least by default.

So if you sit at a Starbucks all day capturing traffic, what kind of information can you likely get? Which sites people are on, and approximately how much traffic they are generating with that site, and at what times/intervals … and that’s about it.

If you don’t want even that information to be public (for example because you need to contact the North Korean government), that’s when you have to start worrying about using VPN.

If you use VPN, the attacker can know the fact that you are using VPN, and which VPN server you are using, and how much total traffic you are generating.

Tor has nothing to do with this. Tor is for hiding who you are, to the website you are accessing. That’s an entirely different and unrelated issue. It does encryption as well, but in that respect alone it’s no better than VPN.

What if the encryption breaks? Well, if anyone can break AES or SHA (most popular ciphers used in SSL, which is what HTTPS is based on), they will be VERY famous, and we’ll have much more important things to worry about, like national security, since AES-256 is approved for use for information with “top secret” classification in the U.S. government.

On the other hand, what IS dangerous is using a public computer. Anything you type on a public computer should be considered public knowledge, because all it takes is a $5 keylogger from eBay for the guy before you to access anything you typed.

Enjoy the free wifi.

EDIT: One of the commenters suggested the possibility of DNS cache poisoning. So I would add one precaution to take when submitting any sensitive information online – look for the lock icon in the URL bar. If it’s not there, don’t type anything sensitive. And obviously, if there is a big fat warning that says the certificate cannot be verified, don’t click ignore.

Readers Bureau
