By Jacob Hoffman-Andrews/The Electronic Frontier Foundation
If you follow security on the Internet, you may have seen articles warning you to “beware of public Wi-Fi networks” in cafes, airports, hotels and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was.
The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communications – for instance, by sniffing packets from unencrypted Wi-Fi or by being the NSA – they could read your e-mail. They could also steal your passwords or your login cookies and impersonate you on your favorite sites. This was widely accepted as a risk of using the Internet. Sites that used HTTPS on all pages were safe, but such sites were vanishingly rare.
However, starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of “sniffing” insecure HTTP to take over people’s accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.
Posted on January 30, 2020