Using public Wi-Fi without protection is a risky business
In this day and age, HTTPS isn't enough. To be truly secure, you need a VPN
I’m one of those weird people who actually likes flying long haul. It’s time away from the normal pressures of day-to-day work. It’s quite comfortable, the food is good and it’s an opportunity to catch up on movies that I didn’t catch in the cinema. It helps that I usually turn left when getting onto a plane these days. When I reached the heady age of 40, I decided that long-haul flights in economy were too much like hard work. And, with increasing age, I noticed that it took longer for me to recover from a flight involving multiple time zone changes.
Another reason I love flying is that it gives me a chance to explore airport lounges. These are fascinating things with a real social hierarchy at work. Scrape together enough tier points for British Airways at Heathrow Terminal 5 and, armed with your trusty Silver card, you can get into the Silver lounge where bacon butties are served. Get enough for Gold and it’s a cooked breakfast buffet. Fly long haul in first class and the Concorde Room awaits, complete with silver service.
Then there’s the people-watching. In the Silver lounge, you’ll spot a lot of Dell and Lenovo. Solid work laptops, doing work things, and Samsung smartphones are the order of the day. Move up to Gold lounge, and there’s a shift to Apple MacBook Pros and iPhones, which are evidently favoured by the board-level members and artistic types.
In the Concorde Room, all I see are iPad Pros. That’s if they have anything, because I guess the truly wealthy will have someone to do that stuff for them. One wouldn’t want to be quite so grubby as to tweet oneself. But I’ve spotted an odd trend: the rise of the Linux laptop. I’ve pondered long and hard about this and can only conclude that these are the dodgy super-rich, the sort for whom heavy encryption is the norm, along with keeping away from any US-hosted cloud services. Last week, it was four burly Russians sat around a table with laptops running what looked, from afar, like Linux Mint.
How fascinating it would be to get access to the underlying network data to see just how realistic my feeble sampling is. On more than one occasion, I’ve been tempted to fire up Wi-Fi packet sniffing tools and Wireshark analysis to see what was going on. One would hope that almost everything would be HTTPS or equivalently encrypted, but I somehow doubt that’s the case. In truth, it’s probably best I don’t – especially if sitting near to a Mr Big (or Bigsky).
One thing’s certain: when out in a crowded public space such as a terminal lounge, locking down all of your traffic via a VPN tunnel is a prerequisite. The same applies to your local high-street coffee shop, of course; it’s just that you tend to go home after that, rather than to another continent.
So how often do people protect themselves in this manner? Again, my sampling is unreliable, but my best guess is not very often at all. And that’s to be expected. It really is time that the underlying operating systems we use on a daily basis immediately recognise when we’re on neither our work nor home networks, and take appropriate measures to protect our machines. And to do so seamlessly, without user input.
I’m sure there are management tools that can do this for large corporations, with appropriate certificates and access control lists, but the rule needs to apply across the board. Unless we’re connected to our home or work network – or an approved mobile hotspot device such as our phone – connections should be treated as untrusted and require a VPN tunnel to a known endpoint. For myself, I tunnel back to the lab in Huntingdon from my laptop and phone. Home users have fewer choices, although they ought to be able to tunnel back to a home network, if necessary via a cloud lookup service. The least happy solution is to tunnel to an endpoint managed by a third-party company, but even that is better than nothing.
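The rule described above, sketched as a small fail-closed state machine. This is an added example, not code from the article; the network names, MAC addresses and event names are constructed assumptions. It goes slightly beyond the text by also covering a tunnel that drops while on an untrusted network.

```python
import re

# Constructed allow-list: (SSID, gateway MAC) -> label. Assumption: the OS
# can report both values for the current connection.
TRUSTED = {
    ("HomeNet", "02:00:00:aa:bb:01"): "home",
    ("LabNet", "02:00:00:aa:bb:02"): "work",
    ("MyPhone", "02:00:00:aa:bb:03"): "approved hotspot",
}

def norm_mac(mac):
    """Return the MAC in lower-case colon form, or None if it is malformed."""
    s = (mac or "").lower().replace("-", ":")
    return s if re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", s) else None

def is_trusted(ssid, gateway_mac):
    """Trusted only if the name and the gateway MAC both match one entry.
    Neither value is authenticated, so this is a hint, not proof; the
    certificate-based checks used in managed setups are stronger."""
    return (ssid, norm_mac(gateway_mac)) in TRUSTED

class Policy:
    """Tracks link and tunnel state; every unknown state fails closed."""
    def __init__(self):
        self.trusted = False
        self.vpn_up = False

    def handle(self, event, ssid=None, gateway_mac=None):
        if event == "connect":
            self.trusted = is_trusted(ssid, gateway_mac)
            self.vpn_up = False      # an old tunnel does not carry over
        elif event == "disconnect":
            self.trusted = self.vpn_up = False
        elif event in ("vpn_up", "vpn_down"):
            self.vpn_up = (event == "vpn_up")
        else:
            raise ValueError(f"unknown event: {event}")
        return self.action()

    def action(self):
        if self.trusted:
            return "allow-direct"
        if self.vpn_up:
            return "allow-tunnel-only"   # traffic may leave only via the VPN
        return "block-until-vpn"         # start the tunnel, pass nothing else
```

A network that reuses a trusted name but sits behind a different gateway is treated as untrusted, and losing the tunnel returns the machine to `block-until-vpn` rather than falling back to direct traffic.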
Now some people might claim that this is all paranoia and unnecessary in a modern segregated network. And they might be right. But I’d rather trust my own security than have to consider whether I might or might not be safe.
So here’s my question, dear reader: do you run a VPN when away from your home or office, whether it’s for work purposes or just for good security for home operations? If you don’t, I would humbly suggest you reconsider. Until such connections become automatic, as outlined above, it’s down to you.