HTTPS Means You Should No Longer Be Afraid of Public Wi-Fi EFF explains why you can safely use public Wi-Fi February 1, 2020 https://news.softpedia.com/news/htt...longer-be-afraid-of-public-wi-fi-529052.shtml EFF: Why Public Wi-Fi is a Lot Safer Than You Think
I also think that. Updated OS + inbound firewall + authenticated&encrypted DNS service + HTTPS on the webpage and it should be fine for a lot of stuff.
I would never use public Wifi with just HTTPS.... VPN or SSH tunnel is a must to make sure you are safe. Why? Because many sites still (even with things like free Let's Encrypt certificates) don't HTTPS their whole sites but only parts of them, worse some idiotic sites used to start connection to login pages in pure HTTP(!) and then switch to HTTPS (yeah, im looking at you yahoo...) Also, there has been well known HTTPS downgrade attack from 2009 that has been only recently been fixed by HTST.... which still is not used by everyone.... curl -s -I https://www.google.com | grep Strict-Transport-Security Gives you nothing! curl -s -I https://www.gmail.com | grep Strict-Transport-Security Gives you also nothing! Only by adding -L switch (follow redirection to the real target: https://www.google.com/gmail) curl -L -s -I https://www.gmail.com | grep Strict-Transport-Security Strict-Transport-Security: max-age=31536000; includeSubDomains At least facebook is okay.... curl -s -I https://www.facebook.com | grep Strict-Transport-Security Strict-Transport-Security: max-age=15552000; preload Besides downgrade attacks, failures to use HTTPS everywhere there is also the very real possibility of MiTM attack by changing the certificates on the fly by modified Wifi-Router. Especially in dictator countries, in public airports, this is more than likely that the goverment have bunch of valid SSL certificates registered either directly to them or throught some shell-corporation. And your browser won't cry Wolf because often those dynamically on-the-fly changed certificates are trusted by the damn browser. It's really not any different what your anti-virus possibly is doing right now to inspect HTTPS connection but on larger scale of course ... For example, real NSA cert from one of my old posts... https://www.orwell1984.today/nsa_real_ssl_cert.png And this is how Avast changed it on-the-fly and browser was totally okay with it https://www.orwell1984.today/nsa_avast_spoofed_ssl_cert.png So for the love of god, don't trust only HTTPS when using public Wi-Fi....
I don't see it that often nowadays. I think that intermediately-advanced users figured it out which sites from the pool of sites they use and log in do that dangerous thing. Actually I was using Yahoo e-mail account, but I always used Thunderbird (IMAP over TLS) on public Wifi networks, never Yahoo webmail. Firefox won't downgrade if you typed in* full URL including https prefix. It is important to include that https prefix to prevent MitM. Firefox is (or at least was) superior to Chrome in that regard. *By typed in I mean also copy&paste from password manager or using a bookmark.
https://news.netcraft.com/archives/...rvers-vulnerable-to-trivial-mitm-attacks.html EDIT: Few people type the protocol part.... Heck! Even I don't type it anymore and I have been using net since 1995.... Point is: 1) No one really explicitly type https 2) Almost always, the HTTPS site first connection is unencrypted HTTP (usually by HTTP -> HTTPS redirection). And even if it isn't, the first connection is not using HSTS, only the connections after that...(*if* the site has configured HSTS ...) 3) 2016 95% HTTPS site (according to that netcraft article) were not using HSTS ..... and it's been standard since 2012 so adoption has been really sloooooooow....
I wouldn't use my computer or smartphone nowhere near the border to log into anything important with or without VPN. It is advised to not use PC there at all, but checking weather or public transport to the hotel on freshly installed copy of OS is acceptable. Exactly what I said. I must admit I behave slightly differently online when using public Wifi networks, but I used them without VPN even for things like logging into my bank webpage. I know my bank webpage, I know bank have done good securing that web page. I always copy&paste URL to Firefox from password manager, after connecting check for sign of lock and check who issued their extended validation certificate. Not to mention bank uses 2FA.
None of those really matter if network owner can decrypt the SSL, inspect and modify the HTTP stream.Your extended validated green lock certificates can be manipulated, the DNS connections that you device makes can be manipulated easily within public Wifi (heck, it's their network after all that you are connecting and doing ARP spoofing is trivial...). The only thing protecting you is that 2FA. And VPN or SSH
Well, I type https on important websites such as my bank account. If you type domain without protocol part then yes, browser uses both unsecure http and secure https, but again I type protocol part on important sites. As I said by typing I also mean copy&pasting from password manager or using bookmark. Ev certificates may be manipulated on public Wifi as easily as on private Wifi or ethernet network in my home. I have file (which I memorized) with issuers of certificates for some sites important for me. Not every certificate manipulation would hide from my attention.