Are TLS v1.3 connections over open Wi-Fi secure?


  • QA Engineer

    If a non-compromised device is connected to the internet via open Wi-Fi, anyone can view the traffic.

    But if all the connections to the servers use a reasonably secure cryptographic protocol (such as a recent version of TLS), is the communication secure?

    If so, what is the harm of using open Wi-Fi if one only allows TLS v1.3 connections?



  • TL/DR: Using a public Wi-Fi is fine as long as you are making sure not to visit any site without TLS, and keep your device (particularly OS and browser) up to date.

    Man in the Middle Attacks

    An open Wi-Fi cannot compromise a properly secured TLS connection. But not every TLS connection is properly secured. The majority of the sites do not use https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security (although thankfully most major sites do), which means they are vulnerable to https://security.stackexchange.com/a/41991/235964 attacks. Most normal users, and even most tech savvy ones, will not notice it. The solution is to https://www.eff.org/deeplinks/2021/09/https-actually-everywhere in your browser.

    DNS is mostly also in clear, which allows anybody sniffing your traffic to intercept responses to your DNS requests and modify them. However, they will still be unable to forge a valid TLS certificate, so your browser will throw a warning. If, however, you are paranoid and want to make sure people on the open Wi-Fi cannot even see your DNS requests, you can enable DNS over HTTPS.

    Attacks against your Machine

    On an open/public Wi-Fi, an attacker can also try to attack your machine directly. For example, they can try to brute-force your password through SMB, or attempt to exploit any recent OS vulnerabilities for which you may not have a patch installed. Obviously, the solution is to keep your system up-to-date. If you're tech-savvy enough, configuring your firewall to block all unwanted incoming connections will help. (On Windows, marking a network as public will tell the OS to close several of the holes in its firewall.) Of course, if your threat model includes zero days, you might want to stay away from public Wi-Fis altogether.

    Note that, contrary to what some older posts on this site might imply, VPNs are not the solution to any of these problems.
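    As an added example in Python (not part of the question or the answer above): a client context that enforces the TLS 1.3-only policy the question proposes, plus a parser for the Strict-Transport-Security header that decides whether a site's HSTS policy is long-lived enough to keep a browser on HTTPS, which is what defeats the stripping attack the answer describes. The sample header values and the one-year threshold are constructed assumptions, not measurements of any real site.

```python
import ssl
from typing import Optional


def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.3 and still verifies certificates."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # create_default_context already sets check_hostname=True and CERT_REQUIRED,
    # so a forged certificate (e.g. after a spoofed DNS answer) is still rejected.
    return ctx


def parse_hsts(header: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797); directive names are case-insensitive."""
    policy = {"present": False, "max_age": 0, "include_subdomains": False, "preload": False}
    if header is None:
        return policy
    policy["present"] = True
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_protects(headers: dict, min_age: int = 31536000) -> bool:
    """True when the response carries an HSTS policy of at least min_age seconds (assumed: one year).

    A short or absent max-age means the browser will forget the policy and may again
    follow a plain-HTTP link on a later visit, which is the window a stripping attack uses."""
    hdr = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(hdr)
    return policy["present"] and policy["max_age"] >= min_age


# Constructed sample responses (not captured from real sites).
SAMPLE_HEADERS = {
    "hardened": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "short-lived": {"strict-transport-security": "max-age=300"},
    "no-hsts": {"Content-Type": "text/html"},
}
```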
