Don’t Connect to a Public Wi-Fi Network Anywhere You Wouldn’t Go Barefoot

Brendan Ross / CC2.0
Nov. 3, 2016

We’ve all done it. Maybe because of work pressures—you need to catch a plane but are also pushing toward a deadline. Maybe out of sheer boredom—your flight is delayed yet another hour and there is really only so much time you can spend at the airport bar before noon. Whatever the reason, we’ve all been there—stuck in the airport, looking at a list of little Wi-Fi signals, some without the lock next to them, wondering … it couldn’t hurt, could it? Just this once?

Of course, airports aren’t the only place with skeezy Wi-Fi. Coffee shops, parks—bring your device to any public place and see what networks are out there. Your phone is constantly calling out, looking for any Wi-Fi networks it has connected to in the past, and any networks that it might want to connect to in the future. (Your smartphone is definitely in an open relationship with your home network.) Some of these Wi-Fi networks have names you want to trust: OHare Airport Official Wi-Fi, for example. Some definitely scream “stay away”—like GetOffMyLAN. Some are bizarrely complex—Purchase4478_Open3—and some are thoroughly bland—Netgear00. But what do you really know about any of them?

Public Wi-Fi is a lot like the airport. The airport floor, in fact. If you’re good and nerdy, you probably thought I was going to make an analogy about airplanes, terminals, packets, and ports—nope. I want to talk about the airport floor, the part right after you go through the TSA. Thousands of people stream through here every day. Lots of them don’t have their shoes on. They have varying ideas of what “hygiene” means. In a word: gross.

You can’t see the gross stuff on the airport floor, but you wouldn’t walk there barefoot. (Would you? Please don’t.) Similarly, you can’t always see the icky things on public Wi-Fi, but often, they’re there. Things like man-in-the-middle attacks—standing between you and everywhere you connect, picking up your login credentials, logging your behavior, maybe even grabbing secret copies of the files you transfer. Man-in-the-middle attacks might even change where you intended to go on the internet, swapping your visit from the innocuous www.icanhascheezburger.com to something like icanhascheesburger.ru, which offers all the adorable cats with a side of silent spyware.

A man-in-the-middle, or MitM, attack can also try to trick you into giving up your user name and password. It can be executed by anyone who’s compromised the Wi-Fi network—perhaps remotely, but it’s much more likely if you’re in the same physical location, since most Wi-Fi hotspots have about a 50-yard range. I ran into one of these at a restaurant once: I went to log into the Wi-Fi (after starting up my virtual private network, of course—more on that later), and a box popped up asking for my username and password. The box looked legit, but it was generic—it wasn’t tied to any of my accounts or apps. The Wi-Fi was open, so there was no reason I could think of that my credentials would be required. I wasn’t trying to log into an application or website. So my fiance and I started throwing interesting messages into the pop-up box—things like username “yourMom” and password “YourMitMSucks.” After a few minutes, two guys at the bar quickly packed up their computers, looked hastily around, and rushed out the front door. And just like that, the mysterious pop-up boxes vanished as well. It’s a circumstantial case, to be sure—but it didn’t seem like a coincidence to me.

Even if there isn’t an active attack on the network, public Wi-Fi, like the airport floor, is shared with a lot of people. Those people might not have the same sensibilities that you do. They might click on every sketchy email they receive, open every questionable attachment, and infect the network. Your behavior on the network is open to everyone within Wi-Fi range. A few simple tools can be used to collect all the activity on the network—whether you’re giggling at cats falling out of boxes or logging into your bank account. In short, there are a lot of nasty things that can happen on public Wi-Fi—even if you can’t see them.

So you’re back at the airport bar, the public Wi-Fi beaconing to you at full strength. Maybe that report is late; perhaps you owe an article to your Slate editor. Or maybe you’re just bored. Are you doomed to stay in airplane mode before you’ve taken flight? Certainly not. Much like wearing shoes will protect you from the ick on the airport floor, a virtual private network will act as a barrier between you and the unknown hazards of the network. A VPN hides your activity from other people on the network—they can see you’ve connected to the VPN, but your communications are encrypted and you are protected.

How to bring this wonderful technology to your devices? Lifehacker has a well-researched list of “Five Best VPN Service Providers,” emphasizing privacy-preserving features, speed, trustworthiness of the company, and ease of use. Some VPNs are free, others cost a few dollars per month. Like a pair of flip-flops, it’s easy and doesn’t cost too much to get some basic protections.

Using a VPN is an easy step to take—much like wearing shoes—and can go a long way towards protecting your cyber health.

This piece originally ran in Slate's Future Tense, a partnership between New America, Slate, and Arizona State University.