
Public Wi-Fi can alarm your browser, don't let it alarm you

Rob Pegoraro
Special for USA TODAY
  • Hot spot will provide a connection, but re-route to a login page
  • Access pages were set up to combat security fraud
  • Tip: Google has settings that will disable private search results

Question: Why do Facebook, Twitter and other secure sites freak out the first time I connect to a Wi-Fi network that makes me log in over the Web?

Answer. I know this routine all too well. You open a laptop, connect to the free Wi-Fi at an airport, hotel, train or convention center — and boom, a bunch of pages in the Web browser flip out with scary warnings about unverified site identities. Then you click through the Wi-Fi network's log-in page in your browser, and the warnings go away.

What just happened can be confusing, alarming, or just irritating. But it also shows your browser's security working as it should.

That's "security," not just "encryption." Before your browser can scramble data sent to a site to thwart snooping attempts (any three-letter government agencies come to mind?), it must confirm that it hasn't reached an impostor — like first checking somebody's ID prior to chatting in a made-up language.

Wi-Fi networks with Web logins break this chain. They will provide a working connection right away — then re-route most Internet traffic to that login page. Once you enter a password or click an "OK" or "accept" button indicating your understanding that you may not get the world's fastest and most reliable connection, you get full access.

(Most of these pages also feature ads and locally relevant info like an airport's list of departing flights. Non-browser Wi-Fi logins, where the hot spot needs your device's regular wireless software to cough up a password, are simpler but don't allow for those possibilities.)

Until you pass this "captive portal" login, you're guaranteed awkwardness with sites that encrypt connections, identified by a lock icon in the browser toolbar and usually a highlighted "https" prefix before their address.

The first time one of those pages tries to reload, your browser will find that its copy of the site's security certificate no longer has any match on the other end of the connection. Instead, it sees what looks like a "man in the middle" attack — because a wireless network re-routing your traffic matches that definition.

Browsers used to be less alarmist about security mismatches, but years of online fraud changed that. They'll now throw up bold-type alerts that strongly encourage disconnecting and may not even let you click through to the Wi-Fi log-in page.

Non-browser applications like Mac OS X's Mail not only get confused by this runaround but have no way to show you that log-in form.

Christian Gunning, a spokesman for Boingo, a Los Angeles-based operator of public wireless networks, wrote that a hot spot operator can't avoid this when it requires a Web login.

But your browser still won't be able to keep a secure connection to Facebook, Gmail, Twitter and other sites that use full-time encryption until you complete your login to the hot spot.

Remember that outside of this scenario, the call-and-response process needed to set up an encrypted connection works amazingly well; in a moment, your browser has not only confirmed that it's talking to the right site but has collaborated with that site to compute a secret formula that scrambles data going between the two.

That provides the same benefit as the "two-step verification" offered by Google, Facebook and others. Instead of relying on a single shared secret — a password — that you must keep using, you generate a second one that expires after one use.

You should also remember that this complex cryptography won't stop two other risks. Somebody could see you typing a password — "shoulder surfing" — and record those keystrokes on video or in their own memory. Or a keystroke logger hidden on your computer could do the same job automatically.

Tip: Double-check Google searches by de-personalizing them

The fusion of privacy policies that Google carried out last year has helped give you search results personalized according to Google's perception of your interests and activities.

That can help, but it may also obscure results that Google incorrectly sees as less relevant to you. To check for that, click the globe icon to the right of your searches, just to the right of a simplified icon of a person.

To have Google stop showing personal results from now on, click the gear icon at the top right, select "Search settings," and click the button next to "Do not use private results."

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.
