Securing TLS 1.3 on Public Wi-Fi

TL;DR

TLS 1.3 is generally very secure, even over open (unencrypted) Wi-Fi networks. However, it’s not foolproof. You need to be aware of potential risks like rogue access points and ensure your devices are up-to-date with the latest security patches. This guide explains how to maximise your security.

Understanding the Risks

Open Wi-Fi networks don’t encrypt the data transmitted between your device and the access point. TLS 1.3 encrypts the data *between you and the website/service*, but someone on the same network could still try to intercept or manipulate that connection before it’s encrypted (a ‘man-in-the-middle’ attack). Here’s how to protect yourself:

Steps to Secure Your Connections

1. Verify Website Certificates: Always check the website address starts with https:// and that your browser shows a valid security certificate. Look for the padlock icon in the address bar.
   • Clicking the padlock usually allows you to view certificate details – ensure it’s issued to the correct domain.
2. Use a VPN: A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a VPN server, protecting all your internet traffic, even before TLS 1.3 kicks in.
   • Choose a reputable VPN provider with a strong privacy policy.
   • Most operating systems have built-in VPN support or apps available for download.
3. Beware of Rogue Access Points: Criminals can set up fake Wi-Fi networks that look legitimate (e.g., ‘Free Airport WiFi’). These are designed to steal your data.
   • Avoid connecting to unfamiliar or suspiciously named networks.
   • Confirm the network name with staff if possible.
4. Keep Your Software Updated: Regularly update your operating system, browser, and other software.
   • Updates often include critical security patches that address vulnerabilities in TLS 1.3 implementations or related protocols.
   • Windows: Check for updates via Settings > Update & Security > Windows Update.
   • macOS: System Preferences > Software Update.
   • Android/iOS: App Store/Play Store automatic updates are recommended, and ensure your OS is current.
5. Check Your Firewall Settings: Ensure your device’s firewall is enabled.
   • This helps block unwanted connections and potential attacks.
   • Windows Firewall: Search for ‘Firewall’ in the Start menu.
   • macOS Firewall: System Preferences > Security & Privacy > Firewall.
6. Use Multi-Factor Authentication (MFA): Enable MFA wherever possible.
   • Even if someone intercepts your password, they’ll need a second factor (e.g., code from an app) to access your accounts.
7. Inspect Network Connections (Advanced): You can use tools like Wireshark to examine network traffic and verify TLS 1.3 is being used.

   wireshark

   • This requires technical knowledge of networking protocols. Look for the ‘TLSv1.3’ protocol in the packet details.

Checking TLS Version (Command Line)

You can verify the TLS version used by a website using OpenSSL:

openssl s_client -connect example.com:443

Look for the line ‘Protocol : TLSv1.3’ in the output to confirm TLS 1.3 is being used.