I frequently need to access secure resources (Gmail, banking, remote desktop, etc.) while on public wifi hotspots. What can I do to ensure that nobody can sniff my passwords or my other browsing activity?

  • 2
    Also, a lot of applications these days access the internet outside the browser. There's no way to know if these apps are using https.
    – kenwarner
    Commented Aug 4, 2009 at 15:50



It's a bit complicated, but you can set up a VPN at home and connect to that. That way all your traffic is encrypted.


  • 2
    What kind of performance hit is there with this approach?
    – kenwarner
    Commented Aug 4, 2009 at 17:33
  • 1
    Usually not very big unless your home server or laptop is very old. The main bottleneck would probably be the wifi since the traffic has to go laptop->wifi->home->www->home->wifi->laptop
    – Nifle
    Commented Aug 4, 2009 at 17:49
  • I guess that's more so what I meant. I wouldn't imagine there would be a lot of CPU processing involved, just the delay in jumping through hoops. Will definitely be trying this when I get home. I saw something that some routers have built-in VPN capabilities too.
    – kenwarner
    Commented Aug 4, 2009 at 19:04

Make sure that all of your connections are using SSL. For example, use https://gmail.com instead of http://gmail.com. Same goes for your bank, etc.

  • 9
    And make sure that the SSL certificates are valid. If accessing a known site like Gmail gives you a notification about the certificate validity, don't go any further! It's not very hard for an evil hacker to offer you his own self-signed certificate and pretend to be the site you're trying to access.
    – Kaitsu
    Commented Aug 4, 2009 at 18:04
  • A very important point. It's almost trivially easy for any script-kiddie to do this.
    – Ian
    Commented Aug 4, 2009 at 21:00
  • And make sure that form submit actions are https.
    – jtimberman
    Commented Aug 5, 2009 at 0:18
  • Using https for all webmail sites all the time is advisable (if they don't support it, don't use them). This will at least encrypt data between you and your own inbox. Remember that email is otherwise not encrypted!
    – MGOwen
    Commented Sep 23, 2009 at 2:46
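
An added example, not part of the original answer or its comments: one way to carry out the check that form submit actions are https is to resolve every `<form>` action against the page URL and list the ones that would post over a non-HTTPS scheme. The function names, the sample page and the `example.test` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Records <base href> and, per <form>, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.base_href, self.forms, self._current = None, [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_form_targets(page_url, html):
    """Return (resolved_action_url, has_password_field) for forms not submitted over https."""
    collector = FormCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    findings = []
    for form in collector.forms:
        action = (form["action"] or "").strip()
        # A missing or empty action submits to the page's own URL.
        target = urljoin(base, action) if action else page_url
        if urlsplit(target).scheme.lower() != "https":
            findings.append((target, form["has_password"]))
    return findings


# Constructed sample login page on a hypothetical host, not taken from any real site.
SAMPLE_HTML = """
<form action="/session" method="post"><input type="password" name="p"></form>
<form action="http://mail.example.test/auth"><input name="u"><input type="PASSWORD" name="p"></form>
<form action="//cdn.example.test/search"><input name="q"></form>
<form><input name="newsletter"></form>
"""
```

Called with `https://mail.example.test/login` as the page URL, only the second form is reported; called with the `http://` version of the same page, all four are, because relative, protocol-relative and missing actions inherit the page's scheme.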

The first thing I would recommend is to have your personal firewall turned on. The next thing you want to consider is that you should not enter sensitive information into your browser unless the connection to the website is encrypted. Each browser has a small icon at the bottom to indicate when the connection is encrypted. You can click on this little icon to get more information about the identity of the certificate owner.

As long as you maintain an encrypted session to your website, sniffing the traffic will not prove to be all that useful. Just make sure you keep track of when the site is encrypted and when it is not. If there is ever any doubt as to whether you will be safe, then it is better to err on the side of caution.

  • 1
    If a website doesn't offer an https connection, is there anything else I can do to use that site without potentially being compromised?
    – kenwarner
    Commented Aug 4, 2009 at 15:48
  • 2
    Nothing more to be done unfortunately. http always goes across the wire in the clear.
    – Axxmasterr
    Commented Aug 4, 2009 at 15:50
  • 2
    I'm usually using my home machine over RDP from the outside for things that can't be encrypted. Also you can set up a VPN server or proxy in a trusted location.
    – Joey
    Commented Aug 4, 2009 at 16:36
  • Re: RDP. There are a lot of steps to get it to run securely. See mobydisk.com/techres/securing_remote_desktop.html ... even then, I'd prefer SSH tunneling or a VPN.
    Commented Aug 4, 2009 at 16:57
  • cwrea: This is between two Windows 7 machines here. Note that RDP security has come a long way since Windows XP.
    – Joey
    Commented Aug 4, 2009 at 17:26

In little things, you can force Gmail to use a secured connection:

Login to Gmail > Go to Settings > General > Browser Connection > Always use https


One more thing to be aware of - certain public WiFi locations get you to pay by credit card before you can access the internet. This can be common in hotels.

When you try to browse to the internet, you are redirected to a page where you can enter credit card details and then gain access to the internet.

Beware that some scammers have actually caught onto this and created dummy hotspots (pretending to be a hotel or whatever) to collect credit card information.


A slightly more involved but good solution is to run a PPTP Server from a home PC.

It's easy to set up in Windows, and will encrypt and forward any and all traffic through your Home PC and then out to the internet from your home ISP connection.

There is a performance impact, but for email, and standard web applications, it's not prohibitive on modern hardware.


If you're using a public wifi at a business or educational institution you are affiliated with, it's likely they will also provide a VPN server for you to log in to with your network credentials.

Despite being reasonably common practice, this went pretty much unused at my University.
