Can free Wi-Fi hotspot providers snoop on HTTPS communications?

Generally speaking†, one cannot intercept HTTPS communications.

However, a hot-spot provider can do the following:

  1. See the hostnames you want to connect to from your DNS requests
  2. See the IP addresses you connect to
  3. If you type in say http://yourbank.com, hoping for a redirect to https://yourbank.com, the hot-spot owner can intercept that and redirect you or serve you their own content. This is one reason why HSTS exists. If the site uses HSTS or you type in https://yourbank.com or you use a VPN you are fine.

† With the following assumptions:

  1. the site gets a reasonable score on https://www.ssllabs.com/ssltest/
  2. the browser gets a reasonable score on https://www.ssllabs.com/ssltest/viewMyClient.html
  3. the user doesn't override cert warnings

Tags:

Wifi

Tls

Snooping

Related

Bank complains about rooted Android. Is it really any worse than a Windows desktop? Will same-site cookies be sufficent protection against CSRF and XSS? Can governments intercept end-to-end encrypted Whatsapp communication through lawful interception? Why is it considered safe to install something as a non-root user in Linux environments? How can the nmap tool be used to evade a firewall/IDS? What are the disadvantages of using public key cryptography when encrypting files? How can I tell if a PDF file I was sent contains malware? I almost searched my password, but didn't press enter. Is my password at risk, because of autocomplete or anything else? Could keystroke timing improve security on a password? How do I remove my website from the malware database? Does FTPS (FTP+S) offer better security than SFTP on the server side? Can firewalls decrypt SSL packets?

Recent Posts