This site is supposed to give a simple overview over the different Wi-Fi encryption standards. None of this protects against the operators of the network, but at least they may have a good reputation to lose.
Most public Wi-Fi hotspots are completely unencrypted. This means that all information sent between your device and the access point is encapsulated only in some metadata (e.g. which device send the data and which other device should received the data). Since reading and processing data converts electricity into heat (a.k.a. ‘consumes energy’), wireless network cards are built by the manufacturer to discard everything that is not addressed to them. With smartphones and many laptops it is no longer possible to configure the device to process all packets (monitor mode). Of course, this doesn’t stop criminals from simply using a suitable Wi-Fi dongle or a so-called software-defined radio. This gives them the opportunity to record and analyze all the data that is exchanged. Even though access to most websites on the Internet is encrypted trough TLS nowadays, metadata can still be intercepted without any problems. This includes, for example, which servers you connect to in the first place. Even though a potential attacker cannot see what you are doing on a website, they can see that you are visiting the website in the first place. In the same way, an attacker can largely figure out which apps you have installed on a smartphone, simply because most apps connect to the corresponding servers.
WPA and WEP
WPA and WEP were supposed to provide some basic encryption but nowadays are completely unsafe and should not be used. If you still have a device that only supports WPA or WEP, it probably has many other security issues as well.
Private Wi-Fi networks have been using WPA2-Personal almost universally for a long time. WPA2-Personal uses the password as a “pre-shared key” (PSK) to encrypt and decrypt the packets between all participants. Although this often works well, the problem is that anyone who has the password can decrypt the traffic. This is not a big problem with a private Wi-Fi as long as the password is secret. However on a public hotspot, e.g. in a shopping mall or hotel, the password can easily be obtained by an attacker. Since an attacker can eavesdrop on them just as easily as an open Wi-Fi, using WPA2 Personal for public hotspots does not provide any security gain. Also, there is a known exploit called “key reinstallation attack” (KRACK), which was discovered in 2017 and essentially affects all devices that have not received an update since then.
WPA2-Enterprise differs from WPA2-Personal in that it creates a new secure connection for each device. The access point (or rather the “RADIUS server”) has a database with separate credentials for each user. These credentials consist of a username and either a password or a public key certificate (X.509). As the name suggests, it is mainly used in enterprises and similar environments such as universities (it is also used in eduroam). Apart from the “key reinstallation attack” (KRACK) another problem with WPA2-Enterprise is that it is quite complicated to use.
WPA3-Personal is similar to WPA2-Personal in that it uses only a simple password, but is similar to WPA2-Enterprise in that it creates a new secure connection for each device. This means no other device can simply listen in on the right frequency and read all traffic, even if it has the password. Guessing the password is also harder, as the attacker needs to establish a new connection for each try. Of course, this does not protect against an active attacker, who also sends out packets himself and, for example, creates another Wi-Fi network with a similar name and tries to get you to use that Wi-Fi network instead. However, such behavior could be noticed by other people and also by the original access point itself. There also is a mixed WPA3/WPA2-Personal mode.
WPA3-Enterprise is used similarly to WPA2-Enterprise, but uses more modern encryption. There is also a mixed WPA3/WPA2-Enterprise mode.
Opportunistic Wireless Encryption (OWE) is similar to OPEN in that no password is required to access the network. However, the connection is secured with a new secure connection for each device, similar to WPA3-Personal, WPA3-Enterprise and WPA2-Enterprise.
For home usage:
- If your access point and all your other devices support it, WPA3 Personal is the best option.
- If your access point supports it but not all devices, you can create a main WPA3 Network and a seperate WPA2 Network for older devices.
- If your access point does not support WPA3 at all, WPA2 is kind of still fine for use at home.
For public hotspots:
- If your access point supports it, add an OWE-Network.
- Keep the old and unsecure OPEN-Network, as there are still many devices out there with old software :(