What an Attacker Can Actually See When They’re “Sniffing” the Traffic on an Open Network?

When you connect to an open network—like the Wi-Fi at a local coffee shop or an airport—you are essentially sharing a digital “room” with everyone else on that network. Without the barrier of individual encryption keys, your data packets are often flying through the air in a way that others can intercept.

Here is a breakdown of what an attacker can actually see when they’re “sniffing” the traffic on an open network.


1. Metadata: The Digital Paper Trail

Even if you are using encrypted services (like WhatsApp or HTTPS websites), you still generate metadata. Think of this as the information on the outside of an envelope; the attacker might not see the letter inside, but they see who it’s from and where it’s going.

  • IP Addresses: Attackers can see the destination IP of every service you contact. By looking up these IPs, they can identify that you are communicating with servers owned by Netflix, a specific bank, or a dating app.
  • Packet Timing and Size: By analyzing the frequency and size of data bursts, attackers can sometimes guess what you are doing (e.g., streaming video vs. typing in a chat).
  • Device Information: Your device broadcasts a MAC address and a “hostname” (like “Mike’s iPhone”), which helps an attacker profile who you are and what hardware you’re using.

2. DNS Requests: The Phonebook of the Web

DNS (Domain Name System) is often the weakest link. Most devices still send DNS queries in plaintext (unencrypted, normally over UDP port 53), so anyone on the same network can read them.

  • The Exposure: Before your browser connects to example.com, it asks the network, “Where is example.com?” Anyone listening can see exactly which websites you are attempting to visit.
  • DNS Spoofing: An attacker can not only see these requests but can also “race” to answer them first. They can send your device a fake IP address, redirecting you to a malicious version of a site (like a fake login page) without you ever realizing the redirect happened.
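As an added illustration (this code is not from the article), the following Python parses a DNS query and its answers straight from the wire bytes, which shows that the queried name is readable by anyone on the path, and then applies the defender's view of the "race" described above: if two responses arrive for the same transaction ID and disagree on the answer, something is wrong. The packets are constructed inside the script using documentation IP addresses (192.0.2.10 and 198.51.100.7), not captured traffic; the helper names are this example's own.

```python
import struct


def build_query(name, txid):
    """Construct a minimal DNS A query (sample data, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Construct a response to `query` with one A record for `ip` (sample data)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = query[12:]
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_name(data, offset):
    """Decode a DNS name (handling compression pointers); return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = parse_name(data, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_packet(data):
    """Return the transaction id, direction, questions and A-record answers of a packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # IPv4 address record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def find_conflicting_answers(packets):
    """Map each transaction id that received more than one distinct answer set to those sets."""
    seen = {}
    for pkt in map(parse_packet, packets):
        if pkt["is_response"]:
            seen.setdefault(pkt["txid"], set()).add(tuple(pkt["answers"]))
    return {txid: sets for txid, sets in seen.items() if len(sets) > 1}


# Constructed sample exchange: one query, the legitimate reply, and a second, conflicting reply.
QUERY = build_query("example.com", 0x1234)
LEGIT = build_response(QUERY, "192.0.2.10")
CONFLICT = build_response(QUERY, "198.51.100.7")

if __name__ == "__main__":
    print("query asks for:", parse_packet(QUERY)["questions"])
    print("conflicts:", find_conflicting_answers([QUERY, LEGIT, CONFLICT]))
```

Seeing two answers for one transaction is the observable side effect of the race, which is why resolvers and monitoring tools treat it as a signal; moving queries to an encrypted transport (DNS over HTTPS or DNS over TLS) removes both the exposure and the chance for a bystander to answer first.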

3. Browsing Activity: HTTP vs. HTTPS

The level of detail an attacker sees depends heavily on whether the site uses encryption.

Unencrypted Traffic (HTTP)

On an old or poorly configured site using standard HTTP, an attacker sees everything:

  • The exact URLs of the pages you view.
  • The text you type into forms.
  • Session Cookies: These are the most dangerous. If an attacker steals your session cookie, they can paste it into their own browser and “clone” your login session, accessing your account without needing your password.
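Because session cookies are the prize on an HTTP site, the practical defence is to make sure they are never sent in plaintext at all. The following Python is an added example (not code from the article): it reads the Set-Cookie headers out of a constructed HTTP response, reports which hardening attributes each cookie lacks, and shows the corrected header. The response text and cookie values are invented for the demonstration, and the function names are this example's own.

```python
# Constructed HTTP response used as sample input; not a real server's output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Attribute (lowercased key) -> text to append when it is missing.
REQUIRED = {
    "secure": "Secure",           # never sent over plaintext HTTP
    "httponly": "HttpOnly",       # not readable by page scripts
    "samesite": "SameSite=Lax",   # not attached to most cross-site requests
}


def parse_set_cookies(raw_response):
    """Return every Set-Cookie header value from a raw HTTP response string."""
    head = raw_response.partition("\r\n\r\n")[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(header_value):
    """Split 'name=value; Attr; Attr=val' into (cookie name, {lowercase attr: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return cookie_name, attrs


def audit_cookie(header_value):
    """List the hardening attributes a single Set-Cookie header is missing."""
    _, attrs = cookie_attributes(header_value)
    return [label for key, label in REQUIRED.items() if key not in attrs]


def audit_response(raw_response):
    """Map each cookie name in the response to its list of missing attributes."""
    return {cookie_attributes(v)[0]: audit_cookie(v) for v in parse_set_cookies(raw_response)}


def harden(header_value):
    """Return the header with any missing Secure/HttpOnly/SameSite attribute appended."""
    missing = audit_cookie(header_value)
    return header_value if not missing else header_value + "; " + "; ".join(missing)


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE).items():
        print(name, "missing:", missing or "nothing")
    print(harden("sessionid=abc123; Path=/"))
```

In the sample, `sessionid` is exactly the cookie the section warns about: without `Secure` the browser will attach it to any plain HTTP request for the site, where a bystander can read it. `Secure` fixes that directly; serving the site only over HTTPS (and sending a Strict-Transport-Security header) removes the plaintext channel altogether.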

Encrypted Traffic (HTTPS)

Most modern web traffic uses TLS/SSL (HTTPS). In this case:

  • The Content is Hidden: Your passwords, messages, and specific sub-pages are encrypted.
  • SNI (Server Name Indication): Even with HTTPS, the initial “handshake” often reveals the domain name you are connecting to in plaintext. So, while they can’t see what you’re buying on Amazon, they definitely know you are on Amazon.

Summary Table: What is Visible?

Feature               | Open Network (No VPN)      | With a Secure VPN
----------------------+----------------------------+------------------------
Website Domains       | Visible (via DNS/SNI)      | Hidden
Specific Page URLs    | Visible on HTTP sites      | Hidden
Passwords/Forms       | Visible on HTTP sites      | Hidden
Device Name/MAC       | Visible                    | Visible to local router
Actual Data Content   | Encrypted if using HTTPS   | Double Encrypted

Would you like me to walk you through how to configure a device to use “DNS over HTTPS” (DoH) to help hide your browsing requests on public networks?
