← All sample lessons

Shared lesson

Best Practices for Public Networks: Threat Models and Layered Defenses

60 min · 1.3

Objective

Students will analyze the risks of public Wi-Fi networks (open networks, MITM, rogue APs, evil twins) and evaluate layered defensive controls (disable auto-connect, HTTPS-only, VPN) by assessing scenario-based risks and recommending specific mitigations at AP-exam rigor.

Hook

5 min

Open with a live scenario. Say: 'You're at the airport with a 90-minute layover. Your phone shows three networks: FreeAirportWiFi (open), BOS-Airport-Guest (open, has a captive portal with the airport logo), and BOS-Airport-Guest (also open, no captive portal). Which do you connect to, and what do you do first once connected?' Take 60 seconds of table talk, then cold-call two students. Push back on any answer: 'Why do you trust that SSID? What proves the logo is real?' The goal is to surface the assumption that a familiar name or a nice portal page equals safety. Land the hook by revealing that in a 2020 Coronet report, over 1,000 US airport networks were classified as high-risk, and evil-twin hotspots at Heathrow and DFW have been documented harvesting credentials. Frame today: we will build a threat model for public Wi-Fi and evaluate which defenses actually block which attacks.

Direct instruction

  1. 7m

    The public-network threat model: open networks, sniffing, and MITM

    Content

    On an open Wi-Fi network, frames between clients and the AP are unencrypted at layer 2, so any device in radio range running a tool like Wireshark in monitor mode can capture other users' packets — this is packet sniffing. A password-protected public network is only marginally better: WPA2-Personal with a shared PSK means every user who knows the password can derive session keys and, if they capture the 4-way handshake, decrypt neighbors' traffic. That is why 'it has a password' is not the same as 'it is private.' A man-in-the-middle attack goes further: the attacker positions between you and the gateway (via ARP spoofing on the LAN, or by being the AP itself) and relays traffic while reading or modifying it. Concrete example: a user loads http://news.example.com over an open network. The attacker sees the full request, injects a redirect to a fake login page, and captures the credentials. If the same user had loaded https://news.example.com, the attacker still sees the SNI and IP but cannot read the body or forge a valid certificate — TLS breaks the attack.

    Delivery

    Anchor everything to the diagram on the slide showing user → AP → internet with an attacker tapping the wireless segment. Emphasize the AP course skill of analyzing risk: likelihood is HIGH on open Wi-Fi because the attack requires only physical proximity and free software; impact depends on what protocols the victim uses. Ask: 'If every site you visit is HTTPS, what can the attacker still learn?' (Answer: destination domains via SNI/DNS, timing, volume.) Pre-empt the misconception that a password on the network equals privacy — state it directly: a shared password does not protect you from the other people who also have that password.

  2. 6m

    Rogue access points and evil twins

    Content

    A rogue access point is any AP an attacker controls that clients associate with. The evil twin is the sharpest version: the attacker sets up an AP broadcasting the exact SSID of a legitimate hotspot — 'Starbucks WiFi', 'BOS-Airport-Guest' — often with a cloned captive portal. Clients auto-connect to the strongest signal with a matching remembered SSID, so simply sitting closer to the victim with a stronger transmitter can win the association. Once connected, the attacker IS the network: they see every DNS query, can strip HTTPS on non-HSTS sites (SSL stripping), and can serve a fake portal that asks for an email password 'to verify your account.' The reason auto-connect is dangerous: your phone stored 'BOS-Airport-Guest' as trusted after your last trip; today an evil twin with that SSID makes your phone join silently, before you even open it. Real case: the 2022 Australian Federal Police charged an attacker who flew domestically running fake in-flight and airport SSIDs like 'Qantas Free WiFi' and harvested 12+ users' credentials via a spoofed portal.

    Delivery

    The slide shows a user between a legitimate AP and an evil-twin AP with identical SSIDs. Ask students: 'What information could you use to tell them apart?' Elicit that BSSID (MAC) differs, but users never check it; certificate warnings on the portal are the practical tell. Directly correct the misconception: an official-sounding SSID proves nothing — SSIDs are not authenticated. Tie to Skill Category 1: likelihood rises in crowded venues, impact scales with what users do on the connection.

  3. 7m

    Layered defenses: disable auto-connect, HTTPS-only, VPN — and what each does NOT do

    Content

    No single control blocks every public-network threat, so security relies on layered defenses. Bottom layer — behavior: disable automatic connection and 'forget' open networks after use, so your device does not silently associate with an evil twin. Middle layer — application encryption: enable HTTPS-Only Mode (Firefox, Chrome, Edge all support this) so the browser refuses to send plaintext HTTP; this defeats SSL stripping and passive sniffing of page contents. Top layer — transport tunnel: a VPN encrypts every packet leaving the device to a trusted VPN server, so the local AP (even an evil twin) sees only ciphertext to a single IP. Critically, know what a VPN does NOT do: it does not authenticate you to the sites you log into, it does not protect you if your endpoint is already compromised with malware, and it does not make you anonymous to a service where you sign in with your real account. And HTTPS still matters WITH a VPN, because the VPN provider itself sees your traffic if TLS is not present — you have simply moved trust from the coffee shop to the VPN company. Worked reasoning for an AP-style item: 'A user connects to open Wi-Fi, enables a VPN, then logs into a banking site over HTTPS.' Which threats are mitigated? Sniffing on the local segment — yes (VPN + HTTPS). Evil twin capturing plaintext — yes. Bank account compromise via phishing email opened on the same device — no (endpoint / user layer).

    Delivery

    The slide shows the layered-defense stack graphic. Walk up the stack; at each layer state one threat it blocks and one it does not. Directly refute two misconceptions: VPN ≠ anonymity and HTTPS is still necessary under a VPN. Tie to Skill Category 2 Mitigate Risk: AP will ask students to select controls that address specific vulnerabilities, not just list controls. Ask: 'If a student says "I use a VPN so I don't need HTTPS," what is the counterexample?' (VPN provider or exit node observing plaintext; VPN dropping and traffic failing open.)

  4. 22m

    Activity block (see activities section)

    Content

    This block is the two-part activity: Part A risk-assessment matrix, Part B MITM diagram annotation. See activities[0].

    Delivery

    See activities[0] for facilitation notes, timing, and expected outputs.

  5. 6m

    Pre-lab prep for next class: Wi-Fi Traffic Capture & Defense Lab

    Content

    Next class we run a Wi-Fi Traffic Capture & Defense Lab in the computer lab. Each pair will (1) use Wireshark on a pre-recorded .pcap file from an open network capture to identify one unencrypted HTTP login, one DNS query, and one HTTPS session, and (2) reconfigure a lab laptop's Wi-Fi settings — disable auto-connect, forget saved open networks, enable HTTPS-Only Mode, and connect through the school's approved VPN client — documenting each change with a screenshot and one-sentence justification. Safety and ethics: we capture ONLY on the isolated lab network with instructor-provided pcaps; capturing on the school's production Wi-Fi or any network you do not own is a federal offense under 18 U.S.C. § 2511 (Wiretap Act) and violates school policy — the lab is scoped so you cannot accidentally do this. To prepare: review the vocabulary list, install Wireshark on your assigned lab laptop (already imaged, but confirm it launches), and read the 2-page Wireshark HTTP-vs-HTTPS primer posted in the LMS.

    Delivery

    State the two pre-lab priming questions students must answer in their notebooks tonight and bring to class: (1) 'In a Wireshark capture on open Wi-Fi, which fields of an HTTP POST request are visible to a sniffer, and which are hidden if the same site loads over HTTPS?' (2) 'A classmate says the lab is pointless because they always use a VPN. Give one concrete finding from tomorrow's capture that would still matter to them.' Emphasize the legal boundary firmly — this is a professional-conduct expectation, not a suggestion.

Activities

  1. 22m

    Public-Network Risk Assessment + MITM Diagram AnnotationLab

    Students work in pairs on a two-part handout. Part A (12 min) is a risk-assessment matrix targeting AP Skill Category 1 Analyze Risk. Part B (10 min) is a MITM diagram annotation targeting AP Skill Category 2 Mitigate Risk. Circulate and press pairs on the WHY of each defense — 'why does HTTPS help here even though there's a VPN?' Debrief the last 3 minutes by cold-calling one pair per scenario. Targets AP Skill Categories 1 (Analyze Risk) and 2 (Mitigate Risk). Student handout — Public-Network Risk Assessment Part A — Risk-assessment matrix (pairs, 12 minutes) For each scenario below, complete four columns: - Primary threat (name it: sniffing, MITM, evil twin, rogue AP, session hijacking) - Likelihood (Low / Medium / High) — justify in ≤ 10 words - Impact (Low / Medium / High) — justify in ≤ 10 words - Best single defensive control — pick ONE and explain in one sentence why it addresses THIS threat Scenarios: 1. Maya opens her laptop at a coffee shop, sees 'CoffeeShop_Guest' (open, no password), and connects to check her Gmail at https://mail.google.com. Her browser has HTTPS-Only Mode on. 2. Ravi is at Logan Airport. His phone auto-connects to 'BOS-Airport-Guest' (a network he used last month). He opens the airline app and logs in. He does not know an attacker two gates away is broadcasting the same SSID with a stronger antenna. 3. Priya is at a hotel. The Wi-Fi 'Marriott-Guest' requires a room-number login via a captive portal. She turns on her VPN before doing anything else, then browses http://weather.com (plain HTTP). 4. Jordan is on 'Library_Public' (WPA2-Personal, password posted at the desk). He logs into his school portal over HTTPS without a VPN. Another patron on the same network has captured the 4-way handshake. 5. Sam is at a conference. The advertised SSID is 'DEFCON-Official'. Six APs are broadcasting that name. Sam has auto-connect enabled and no VPN. Part B — MITM diagram annotation (pairs, 10 minutes) On the diagram provided (user laptop → wireless link → access point → internet → https://bank.example.com, with an attacker device on the same wireless segment), use colored pens to mark: - Red: every segment where an attacker on the open Wi-Fi can read plaintext if the user browses over HTTP with no VPN - Green: every segment that becomes encrypted if the user enables HTTPS-Only Mode (no VPN) - Blue: every segment that becomes encrypted if the user enables a VPN (no HTTPS) Then answer in 2-3 sentences each: a) With BOTH HTTPS and a VPN enabled, at which point in the diagram is the traffic first decrypted? Who controls that point? b) A classmate argues: 'If I use a VPN, HTTPS is redundant.' Refute this with one specific scenario from the diagram. c) The attacker sets up an evil twin with the same SSID. Which of your three colored layers (red/green/blue) does that change, and why?

    Materials

    • Printed student handout (one per student, content below)
    • Computers with browser access to https://phet.colorado.edu (optional exploration)
    • Colored pens or highlighters (red, green, blue) for diagram annotation
    Example outputs
    • Scenario 2 correct answer: Primary threat = evil twin (auto-connect makes the phone associate silently). Likelihood HIGH (crowded venue, known SSID, auto-connect on). Impact HIGH (airline credentials + payment on file). Best control = disable auto-connect and forget saved open SSIDs, because the attack succeeds ONLY if the phone joins without user confirmation; a VPN alone would not help because the login page could be a spoofed captive portal served before the VPN establishes.
    • Part B (b) sample: 'A VPN only encrypts to the VPN server. If I browse http://bank.example.com under the VPN, the VPN provider — or an attacker who compromised the VPN exit node — sees my session cookie in plaintext. HTTPS keeps the data encrypted from my browser all the way to bank.example.com, so the VPN provider sees only ciphertext to bank.example.com.'
    • Scenario 5 correct answer: Primary threat = evil twin / rogue AP. Likelihood HIGH (six APs broadcasting same SSID = at least five are illegitimate). Impact HIGH (no VPN, auto-connect on, credentials likely). Best single control = do not connect / use cellular tether; if forced to connect, require VPN before any traffic and disable auto-connect.

Formative assessment

8 min
  1. A user connects a laptop to an open Wi-Fi network named 'Cafe_Guest' at a coffee shop. She enables a commercial VPN before opening her browser, then logs into http://forum.example.com (note: HTTP, not HTTPS). An attacker in the shop is running a rogue AP with SSID 'Cafe_Guest' and has captured all traffic her laptop associated to. Which statement BEST describes the attacker's access to her forum login credentials? A) The attacker reads her password in plaintext because the network is open. B) The attacker sees only encrypted traffic to the VPN server and cannot read the password. C) The attacker cannot read the password on the local segment, but the VPN provider (or a compromised VPN exit) can, because the site is HTTP. D) The attacker reads her password because a rogue AP defeats VPN encryption. (Targets Skill Category 1 Analyze Risk.)

    multiple choiceC. The VPN tunnel encrypts traffic between the laptop and the VPN server, so the rogue AP on the local wireless segment sees only VPN ciphertext (eliminates A and D). However, the VPN only protects the transport to the VPN server; from the VPN exit onward, traffic travels as it was originally — and because forum.example.com is HTTP, the credentials are in plaintext at the VPN exit and beyond. B is wrong because it ignores what happens past the VPN server. This is the exact reason HTTPS is still required under a VPN.
  2. Explain in 3-5 sentences how a VPN protects data on an open Wi-Fi network AND describe two specific things a VPN does NOT protect against. Use at least one concrete example. (Targets Skill Category 2 Mitigate Risk.)

    short answerA VPN builds an encrypted tunnel from the endpoint to a trusted VPN server, so any device on the local wireless segment — including an evil-twin AP or another user running packet sniffing — sees only ciphertext to a single IP address, defeating passive sniffing and local MITM. However, a VPN does NOT (1) protect the endpoint itself: malware or a phishing page opened on the laptop still steals credentials regardless of the tunnel; and (2) provide anonymity or protection at the destination: if the user logs into their real Gmail account, Google still knows exactly who they are, and if the site is HTTP the VPN exit sees plaintext. Example: enabling a VPN in an airport does nothing to stop a user from typing their password into a spoofed captive-portal page rendered before the VPN establishes.
  3. You are advising a colleague who travels weekly and uses hotel and airport Wi-Fi. Her current plan: 'I use hotel Wi-Fi with the room password, my phone auto-connects to networks I've used before, I enable my VPN when I remember, and I trust HTTPS to protect me otherwise.' Identify the TWO most serious weaknesses in this plan and, for each, recommend a specific configuration change AND explain which threat the change mitigates. (Targets Skill Categories 1 and 2.)

    short answerWeakness 1: Auto-connect to previously-used SSIDs. An evil-twin AP broadcasting a stored SSID (e.g., 'Marriott-Guest') causes the phone to associate silently, before any VPN starts, exposing the captive-portal login and any auto-launching app traffic. Change: disable auto-connect and delete/forget saved open SSIDs after each trip; require manual join. Mitigates: evil-twin / rogue AP attacks that rely on silent association. Weakness 2: VPN used inconsistently ('when I remember'). On the sessions she forgets, all traffic is exposed to the local network — including any HTTP sites, DNS queries revealing browsing, and any app that fails to enforce TLS. Also, trusting the hotel's shared room password provides no protection from other guests on the same PSK network. Change: configure the VPN client to auto-connect on any untrusted Wi-Fi (kill-switch on) AND enable HTTPS-Only Mode in the browser as a second layer. Mitigates: passive sniffing, local MITM, and SSL stripping on non-HSTS sites — layered so a VPN dropout does not immediately expose plaintext.

Vocabulary

public Wi-Fi / open network
A wireless network that anyone within range can join, often with no password or a shared password; other users on the network can potentially observe traffic.
man-in-the-middle (MITM)
An attack in which an adversary secretly relays and possibly alters communication between two parties who believe they are talking directly.
packet sniffing
Capturing wireless or wired frames off the network to inspect their contents; trivial on open Wi-Fi and against unencrypted protocols.
rogue access point
An unauthorized AP added to a network (or standing alone) by an attacker to lure clients and intercept their traffic.
evil twin
A specific rogue AP that copies the SSID (and often the captive portal) of a legitimate hotspot to trick users into associating with it.
SSID
The human-readable name broadcast by a Wi-Fi network; SSIDs are not authenticated, so any AP can advertise any name.
captive portal
The web page that intercepts a new client and requires terms acceptance or login before granting internet access; commonly spoofed by evil twins.
VPN
A virtual private network that builds an encrypted tunnel from the endpoint to a trusted server, protecting data in transit from the local network and ISP — but not from the destination site or a compromised endpoint.
HTTPS / encryption in transit
TLS-encrypted HTTP that protects request contents and integrity between browser and web server, even if the underlying network is hostile.
session hijacking
Stealing a valid session token (e.g., a cookie) captured from unencrypted traffic to impersonate a logged-in user without needing the password.

Common misconceptions

  • 'If the network has a password, it's private.' Wrong — WPA2-Personal with a shared PSK lets any user who knows the password (i.e., every other patron) capture the 4-way handshake and decrypt neighbors' traffic. A password gates access; it does not isolate users from each other.
  • 'A VPN makes me anonymous and safe.' Wrong — a VPN protects data in transit to the VPN server only. It does not hide your identity from services you log into with your real account, does not protect a malware-infected endpoint, and moves trust to the VPN provider rather than eliminating it.
  • 'An official-sounding SSID (Starbucks WiFi, BOS-Airport-Guest) proves the AP is legitimate.' Wrong — SSIDs are not authenticated. Any AP can broadcast any name, and evil-twin attacks specifically exploit users' trust in familiar names, sometimes cloning the captive portal as well.
  • 'Once my VPN is on, HTTPS is redundant.' Wrong — the VPN tunnel terminates at the VPN provider's server. Past that point, unencrypted HTTP is visible to the VPN provider, the exit-node network, and every hop to the destination. HTTPS keeps encryption end-to-end from browser to origin server, which is why the layers stack rather than substitute.

Materials checklist

  • Printed handouts (Part A scenarios + Part B MITM diagram), 1 per student
  • Red, green, and blue pens or highlighters, 1 set per pair
  • Projector for slide deck
  • Computers/laptops (for optional exploration and pre-lab Wireshark install check)
  • Lesson slide deck (auto-generated from this plan)