Xfinity hotspots are a brand of public WiFi. And all public WiFi has this in common: It’s someone else’s network, and you can’t quickly know whether it’s safe or not. For example:
- Are the network devices configured correctly?
- Are they up-to-date with their security patches?
- Is someone actively exploiting that network as you access it?
- Is the owner of the WiFi network tracking you and selling that data?
Your best bet is to avoid using public WiFi altogether. Instead, use the mobile hotspot provided through your mobile carrier, or tether your laptop to your mobile device.
The whole situation is like a city swimming pool. Just by looking at the water, you can’t tell if it’s clean. You’d need to test the chlorine levels and other factors to know for sure.
Here’s a recent example of a WiFi exploit named KRACK.
A serious flaw in WPA2 protocol lets attackers intercept passwords and much more.
What’s the risk? “Attackers within radio range of vulnerable device or access point can intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting.” Not to mention the ability to directly probe your computer for weakness to exploit.
Will SSL/TLS solve the problems? No: “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” the researchers explained. “For example, HTTPS was previously bypassed in non-browser software, in Apple’s iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
Will using a VPN solve the problems? Only if you’ve chosen very carefully. For example, in one “comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google’s official Play Market finds that the vast majority of them can’t be fully trusted. Some of them don’t work at all.” Since many of the providers are cross-platform, these results are likely true for other devices as well.
Majority of Android VPNs can’t be trusted to make users more secure.
Again, your best answer is to use a mobile hotspot provided through your mobile carrier, or tether your laptop to a mobile device, and avoid using public WiFi altogether.