1

I'm taking a trip soon and want to figure out how safe it is to use public wifi for services. A common piece of security advice I've found about public wifi (example) is don't log into things, because it's easy for others to snoop on what you're doing. More specifically, they say don't type your username/password into a login form and hit the submit button, or access any sensitive data like bank accounts.

But what if I logged into a service on my private home network, never cleared the session and want to continue using the service from public wifi after I leave the house? I'm thinking like Dropbox or Pandora or Netflix. If I don't need to type in my password and hit send, is that safer/safe enough? Would it make a difference if it's going through a browser or a dedicated app?

EDIT:
While I appreciate the answers so far they seem geared towards real computers and I want to clarify I'm thinking about my Android phone. Thus my question about apps, because I have no idea how to tell if an app is using HTTPS or what.

Traveler

2 Answers

2

If the site you are visiting uses HTTPS for the entire site (not just the login page) and you check that it actually is using HTTPS, with a valid certificate (e.g., no warnings about a bad certificate) and it is the URL you want to go to, then you are safe.

(Except against extremely strong adversaries like governments who have the ability to coerce Certificate Authorities into signing fraudulent certificates or giving them the ability to sign them. But at this point, these strong adversaries can do these malicious changes at the ISP level, so you are screwed either way).

If the site isn't using HTTPS, any data you send or receive may be eavesdropped or easily changed by an attacker.

You should also be extremely careful about downloading and installing anything that didn't come over HTTPS when on public wifi (though you probably should be cautious about this regardless). E.g., if you install a browser plugin or command-line instructions that came over regular HTTP, it would be possible for an attacker to modify the plugin (to for example run on all webpages and send every form submission to some random domain it controls to steal your passwords / credit card info / etc).

EDIT: While I appreciate the answers so far they seem geared towards real computers and I want to clarify I'm thinking about my Android phone. Thus my question about apps, because I have no idea how to tell if an app is using HTTPS or what.

You could try using a network packet catcher (like Wireshark) to see if the apps are communicating using only encryption (e.g., look for HTTPS protocol). Most major vendors should be using HTTPS for their apps if they use HTTPS for their website everywhere else, but you can't be sure (and it's safer to assume it doesn't). You mentioned Dropbox, and Dropbox for example states they use network encryption (TLS) everywhere between their apps, so you are safe to use Dropbox (assuming they are checking certificates correctly).

If you are unsure of a mobile app you can often use the mobile HTTPS site in your web browser instead.

dr jimbob
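
An added example, not part of the original answer: one way to do the capture check described above offline, by classifying the first client-to-server bytes of each connection as a TLS ClientHello or plaintext HTTP. The app names, host names and payloads are constructed, and `build_client_hello` exists only to produce sample input.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def sni_from_client_hello(p):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    try:
        i = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
        i += 1 + p[i]                               # skip session id
        i += 2 + struct.unpack_from("!H", p, i)[0]  # skip cipher suites
        i += 1 + p[i]                               # skip compression methods
        end = i + 2 + struct.unpack_from("!H", p, i)[0]
        i += 2
        while i + 4 <= min(end, len(p)):
            ext_type, ext_len = struct.unpack_from("!HH", p, i)
            if ext_type == 0:                       # server_name: list len, type, name len, name
                n = struct.unpack_from("!H", p, i + 7)[0]
                return p[i + 9:i + 9 + n].decode("ascii")
            i += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                 # truncated or malformed hello
    return None

def classify(payload):
    """Classify the first client-to-server bytes of one TCP flow."""
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 1:
        return ("tls", sni_from_client_hello(payload))   # handshake record, ClientHello
    if payload.startswith(HTTP_METHODS):
        hosts = [ln[5:].strip().decode("ascii", "replace")
                 for ln in payload.split(b"\r\n") if ln.lower().startswith(b"host:")]
        return ("plaintext-http", hosts[0] if hosts else None)
    return ("unknown", None)

def build_client_hello(host):
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying only SNI."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)  # version, random, session, suite, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE_FLOWS = {  # constructed first payloads, keyed by hypothetical app names
    "files-app": build_client_hello("api.files.example"),
    "radio-app": b"GET /s?token=abc HTTP/1.1\r\nHost: media.radio.example\r\n\r\n",
    "game-app": b"\x00\x01binary"}

if __name__ == "__main__":
    for app, first in SAMPLE_FLOWS.items():
        print(app, *classify(first))
```

A `tls` result only shows that the connection is encrypted; it does not show that the app validates the server certificate. The host name in the ClientHello is still readable by anyone on the network.
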
0

But what if I logged into a service on my private home network, never cleared the session and want to continue using the service from public wifi after I leave the house?

No, it wouldn't make much of a difference.

What makes a difference, though, is making sure the site you are visiting uses HTTPS and that your email client (if you use a desktop or mobile mail client) is configured to use TLS to access your mail server.

Learn how to verify an SSL certificate (no need to go for the maths, just verification based on what the browser tells you when you click the lock icon in the address bar). Always verify the server's certificate, and that you are in the correct domain name before you enter your credentials.

Also, this should be obvious, but don't ignore any security warnings that the browser or the OS is telling you. If the browser says it can't make a secure TLS connection, leave your business until later.

Don't use services that handle personal information that don't support HTTPS/TLS while using an untrusted network; heck, don't even use them at all.

You also want to make sure you don't reuse passwords between different websites. Especially dangerous is reusing a password between sites that use HTTPS and ones that don't.

You also want to make sure that your system is up to date before leaving home. If you want to update or install software, make sure you download the software over a secure connection. There are ways to verify the authenticity of software/files downloaded over an insecure connection, by checking their cryptographic signature, but if you have to ask this question, then I'll just recommend that you don't even try to, because it's easy to get this wrong and compromise your security.

You should make sure to type https:// when accessing any sensitive websites, to protect against sslstrip-type attacks. Alternatively, bookmark the site or use HTTPS Everywhere.

All of the above are difficult to do consistently, and it is easy to make mistakes. For added security, you may want to enable TOTP Two Factor Authentication (e.g. Google Authenticator app) for services that provide it, so that even if you slipped and someone swiped your password, they'll still be unable to access your account without also stealing your second factor, usually your mobile phone. Many major web services now support 2FA, e.g. Dropbox, Google.

Lie Ryan