I stay at a dorm. I am wondering about the security of the log-in wifi system. I want to know if my browsing history can be seen by the internet-admin that I'm connecting with.
If I install an OS on a virtual machine, will I be safe from the attacker (because I'm still connecting to the public wifi)?
Virtual machines make no difference here.
Assuming the owner/admin of the wifi access point is a average person, and not the NSA:
If the admin is reading the traffic passing his AP, but not doing anything else, HTTPS connections that are properly configured by the website owners are secure (sadly, as lay person, judging the configuration quality is not possible).
HTTP connections are fully readable by the admin.
If the admin starts to modify traffic passing the AP, as before HTTP connections are not protected from anything. This holds in both directions, ie. what you get from the webserver could be faked, and what the webserver gets from you too.
About HTTPS, pay attention to certificate warnings (instead of clicking the away, if the browser allows it). A warning is no proof for maicious activity, but nonetheless, don't proceed.
Thhird point, stop thinking that your wifi traffic is everything. Being connected to some network controlled by an attacker is very helpful to take over your computer completely...
Public Wi-Fi is a horror show in terms of security. The mains risks being:
1) Do you trust the provider? Even if it is not compromised, the access point you connect to is capable of seeing all your traffic. That's everything - from the sites you visit to the passwords the enter. This is done through a man-in-the-middle attack and you might not even notice it.
2) Public wifi probably means a public password. Anyone can spin up a rogue access point which looks exactly like the real thing, this is called an evil twin, if the attacker sets the power high enough, you might not even see the real network. If you connect to this everything you do can be seen by the attacker who owns the rogue AP..
A VM is really of no use, your primary threat here is attackers seeing confidential traffic and your only defence is a VPN.If you use a VPN they won't see the sites you visit, just the connection metadata for your vpn tunnel.
