When using a public network, ensuring security and privacy is paramount. Through an iterative approach, we have developed a practical configuration that maximizes protection while maintaining performance and usability.

The foundation of public network security begins with enforcing HTTPS. Firefox’s built-in feature to block all HTTP connections ensures that no data is transmitted in plaintext, effectively mitigating the risk of man-in-the-middle attacks and network eavesdropping. In tandem with HTTPS enforcement, enabling DNS-over-HTTPS (DoH) encrypts all DNS queries, preventing network operators, ISPs, and malicious actors from snooping on domain resolution requests or engaging in DNS hijacking. Because traditional DNS queries are among the most frequently exploited weaknesses in internet security, encrypted DNS is a critical safeguard.
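One way to confirm that a Firefox profile really enforces both settings, as an added example that is not part of the original post: it parses `prefs.js`/`user.js` text and flags the weaker variants (HTTPS-Only Mode limited to private windows, DoH that may fall back to the system resolver). The preference names are Firefox's own; the function names and both sample profiles are constructed for illustration.

```python
import re
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Return findings ([] = strict). Absent prefs mean Firefox defaults."""
    findings = []
    if prefs.get("dom.security.https_only_mode") is not True:
        if prefs.get("dom.security.https_only_mode_pbm") is True:
            findings.append("HTTPS-Only Mode covers private windows only")
        else:
            findings.append("HTTPS-Only Mode is off: plaintext HTTP allowed")
    mode = prefs.get("network.trr.mode", 0)
    if mode == 2:
        findings.append("DoH mode 2 can fall back to the plaintext system resolver")
    elif mode != 3:
        findings.append(f"DoH is not in strict mode (network.trr.mode={mode})")
    return findings

# Constructed sample profiles, not taken from the original post.
STRICT = '''
user_pref("dom.security.https_only_mode", true);
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
WEAK = '''
// HTTPS-Only in private windows only, DoH with fallback
user_pref("dom.security.https_only_mode_pbm", true);
user_pref("network.trr.mode", 2);
'''

if __name__ == "__main__":
    for label, text in (("strict", STRICT), ("weak", WEAK)):
        print(label, audit(parse_prefs(text)) or "OK")
```

To audit a real profile, pass the contents of its `prefs.js` (and `user.js`, if present) to `parse_prefs` in place of the sample strings.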

To eliminate public Wi-Fi as a potential attack vector, an Ubuntu laptop was tethered to a mobile phone, providing complete autonomy over network traffic. This method bypasses reliance on shared, potentially compromised infrastructure. Testing revealed a key distinction between the IP addresses of each device: the phone, protected by Cloudflare’s WARP service, showed an IP assigned by Cloudflare, masking its actual network origin. In contrast, the laptop retained an IP assigned by the library’s network, as WARP was not directly running on the laptop.

Despite this, the laptop remains secure by enforcing HTTPS and encrypted DNS, ensuring that all sensitive traffic is protected even though its IP is visible to the network. While the library can observe that a device is connected and transmitting encrypted data, it cannot determine which websites are being accessed, nor can it decrypt the contents of any communications.

By routing mobile traffic through Cloudflare’s WARP service, the phone gains an additional layer of encryption between itself and Cloudflare’s edge servers, preventing passive surveillance at the local level. Although WARP does not function like a traditional VPN—meaning it does not mask the IP address from Cloudflare or hide traffic beyond Cloudflare’s network—it still guarantees encrypted transport across untrusted networks. As a result, local observers or filtering systems see only opaque, encrypted connections, with no usable insight into the data being exchanged.

This security posture offers several tangible advantages. DNS queries are shielded from tampering and surveillance. All plaintext HTTP traffic is categorically blocked. Local network interception becomes ineffective, as encryption ensures that only meaningless ciphertext is visible. Traditional filtering, tracking, and logging mechanisms employed by public networks are rendered impotent. Even if someone attempts to analyze traffic patterns, they encounter only an encrypted tunnel—impossible to decrypt or inspect.

By combining modern browser features, encrypted DNS, and WARP-based transport security, this solution provides a robust layer of protection when operating over public networks. It maintains speed and usability while neutralizing local surveillance and control. The result is a resilient, low-maintenance strategy that secures end-to-end communication and renders public network oversight effectively obsolete.


om tat sat