

10:40 am

This is a copy of a post from one of the forums that I am a member of. It seems to conflict with information about https that I think I learned from you. Could I request your comments about this and suggestions?
Quote
“There is a lot of misinformation about the safety and security of your computer
connecting to various types of networks. And since those of us in an RV spend a
lot of time traveling, we need to understand what is safe to use and what is
not.
First, a couple of disclaimers…
There is no such thing as absolutely secure and security is continuously
changing. Example: an encryption that is viewed as secure today might not be
secure tomorrow as computers grow in capability.
There are always some risks to security; some people are more comfortable with
risk than others.
So here are the typical networks we might encounter as we travel.
Open WIFI – Just say no.
When you connect to an Open WIFI, you open yourself to all sorts of attacks.
Everyone else can see what you are doing and can attack your computer and
potentially your identity. (search for “firesheep”)
And you have to trust the owner of the WIFI network (I wouldn’t trust anyone
running an open WIFI).
Even https doesn’t provide adequate protection because your computer can be
attacked by others in the WIFI network (are you sure your computer is up to
date?) and the provider of the network can redirect requests via an attack
strategy called “man in the middle” (search for “man in the middle”).
And by the way, if you try to take advantage of an open WIFI you just happen to
“find” be aware that in some jurisdictions, that may be considered
“theft”.
I have a computer (yes, I carry multiple) that has no personal information and I
never connect to anything that requires a password with this computer. If
anything goes wrong with this machine, I wipe the disk and reinitialize. That is
the ONLY machine I would attach to an open WIFI and all I would do is check the
news, read online docs, listen to music, etc.
Encrypted WIFI – Better but risky.
First, if the WIFI is encrypted with a security type of WEP, then it is not
really encrypted in a way that is safe. WEP WIFI networks are as dangerous as
open WIFI. WIFI must be encrypted with some form of WPA to be considered secure.
A WPA encrypted WIFI all but eliminates attacks from others that are on the same
WIFI network. But you still need to trust the provider of the network. For
example, how much do you want to trust Joe’s Pizza WIFI? (see “man in the
middle”)
I might read email on such a network but except in an extreme emergency I would
not perform financial transactions on such a network. And I would make certain
that my system was up to date and my personal firewall was functioning. And I
would make sure I had some level of trust in the provider of the network.
Your own encrypted WIFI via your own router – the best answer
Use a router that connects to the cell network and provides a local WPA
encrypted WIFI (sometimes called a MIFI). No one else is on the network except
your machines. You control the router. You know the network provider (your cell
provider). And the added bonus is that the computers on this network are hidden
from the outside world all but preventing inbound attacks. This (see “network
address translation”) provides a very strong firewall.
When traveling, this is the only network on which I will perform financial
transactions.
Points of discussion:
Q: Doesn’t https provide a secure, encrypted connection?
A: Think of https as providing a very strong pipe from your computer to another
computer. In general, the pipe will not leak, that is, no one will be able to
pull data out of the pipe. This is all true. However, there are ways to redirect
the pipe so that it doesn’t really go where you expect it to go. So the
communication in the pipe is secure but it can get to the wrong organization /
person. (see “man in the middle”)
Also, if your computer has been previously compromised, https provides no
protection.
Q: Isn’t an encrypted WIFI as safe as data connections to cell networks (3G,
4G, ?)?
A: Not always. A cell network can be worse than a WPA encrypted WIFI or it can
be equivalent when it comes to communication (cell data networks are not in my
areas of expertise). But that isn’t the only issue. The good news with cell
networks is that you know who is on the other end (Verizon, ATT, Sprint, etc.).
When you use someone’s wireless, the answer might be less clear and you
probably do not have a financial connection with the provider. Again, I always
want to be sitting behind a router that I control.”
End Quote
Thanks
Al Wilson
I like the disclaimer. Nothing is absolute. Minimize your risk. Keeping up to date and informed is your best defense.
The main problem as I see it is the reluctance of companies and individuals to upgrade their systems. Older protocols are not secure as mentioned in the article.
Up until this past year, no one had compromised the old https protocol, although there had been a proof of concept to do so. Now, apparently, it has been cracked using a “man in the middle” attack using very sophisticated processes. So far, no one has reported successful attacks in the wild. It is just a matter of time, I'm sure.
The net effect of the reports will force faster adoption of the newer encryption protocols already available which have not been compromised.
Encrypted hot spots are safer than open hotspots. Realize that the encryption is only between your laptop and the local access point.
I will still only do financial transactions on https sites. My gmail is encrypted end to end. I will continue to use public hotspots when I deem it necessary. Is it possible someone is sniffing? Absolutely. Is it likely? That depends on the hotspot. A famous bank robber was once asked, “Why do you rob banks?” He answered, “That's where the money is!” Serious threats are still going to happen where the big money is. That is not usually an RV park WiFi system.
Again, if your computer is infected, you are already unsafe both to yourself and others.
Helping Travelers to Plan, Preserve, and Share their Travels
If anything goes wrong with this machine, I wipe the disk and reinitialize. That is
the ONLY machine I would attach to an open WIFI and all I would do is check the
news, read online docs, listen to music, etc.
Statements like this piss me off! It is SO important for travelers to check their bank accounts when they're traveling, and statements like the above scare them away from doing so.
If:
- your computer's software is up to date, and if
- you browse to your bank's website (don't follow a link in an email that could be bogus) and if
- you see the https in the address bar,
Then you are 99% protected, REGARDLESS of what you use to connect to the Internet (wifi, cellular, satellite, DSL, Cable, encrypted, unencrypted)
On the other hand, if you wait till you get home from vacation and can read your printed bank statement – it will be too late to do anything about that $1,200 charge that you didn't make!
I am willing to take 1% risk any time! Driving our highways (which we do every day) has a much greater risk! I know more people who have suffered gunshot wounds while driving on I-95 in Florida than who have had their identity stolen because of using open Wi-Fi on their computer. We need to be smart about Internet security (see 1,2,&3 above and this video), but not paralyzed.
3:33 pm

Thank you Jim and Chris for the replies. May I have your permission to copy and paste your replies to the other forum? Or, would you prefer me to just reference this discussion on the other forum?
Bottom line – if you are on an open wifi network but connect to your bank through your browser and the web site is shown as “https”, you are safe?
Al
Bottom line: Probably safe. IF your computer is up to date and running firewall and anti-malware programs, and if you are connecting to a legitimate hotspot.
Repeating what Chris said above; knowing what is going on with your money is much more important than worrying that a hacker is connected to the same WiFi hotspot as you.
I just read a story today about 15,000 credit card holders being compromised by hackers. The bank information was stolen and posted.
That is the reality of theft (identity and monetary) today.
You may copy the entire posts and please reference this forum.
11:04 am

I have seen a reply to the post on the other forum and I thought I would post it here.
“I have had to think about how to answer this post.
I intended my original post for this group of Safari owners. Had I intended it
for a “geek” audience, I would have written it very differently.
It appears that I did not provide sufficient detail for MR Geek…
In order to connect securely to a web site two things are necessary: you need a
secure path and you need to connect to the correct site. While there are
sometimes attacks on encryption that involve sophisticated computing and
generally some luck, I have not heard in the various forums and literature that
I follow of any general attacks on the encryption used by https. At this point
in time, I assume that https has little or no risk. But does it connect to the
correct site? Consider the following example:
I expect that many of you have checked into an RV campsite that offers free
wireless and the office provides you the password (note: not the encryption
key!). You park your rig, start your computer and try to go to “weather.com”.
You are surprised when it takes you to a browser page that asks you for the
password. This is the power of owning your router; you can ask for any internet
address you want, the router can redirect you as needed. Now imagine that
instead of providing you with the security page, a server (call it SERV) goes
to weather.com and provides your browser with the output. Your browser is
connected to SERV but it sure looks like weather.com. SERV can see what you type
to what you believe is weather.com and can see the output from weather.com as
well. This is what is called a man in the middle attack. Doing this in https is
more complicated but you get the idea.
https is a necessary but insufficient step for secure financial computing. That
is why I suggest that you be at an encrypted WIFI from a known vendor and then
be careful.
MRS Geek is pissed off…
There are technically knowledgeable people that can use open WIFI safely. But it
requires a significant understanding of what to do and what not to do. It
concerns me greatly when technical types presume that others have this
understanding (or they are unaware of their own level of understanding).
If all you ever do with your computer is connect to Facebook and read your email
and you are unconcerned about the consequences of your Facebook or email
identity being hijacked, then maybe you can be unconcerned with connecting with
an open WIFI. But if you ever intend to use the computer for financial
transactions or any transactions that you consider important, then an open WIFI
is a really bad idea.
But of course, each person needs to consider their own level of risk tolerance.
By the way, I do all of my financial work online but I follow my own
recommendations.
Good luck.
David (aka Mr. Doom & Gloom)”
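The question this thread keeps returning to is whether a router that redirects you to its own server ("SERV") can pass as an https site. The sketch below is an added example, not part of any forum post: it uses the `openssl` command line to replay the two checks a browser makes on the certificate it is shown. The names `weather.example` and `serv.example`, the demo CA and all keys are constructed for the example, and the demo CA stands in for the browser's built-in trust store.

```shell
#!/bin/sh
# Added example: the certificate checks that stop a redirecting router from
# passing as an https site. All names, keys and certificates are constructed.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$D/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Trusted CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

self_signed() {   # $1=file prefix, $2=subject name; nobody vouches for it
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$D/demo.cnf" \
    -subj "/CN=$2" -keyout "$D/$1.key" -out "$D/$1.pem" 2>/dev/null
}

issued_by_ca() {  # $1=file prefix, $2=DNS name; signed by the demo CA
  openssl req -new -newkey rsa:2048 -nodes -config "$D/demo.cnf" \
    -subj "/CN=$2" -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\n' "$2" > "$D/$1.ext"
  openssl x509 -req -in "$D/$1.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
    -CAcreateserial -days 1 -extfile "$D/$1.ext" -out "$D/$1.pem" 2>/dev/null
}

# Both must hold: the chain reaches a trusted CA AND the name matches the URL.
browser_accepts() {  # $1=file prefix of presented cert, $2=name the user typed
  openssl verify -CAfile "$D/ca.pem" -verify_hostname "$2" "$D/$1.pem" \
    >/dev/null 2>&1
}

self_signed  ca     "Demo Trusted CA"   # stands in for the browser trust store
issued_by_ca real   weather.example     # the genuine site
self_signed  forged weather.example     # SERV claims the name, no CA signature
issued_by_ca serv   serv.example        # SERV's own valid cert, wrong name

for c in real forged serv; do
  if browser_accepts "$c" weather.example; then echo "$c: accepted"
  else echo "$c: rejected (browser shows a certificate warning)"; fi
done
```

Only the certificate issued to the genuine site passes both checks. The protection is lost if the user clicks through the warning, or if the connection starts as plain http and never reaches the https check.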
