Is https Secure Over Airport, Coffee Shop, Hotels Wifi?

Old Sep 2, 2015, 8:11 am
  #1  
Original Poster
 
Join Date: Apr 2001
Location: Austin
Programs: AA P4L, WN, BA, DL, UA, HHonors, IHG
Posts: 3,485
Is https Secure Over Airport, Coffee Shop, Hotels Wifi?

A simple question that likely has a non-simple answer: If I use an airport's, coffee shop's or hotel's wifi and restrict myself to https sites, are my communications secure?
Middle_Seat is offline  
Old Sep 2, 2015, 8:54 am
  #2  
FlyerTalk Evangelist
 
Join Date: Apr 2013
Posts: 26,288
No. No.
MaxBuck is offline  
Old Sep 2, 2015, 8:58 am
  #3  
 
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
Gogo wireless got caught pulling a man in the middle attack of sorts with Google https by inserting self-signed certificates of authority and making themselves the issuing authority on their private net. If someone got control of these systems (or a credible forgery thereof), I imagine they could do something similar.
Dubai Stu is offline  
Old Sep 2, 2015, 10:13 am
  #4  
Suspended
 
Join Date: Jun 2009
Location: YYZ
Programs: AC E50K (*G) WS Gold | SPG/Fairmont Plat Hilton/Hyatt Diamond Marriott Silver | National Exec Elite
Posts: 19,284
Absolutely not.
superangrypenguin is offline  
Old Sep 2, 2015, 12:36 pm
  #5  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
I'd be interested to learn why people say no.
gfunkdave is offline  
Old Sep 2, 2015, 7:33 pm
  #6  
 
Join Date: Jul 2014
Location: Loud, dark, warm, lots of ethernet cables, and in some rack space.
Programs: AA:EXP
Posts: 369
Originally Posted by gfunkdave
I'd be interested to learn why people say no.
Trusting any connection that is not secured with a password or some sort of VPN is a huge no-no in the corporate world. Assume any input connections are unsanitary and need protection. Someone could log your credit card or other personal information from the network (man in the middle, etc). Or they could also send a malicious packet to the whole network.

That being said, the likelihood of some individual doing said things intentionally is very low. However, for an airport to log your browsing data and habits? Highly possible. The off chance someone has an unsecured computer without an anti-virus, could unintentionally infect computers on a network? Also likely.

The best you should do is get a VPN or keep your computer up to date.

Source: Hi! I'm a server! Who are you?
Server is offline  
Old Sep 2, 2015, 7:50 pm
  #7  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,155
Originally Posted by Middle_Seat
... likely has a non-simple answer:
You got that part right...

The answer is very much "yes and no", depending mainly on you, but also in part on the website.

If you go to your bank website by entering "https://www.bankofamerica.com", and if you don't accept any certificate errors or anything else like that, then you're probably safe. Realistically there's no way that a random hotspot hacker can make your browser believe that's the real BoA with a valid certificate if it's not, and once it's using the real BoA certificate it's basically impossible for them to decrypt your traffic (with a few possible exceptions around recent vulnerabilities - but even then you'd have to be very unlucky, and only if your bank hadn't patched them yet)

However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)

The same is true if your bank doesn't use SSL for their main site (hello National Australia Bank of Australia!!) in which case the link on the website to login to Internet Banking could be trivially compromised. Even if you originally went to the SSL site, some links on the site could drop you back to the non-SSL site without you noticing.

There are new features being added to websites/browsers to work around some of these issues (eg, HSTS), but a surprisingly small number of sites are actually implementing them. eg, Bank of America doesn't support HSTS, and NAB doesn't even force SSL on their main site...

You might also be interested in this experiment I did recently - Spoofing public Wifi networks - in the air!
docbert is offline  
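
The two weaknesses described in the post above (a plain-http first request that lets an interceptor redirect to a lookalike domain, and a site that sets no HSTS policy) can be checked from a recorded redirect chain. This is an added example, not part of the original post; the function names and the sample chain are constructed for illustration.

```python
# Added example, not from the thread: audit a redirect chain for the
# weaknesses described above. All sample data below is constructed.
from urllib.parse import urlsplit

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def hsts_max_age(headers):
    """Return max-age in seconds from Strict-Transport-Security, or 0 if absent/invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def audit_chain(intended_host, hops):
    """hops: list of (url, response_headers) in the order the browser followed them."""
    findings = []
    if urlsplit(hops[0][0]).scheme != "https":
        findings.append("first request was plain http: an interceptor can choose the redirect target")
    final = urlsplit(hops[-1][0])
    if final.hostname != intended_host:
        dist = osa_distance(final.hostname, intended_host)
        kind = "lookalike" if dist <= 2 else "different"
        findings.append(f"landed on {kind} host {final.hostname} (distance {dist})")
    if final.scheme == "https" and hsts_max_age(hops[-1][1]) == 0:
        findings.append("final response sets no effective HSTS policy")
    return findings

# Constructed chain mirroring the post: typed http://, landed on the transposed domain.
SAMPLE = [("http://www.bankofamerica.com/", {"Location": "https://www.bankofamercia.com/"}),
          ("https://www.bankofamercia.com/", {"Content-Type": "text/html"})]
```

Calling `audit_chain("www.bankofamerica.com", SAMPLE)` reports all three findings, even though the final page has a valid lock icon.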
Old Sep 2, 2015, 9:13 pm
  #8  
 
Join Date: Nov 2012
Location: Minutes from ATL
Programs: DL
Posts: 436
Originally Posted by docbert
You got that part right...

The answer is very much "yes and no", depending mainly on you, but also in part on the website.
This guy has it right (mostly). The entire point of HTTPS is that you can use public connections and still have secure communication. As long as your OS is good, your root certificates haven't been compromised, and the URL is known and trusted, then there is no way to introduce a man-in-the-middle type of attack.

Human Factors
The validity of the URL is usually established using a relatively new HTTPS security standard that provides some sort of visual indication of the level of trust established for a particular website. If you go to https://www.chase.com you will see a large green bar or indicator on your browsers that says something to the effect of JP Morgan Chase. These certificates are difficult to obtain from the certificate authority. A scammer/hacker will not be able to get these. Make yourself aware of the icon and you will be protected (mostly).


However, there are a few caveats:
- There was an iPhone bug that disabled root-certificate validations.
- The indicators may not be obvious, you may not remember them
- The NSA may compromise root certificates and issue false certificates (rare, difficult to defend against anyway with protected access points).
paul21 is offline  
Old Sep 2, 2015, 9:19 pm
  #9  
FlyerTalk Evangelist
 
Join Date: Jun 2002
Location: n.y.c.
Posts: 13,988
Originally Posted by docbert
However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)
But, how would I be fooled by the login page presented by Bankofamercia.com?

After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
nerd is offline  
Old Sep 2, 2015, 9:42 pm
  #10  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,155
Originally Posted by nerd
After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
When was the last time you logged into BofA? What you described is their old system that they have been migrating off for some time - as far as I'm aware it's no longer in use at all. When I go to BofA now I see a username/password box on the homepage.
docbert is offline  
Old Sep 2, 2015, 10:05 pm
  #11  
 
Join Date: Oct 2013
Location: SFO/CDG
Posts: 320
Originally Posted by nerd
But, how would I be fooled by the login page presented by Bankofamercia.com?

After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.

Originally Posted by docbert
When was the last time you logged into BofA? What you described is their old system that they have been migrating off for some time - as far as I'm aware it's no longer in use at all. When I go to BofA now I see a username/password box on the homepage.
Agreed, they have moved on to username and password on one page. They do allow two factor authentication instead. After entering my username/password, I am asked to select my on file email or phone number at which point a code is sent.

Now if my phone is compromised, I'm in trouble.
scottpenderson is offline  
Old Sep 2, 2015, 10:06 pm
  #12  
FlyerTalk Evangelist
 
Join Date: Jun 2002
Location: n.y.c.
Posts: 13,988
Originally Posted by docbert
When was the last time you logged into BofA? What you described is their old system that they have been migrating off for some time - as far as I'm aware it's no longer in use at all. When I go to BofA now I see a username/password box on the homepage.
I've still seen it -- they announced the migration a couple of months ago, to be completed by the end of the year.
nerd is offline  
Old Sep 3, 2015, 6:16 am
  #13  
 
Join Date: Nov 2007
Location: DAB
Programs: DL PM UA PSilver Marriott Lifetime Plat, AMEX Platinum, Avis PC, UA MPPPlus
Posts: 961
The OP's example was specific to secure web browsing, but the question could be interpreted to mean all communications including non-https traffic.

A VPN in addition to any WiFi and browser based security is a good addition. I was required to use one for work, and now use a personal VPN when I am away from home.

Some folks host a personal VPN server somewhere, or they have this functionality running on their router. Others simply set up an account with a provider (free or charged) for this service.

You will also hear of VPNs being used to change the apparent location of a computer. I know of folks who will use this to be able to view streaming video of entertainment not available within their home region.
edweird is offline  
Old Sep 3, 2015, 6:55 am
  #14  
:D!
 
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,344
Originally Posted by edweird
Some folks host a personal VPN server somewhere, or they have this functionality running on their router. Others simply set up an account with a provider (free or charged) for this service.
Can someone explain how secure these paid-for VPN services are?
:D! is offline  
Old Sep 3, 2015, 7:19 am
  #15  
 
Join Date: Jun 2004
Location: BWI
Programs: UA1P
Posts: 349
Originally Posted by nerd
But, how would I be fooled by the login page presented by Bankofamercia.com?

After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
So is it impossible for a faker to take the UserID from your initial fake login and pass them on to the real BofA behind the scenes and retrieve those to construct the next fake screen that gets sent back to you?
catflyer is offline  

