Is https Secure Over Airport, Coffee Shop, Hotels Wifi?
#1
Original Poster
Join Date: Apr 2001
Location: Austin
Programs: AA P4L, WN, BA, DL, UA, HHonors, IHG
Posts: 3,485
Is https Secure Over Airport, Coffee Shop, Hotels Wifi?
A simple question that likely has a non-simple answer: If I use an airport's, coffee shop's or hotel's wifi and restrict myself to https sites, are my communications secure?
#3
Join Date: Nov 2006
Location: Detroit; Formerly Dubai
Posts: 3,652
Gogo wireless got caught pulling a man in the middle attack of sorts with Google https by inserting self-signed certificates of authority and making themselves the issuing authority on their private net. If someone got control of these systems (or a credible forgery thereof), I imagine they could do something similar.
#6
Join Date: Jul 2014
Location: Loud, dark, warm, lots of ethernet cables, and in some rack space.
Programs: AA:EXP
Posts: 369
Trusting any connection that is not secured with a password or some sort of VPN is a huge no no in the corporate world. Assume any input connections are unsanitary and need protection. Someone could log your credit card or other personal information from the network (man in the middle, etc). Or they could also send a malicious packet to the whole network.
That being said, the likelihood of some individual doing said things intentionally is very low. However, for an airport to log your browsing data and habits? Highly possible. The off chance someone has an unsecured computer without an anti-virus, could unintentionally infect computers on a network? Also likely.
The best you should do is get a VPN or keep your computer up to date.
Source: Hi! I'm a server! Who are you?
#7
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,155
You got that part right...
The answer is very much "yes and no", depending mainly on you, but also in part on the website.
If you go to your bank website by entering "https://www.bankofamerica.com", and if you don't accept any certificate errors or anything else like that, then you're probably safe. Realistically there's no way that a random hotspot hacker can make your browser believe that's the real BoA with a valid certificate if it's not, and once it's using the real BoA certificate it's basically impossible for them to decrypt your traffic (with a few possible exceptions around recent vulnerabilities - but even then you'd have to be very unlucky, and only if your bank hadn't patched them yet)
However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)
The same is true if your bank doesn't use SSL for their main site (hello National Australia Bank of Australia!!) in which case the link on the website to login to Internet Banking could be trivially compromised. Even if you originally went to the SSL site, some links on the site could drop you back to the non-SSL site without you noticing.
There are new features being added to websites/browsers to work around some of these issues (eg, HSTS), but a surprisingly small number of sites are actually implementing them. eg, Bank of America doesn't support HSTS, and NAB doesn't even force SSL on their main site...
You might also be interested in this experiment I did recently - Spoofing public Wifi networks - in the air!
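The downgrade-then-redirect scenario described in the post above (typing an http:// address, being bounced to a look-alike https:// domain whose certificate is perfectly valid) can be audited mechanically. This is an added example, not code from any poster: it takes a typed URL, the URL the browser finally landed on, and the final response headers (all constructed sample values here, not captured from any real bank), and reports why the navigation was risky, including the missing HSTS header the post mentions. The `registrable()` helper is a crude two-label approximation of eTLD+1, an assumption that is fine for .com-style hosts but not for country-code domains.

```python
from urllib.parse import urlsplit
from difflib import SequenceMatcher

# Constructed sample: what the user typed, where the browser ended up,
# and the final response headers. Not captured from any real site.
TYPED_URL = "http://www.bankofamerica.com"
FINAL_URL = "https://www.bankofamercia.com/login"
FINAL_HEADERS = {"Content-Type": "text/html"}  # no Strict-Transport-Security

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); assumption: .com-style hosts only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def audit_redirect(typed_url: str, final_url: str, final_headers: dict) -> list:
    """Return findings describing why a typed->final navigation is risky.

    Findings cover: plaintext first hop (redirect was interceptable),
    non-https landing page, landing on a different or look-alike
    registrable domain, and absence of an HSTS header on the final page.
    """
    typed, final = urlsplit(typed_url), urlsplit(final_url)
    findings = []
    if typed.scheme != "https":
        findings.append("initial request was plaintext http: the redirect "
                        "target could have been rewritten in transit")
    if final.scheme != "https":
        findings.append("final page is not https")
    t_dom = registrable(typed.hostname or "")
    f_dom = registrable(final.hostname or "")
    if t_dom != f_dom:
        # High string similarity between different domains is the classic
        # typo-squat signature (bankofamerica vs bankofamercia).
        ratio = SequenceMatcher(None, t_dom, f_dom).ratio()
        kind = "look-alike" if ratio > 0.85 else "different"
        findings.append(f"landed on {kind} domain {f_dom!r} instead of "
                        f"{t_dom!r} (similarity {ratio:.2f})")
    lowered = {k.lower(): v for k, v in final_headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header: future "
                        "http:// visits to this host stay exposed")
    return findings

if __name__ == "__main__":
    for line in audit_redirect(TYPED_URL, FINAL_URL, FINAL_HEADERS):
        print("-", line)
```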
#8
Join Date: Nov 2012
Location: Minutes from ATL
Programs: DL
Posts: 436
Human Factors
The validity of the URL is usually established using a relatively new HTTPS security standard that provides some sort of visual indication of the level of trust established for a particular website. If you go to https://www.chase.com you will see a large green bar or indicator on your browser that says something to the effect of JP Morgan Chase. These certificates are difficult to obtain from the certificate authority. A scammer/hacker will not be able to get these. Make yourself aware of the icon and you will be protected (mostly).
However, there are a few caveats:
-There was an iPhone bug that disabled root-certificate validations.
-The indicators may not be obvious, and you may not remember them.
-The NSA may compromise root certificates and issue false certificates (rare, difficult to defend against anyway with protected access points).
#9
FlyerTalk Evangelist
Join Date: Jun 2002
Location: n.y.c.
Posts: 13,988
However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)
After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
#10
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,155
When was the last time you logged into BofA? What you described is their old system that they have been migrating off for some time - as far as I'm aware it's no longer in use at all. When I go to BofA now I see a username/password box on the homepage.
#11
Join Date: Oct 2013
Location: SFO/CDG
Posts: 320
But, how would I be fooled by the login page presented by Bankofamercia.com?
After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
Now if my phone is compromised, I'm in trouble.
#12
FlyerTalk Evangelist
Join Date: Jun 2002
Location: n.y.c.
Posts: 13,988
I've still seen it -- they announced the migration a couple of months ago, to be completed by the end of the year.
#13
Join Date: Nov 2007
Location: DAB
Programs: DL PM UA PSilver Marriott Lifetime Plat, AMEX Platinum, Avis PC, UA MPPPlus
Posts: 961
The OP's example was specific to secure web browsing, but the question could be interpreted to mean all communications including non-https traffic.
A VPN in addition to any WiFi and browser based security is a good addition. I was required to use one for work, and now use a personal VPN when I am away from home.
Some folks host a personal VPN server somewhere, or they have this functionality running on their router. Others simply set up an account with a provider (free or charged) for this service.
You will also hear of VPNs being used to change the apparent location of a computer. I know of folks who will use this to be able to view streaming video of entertainment not available within their home region.
#15
Join Date: Jun 2004
Location: BWI
Programs: UA1P
Posts: 349
So is it impossible for a faker to take the UserID from your initial fake login and pass them on to the real BofA behind the scenes and retrieve those to construct the next fake screen that gets sent back to you?