FlyerTalk Forums - View Single Post - Safeguarding your personal data transmitted over hotel internet
Apr 9, 2013 | 1:40 pm
#20
gfunkdave
Originally Posted by gqZJzU4vusf0Z2,$d7
> > HTTPS is a secure end-to-end protocol for web browsing.
>
> NOT necessarily.
>
> There are MANY ways to implement SSL incorrectly. To determine if the website has
> correctly implemented SSL, use:
>
> https://www.ssllabs.com
>
> > > padlock icon
>
> RELYING on the little padlock icon in your browser is nuts. More than a few firms
> sell appliances that make executing a Man-in-the-Middle (MITM) attack plug & play.
> To determine if your current SSL connection is being hijacked by a MITM attack:
>
> https://www.grc.com/fingerprint
>
> So, how many of these SSL-secured websites have substantive problems?
> ~90% have substantive problems.
>
> https://www.trustworthyinternet.org/ssl-pulse/
>
> A snapshot of several prominent websites that ought'a be ashamed:
>
> https://www.transunion.com
> https://www.schwab.com
> https://www.tdbank.com
> https://www.ibm.com
>
> *I* expect better.
Even so,

1. If the connection is encrypted, the connection is encrypted. This is a separate, but related, issue from MITM attacks.

2. Yes, it's certainly possible for IT departments to put SSL appliances on their networks that allow them to decrypt SSL traffic on the fly and execute a MITM attack, essentially. Companies that do so also need to ensure that the appliance doing the MITM attack has a certificate that is installed on all client computers. This is unlikely in the extreme for a random hotel user wanting to access the internet. If someone is targeting you for something like this, you've got bigger things to worry about! Or am I misunderstanding something about how these MITM appliances work?

3. I tried running IBM.com through that tester website you mentioned, and it got an "A" grade.

4. What are the substantive problems you mention?

I'm not saying SSL/TLS are perfect, just that they have been around for a long time and are pretty well understood. For the average user who wants to check his bank account from a hotel, I'd have no trouble saying that using https is more than adequate protection.
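The fingerprint comparison behind the grc.com/fingerprint check the quoted poster recommends, combined with the observation in point 2 of the reply above that an interception appliance only passes silently when its root is in the client's trust store. This is an added example written for this page, not code from the thread or from GRC; the script and function names, the hypothetical file name fpcheck.py and the byte strings used for testing are constructed for illustration. It assumes you already hold a reference fingerprint for the site obtained from a vantage point outside the hotel network (a phone on cellular, or a service such as GRC).

```python
"""Compare the TLS certificate seen from this network with a reference
fingerprint obtained elsewhere, then say what a mismatch means.

Added example; not from the forum thread or from GRC. Function names,
the file name in the usage comment and the test inputs are constructed."""
import hashlib
import socket
import ssl
import sys


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER certificate,
    the format browsers and GRC display."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators so fingerprints copied from different tools compare."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented on this network path.

    Verification is deliberately off: we want whatever certificate the
    network hands us, whether or not this machine would trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verified_handshake_ok(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a normal, verifying TLS handshake succeeds, i.e. this
    machine's trust store accepts whatever chain the network presents."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def compare(observed_der: bytes, reference_fp: str) -> dict:
    """Compare an observed certificate with a reference fingerprint.
    SHA-1 (40 hex digits) or SHA-256 (64) is inferred from the reference."""
    ref = normalize(reference_fp)
    if len(ref) == 40:
        algo = "sha1"
    elif len(ref) == 64:
        algo = "sha256"
    else:
        raise ValueError("reference must be a SHA-1 or SHA-256 fingerprint")
    observed = fingerprint(observed_der, algo)
    return {"algo": algo, "observed": observed, "match": normalize(observed) == ref}


def classify(match: bool, verified: bool) -> str:
    """Combine the two observations into the verdict the thread argues over."""
    if match:
        return "same certificate as the reference vantage point: no interception on this path"
    if verified:
        return ("different certificate, yet this machine trusts it: an interception "
                "root has been installed in the local trust store")
    return "different certificate and untrusted: interception a browser would warn about"


if __name__ == "__main__":
    # usage (hypothetical file name):
    #   python fpcheck.py www.example.com AA:BB:...  (reference from another network)
    host, reference = sys.argv[1], sys.argv[2]
    result = compare(fetch_leaf_cert(host), reference)
    print(f"observed {result['algo']} fingerprint: {result['observed']}")
    print(classify(result["match"], verified_handshake_ok(host)))
```

Two points the script makes concrete: the fingerprint is taken with verification disabled, because a self-signed interception certificate would otherwise abort the handshake before you could inspect it, and the second, verifying handshake is what separates the "corporate appliance with its root installed on this laptop" case from the "hostile hotspot a browser would warn about" case. A matching fingerprint cannot be forged without the site's private key, so a match from two independent network paths is strong evidence that neither path is intercepting.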