We're veering off topic here. The question the OP asked was, "if I use only https connections at a coffee shop or other public wifi, can I be assured of those communications being secure?"

We got a bunch of initial "NO!" answers with no commentary or explanation. I asked for an explanation.

As has been explained, https verifies the server certificate to ensure it's communicating with whom it thinks it is.

I understand that someone like Gogo can use a self-signed certificate that says it's for Google but the browser won't trust it, since it's not signed by a trusted authority. A user who isn't paying attention would probably not see what's happening.

This is what Gogo was doing.

Right - and the whole point of https is that it verifies the server identity and encrypts communications so you can use things securely over untrusted networks.

If someone is on the plane with you and snooping on the wifi, correct me if I am wrong, but wouldnt they be able to breach your SSL security as the packets would still be "in the clear" on the wifi network on the plane? Or am I too worried about this?

HTTPS actually does protect all your traffic over an open connection: all traffic is encrypted, and can't be observed by a party in the middle of the transaction.

This does not mean that it is not vulnerable to attacks, and there are things you need to be vigilant about before you blindly trust an HTTPS connection. The most important attack you'd need to worry about is a "man in the middle" attack, where a server in the middle lies about its identity and pretends to create a secure pipeline, then listens to traffic over the wire.

The good news is that you can tell when this is happening using the certificate chain. Basically, in information security, a certificate is the equivalent of a trustworthy photo ID for your server. Each HTTPS site will have one, and all the encrypted traffic is encrypted using its ID so you can trust the origin (and determine if it's been tampered with).

How does the web browser tell if a certificate is valid? There's a "trust chain", where the browser ships from its original developers with a set of trusted "root certification authorities". In the photo ID analogy, this would be equivalent to the governmental agency that issues your ID. Each of these root CAs may delegate issuance to another authority a few times, eventually culminating in your server's ID.

You can be sure your connection isn't being tampered with if you evaluate this chain of trust on a trustworthy connection, then compare it with the chain of trust on an insecure one to make sure the same certificate is used.

The good news is that your browser does a lot of this verification for you. If you see the green lock icon in your toolbar, it's passed all the browser verifications (which helps a lot, but isn't an ironclad guarantee). A red icon appears instead if the trust chain doesn't trace back to one of the known-good authorities.

Others have mentioned the Gogo man in the middle attack. This article has great screenshots of what it looks like when this occurs: http://gizmodo.com/gogo-is-using-man...its-1677559652 . The good news is that the Gogo one was obvious to see using standard browser features.

The browser verification isn't foolproof, though. A man in the middle attack can issue fake certificates for the servers you talk to. There's a debugging tool called Fiddler that does this for web developers (although Fiddler helpfully calls its root CA "FIDDLER_DO_NOT_TRUST" ). Those will show up as invalid, but if someone manages to get a compromised root CA certificate, they could set up an attack that would fool your browser into thinking the fake certificates are just-fine-thank-you-very-much.

As an aside, some sovereign states operate root certification authorities that are trusted, too - so they could issue seemingly-valid HTTPS certificates that get the green padlock but aren't authentic.

The best defenses are twofold:

- for any sites you care deeply about, know what the trust chain looks like, and write down the certificate thumbprint for the certificate - a unique ID that's next to impossible to fake. That way you can manually verify whether you're being compromised or not.

https://www.grc.com/fingerprints.htm maintains a list of known good thumbprints - as well as a tool that will check a web site for you on a known-safe connection and give you an ID to compare against.

If you trust me more than your internet connection or the GRC site, one certificate you can easily check is American Express's. Their certificate traces back through two GeoTrust root certification authorities, and its thumbprint is ‎e2 1c 1a cb fa 0b 72 37 73 f2 7b 8d 8c 7e c7 29 c6 58 e2 8e. This certificate expires May 2016 (so if you're looking at this thread next year, they'll probably be using a newer one.).

The way you get to this information differs by browser. for Chrome, click the green padlock in the browser address bar, then "Connection", then "Certificate Information". The thumbprint is on the Details tab; scroll all the way to the bottom.

- Keep your browser and computer up to date. As certificates are lost or compromised, your OS and browser vendors will revoke them in updates so they can't be used in future attacks.


Sorry for the longwinded explanation - wanted to get a little technical to clear up some misconceptions about how this all works. There's probably room for someone to make a plain-english explanation site that can be shared around to folks!

tl;dr: HTTPS does secure you from snooping. But unless you look closely at the certificates and validate the server's identity, you can't be sure of who you're talking to on the other end. The good news is that there are reliable ways to be confident of the server identity; your browser makes a good first attempt, but to be truly secure you need to manually verify it yourself.

How about an app, eg BoA, over public wifi? Would this be vulnerable to the same thing?

In very broad strokes, HTTPS is secure if your browser shows a green icon. An app is a mixed bag -- you need to trust the app creator they are not dumb and communicate over HTTPS. There's no easy way for you to check.

For the more technically inclined, I am running redsocks instead of VPN.

For many of them, the answer is somewhere between "pretty secure" to "very secure" -- not governmental black-ops secure, but still very secure. The catch is that it only secures the data in transit, so you also want to ensure that the VPN servers also do not track or log the information you send (which is another point of information theft, but not from someone sitting beside you at Starbucks).

I personally don't know the specifics of the exact encryption protocols (I'm sure they mean something to the people in the know, but not me), however I've talked to some people who know enough about the business to be happy with my own choice: Tunnelbear VPN. They are very serious about not logging or tracking their client's info or sites, and have shields to bar tracking programs and other location loggers (those are more about privacy than security).

I have Tunnelbear on my smartphone and laptop, and use it whenever I'm doing anything on a public wi-fi. Very easy interface, very reasonable price ($50/yr), and servers in over 20 countries (also important if you want to break any geoblocked sites).

Nothing is 100% safe. So it comes down to how much risk you are willing to take. Using public wifi has its own pitfalls and things to watch out for. Following the advice and precautions shared by other FTers will definitely help mitigate that risk.

Personally I try to avoid doing bank or important business transactions in public places. This is probably more of a personal comfort though than the reality of what could happen.

The Reality is this: You are much more likely to have your CC information stolen at Wal-Mart than over a Wifi connection. Nonetheless I wouldn't throw caution to the wind.

Come on then.... Why not?

This was posted upthread already by BenA.

I don't want to post how to do it as this is a public forum, it's UNLIKELY that you'll run into problems but it's not bulletproof.

That's as layman termed as I could make it

Working in the tech security world, I can say this is about as accurate as it gets.

how do you define "secure"? The OP said "assured".

there were some security issues recently where people might have bogus certificates already installed .. do you remember those? In that case, if that certificate were used in the attack you wouldn't have to accept anything, so you might not even know it.

That said, I do it, but I'm careful.

-David

If you've got bogus certs installed, then you've already lost. Whatever got those certs there is probably already monitoring your traffic, regardless of how/where you connect to the Internet.

Hope you consulted with a lawyer before you did that.
https://www.wklaw.com/stealing-perso...n-public-wifi/

Good question. Theoretically you have to trust these services not to mess with your data as they are the middle-man.

The Hong Kong post office can issue security certificates. What is that about?

So, I would say the answer is no.