ElCaminoReal

The nitty-gritty is over my head, but my understanding is that it would indeed require some intervention to install/validate/bypass a malformed certificate (if your corporate environment is anything like mine, many would instinctively do so thinking it is merely a nuisance warning). My point was that HTTPS does not serve as a direct replacement for the security that a VPN provides and ideally both are used in a layered fashion with additional security steps taken. OP did not mention privacy as a specific concern, but HTTPS certainly lacks in the privacy department.

DYKWIA

I just bought a Mifi device from 3 (a UK network provider), £80 including 12GB of data that can be used in 71 countries. You can connect up to 10 devices.

Very good value IMO

username

I once talked to this security expert and he said his company (a computer security company) does not allow employees to use open wifi as https/TLS are not to be trusted. He said he does not even do computer banking. So....

I guess the downside of using the local SIM is that if you have a Wifi-calling enabled number, you will lose the ability when you insert the local SIM. You also have to worry about the LTE bands.

gfunkdave

UNless he knows that TLS has been broken (which would be catastrophic worldwide and Big News) then this sounds like paranoid nonsense. I'd be interested to know his specific reasoning.

Make sure that the site you're on is the one you think you're on. Check that the domain name shown in the address bar is correct. Check that the browser trusts the site's certificate (https in green/you see the green padlock/no warnings). On Windows, it requires a defined , manual step to add a certificate as trusted: you have to download the certificate, double click it, tell Windows to add it, and sometimes enter the password of an administrator on the computer.

Keep your browser software up to date. Chrome does it automatically. I think Firefox does too. Be sure you apply security updates for your OS as they are released.

You can see different kinds of bad certificates in action at https://badssl.com. Click one of the red "Certificate" tests near the top left of the page.

If a well-funded adversary is after you, all bets are off. But 99% of people in the world can just practice good security hygiene and be totally fine.

txflyer77

Both VPNs and HTTPS use TLS, so if the belief is that TLS is broken (it's not), that conclusion does not make sense.

Now, if this is a computer security company like Matasano or Mandiant with a big fat target on their back, I can understand the extra level of paranoia. He may have meant "TLS is broken" colloquially and was actually referring to other vectors of attack that could be used against targeted individuals.

OTOH, if he's even avoiding online banking he just sounds overly paranoid.

I work with security experts at a very high profile tech company and none of them are afraid of TLS.

kennycrudup

Could he be talking about MITM TLS attacks? (Ironically enough, many companies do that to their own employees)

StephenN.Spurlock

Take a look at Windscribe, Avast or HMA software.
Considering how vulnerable is wireless connection nowadays i make VPN turned on even at home.

txflyer77

Please don't just grab a random VPN. VPNs are rife with problems, notably that they're only as trustworthy as the least trustworthy person working at the VPN provider. Instead of someone snooping on your browsing from the coffee shop's wifi, it's all getting snooped on by a guy in a dolphin onesie:


Every VPN provider claims it's the most secure, but they can't prove it. Meanwhile, HTTPS covers every reasonable concern had by those who aren't being specifically targeted, it's free, and it's built-in.

Install the HTTPS Everywhere extension and move on. If you're using an iPhone, rest easy knowing that Apple has required app developers to only use HTTPS for some time now: https://techcrunch.com/2016/06/14/ap...e-end-of-2016/

Jeannietx

I don't use my phone or tablet for internet, only my laptop. On my laptop and AIO I have Avast Premier with SecureLine VPN. It has traveled with me all over Europe, South America, Australia, South Africa, and many places far and wide with no problem.

docbert

(Yes, old thread, but I think it's worth explaining the normal attach vector here so people understand it a little better...)

Yes, HTTPS is pretty much completely secure. The issue is everything that happens before/around HTTPS being setup.

Most people access their banks website by pulling up their web browser and typing "mybank.com" into the address bar. When you do that, it first sends a DNS request to lookup the IP address of mybank.com. Your browser then sends a non-HTTPS request to "mybank.com", which then generally results in that site redirecting you to the HTTPS version, such as https://www.mybank.com - and that's there HTTPS/SSL kicks in.

There's two very simple attack vectors in that flow. By intercepting the DNS request, and/or the non-HTTPS request to mybank.com, you can take control of the session. Instead of redirecting the session to https://www.mybank.com, you can instead redirect it to https://www.mybank.co/, or to https://www.mybankonline.com, or some other website that the hacker controls. As the hacker controls that website, they can have registered an SSL certificate for it, so going to that website shows the lock icon, and at least to a cursory glance, appears to be completely secure.

In it's simplest form, that rogue website could just be passing traffic backwards and forwards to the real website so you won't even notice any difference - except that when you login they grab your login credentials (or any one of dozens of other malicious things they can do in this situation).

There are security features around today that will at least limit this style of attack, but not all sites use them. (Google for DNSSEC and HSTS to find the two most beneficial for the attack mentioned above). Your browser also attempts to help by doing things like showing "Bank Of America Corporation" next to the padlock on many sites (those using SSL certificates with a higher level of certification), but not all websites use those, and even for those that do it's relying on the user to notice that it's missing when they end up on a rogue website, which most people won't do.


The fundamental difference with using a VPN (based on the comment that "Both VPNs and HTTPS use TLS") is that VPN's use a different version of trust to confirm the site they are connecting to is valid. Your VPN software generally knows the exact site it's going to connect to (there's no redirect/etc as above), and frequently knows the SSL certificate that site uses in advance, so it's far, far more difficult to trick it into connecting to the wrong site.

Exactly! It comes down to who you trust more - the VPN provider, or whoever is providing the internet. If you're at home on Comcast or AT&T, then your Internet provider is likely far more trustworthy than most any VPN provider, so from a general security perspective there's no need to use a VPN.

However once you're on public open internet it's a different story - for two reasons. Firstly, there's the issue of do you trust the provider? How trustworthy is your local coffee shop, or the free wifi you happened to find at the train station?

But even if you do trust the provider, there's the second question of how you know if you're actually connected to that provider. I do generally trust Comcast, so if I see their "xfinitywifi" network I potentially trust it also - but how do I know that it's really xfinitywifi, and not someone simply pretending to be them? Same with Starbucks wifi, or your airports free wifi. If it's an open network, you generally can't trust it as you don't know who's really behind it. In that case, as long as you've picked a reputable VPN provider, you're probably safer with them than the open wifi.

As an example, here's an "experiment" I did a few years ago that showed just how easy this type of thing is to do, and how many people will fall for it - https://blog.docbert.org/spoofing-public-wifi-networks/

ajGoes

I hadn't thought of this before, but that's a great reason to use a password manager. It will automatically log you in only to the URL saved with your credentials.

A weakness to this approach is that legitimate sites often change their URLs, so it's not rare that you have to look up the password and re-enter it. Other than turning your skepticism up to eleven, I can't think of a surefire way to avoid absent-mindedly doing that.

txflyer77

I'd rather trust HTTPS + password manager + two-factor auth than any VPN provider.

DYKWIA

Even if you got this far, no banks ask for just a user name and password these days. It's always certain characters from the password. In fact, one of my banks asks for certain characters from both the password and PIN. So, if you have a long and secure password, you're in no real danger.

txflyer77

I’ve never seen a bank do this, and if I did I’d be afraid it means they’re storing the password somewhere.

Not storing passwords is InfoSec 101.

docbert

Perhaps "no bank" that you use, but every bank that I use asks for my full password on every login.

I used to work in website anti-fraud, and have worked with banks around the world, and the only banks I've come across that did the '3rd and 7th character' thing were a few of them in the UK. It's possible that's changed in the past few years, but it's not something I've seen at any of my banks in either Australia or the US. In fact, one Australian bank has a maximum 6 character password - without symbols or caps... Go figure... (I closed my account with that bank long ago!)

Even then, none of these measures stop a man-in-the-middle attack, where the attacker lets you login successfully, and then uses your session to do whatever they want to do.