Internet security in hotels
 

Do you feel comfortable logging on to, say, your online bank and brokerage accounts, using a hotel's internet service? Does the answer change if it's a wired connection through an ethernet cable vs a generic wifi/wireless "unsecured network"?

In each case Windows gives a warning like "some information may be visible to others on the network", but does the https sufficiently encrypt it? I mean, if someone got hold of one's online banking password, it would be a pretty major hassle for one to sort out!

On my own computer I don't think about it too much, but I don't trust doing stuff like that on common computers.

Generally speaking the HTTPS sufficiently encrypts the communication even on a wireless connection. Yes, there are still ways to intercept the traffic, but they are much more complicated/difficult.

If I'm using my own computer and the site in question is using SSL, I have no problems.

Unless it's a computer I trust, I don't do much beyond facebook/email...and even that is pushing it.

If I'm feeling paranoid and SSL is not an option, I do an SSH tunnel to my home router, and route traffic through that.

What they said.

On my own computer not a problem in my mind as long as the site is secure.

On the lobby computer, or cafe or something like that where there is a good chance of a key logger, nothing like bank or credit card transactions.

I know I'm overly paranoid but I won't do anything over hotel internet connections until I VPN into my home router first. Like others have said avoid business center computers as they may have keylogging software installed (not necessarily by the hotel, but it could be installed by other teenage guests.)

HTTPS connections do a quite good job protecting packets, but they don't protect you from tainted DNS servers (i.e., you enter "www.citibank.com" and the bad DNS resolves you to a phishing site which masquerades as the HTTPS version of the original). About 2 years ago I was in a major Vegas hotel and saw that Hotmail resolved to a private 10.10.x.x address instead of over the public internet.

The certificate exchange in negotiating the SSL connection will verify the site's identity.

yes, that is the purpose of the Verisign certificate, to ensure that the site matches who they say they are. If it is a masquerading site you would get a certificate warning.

Just like what others have posted here I don't usually worry if it is my own computer and HTTPS.

It's better now since Firefox 3.x now complains if the site uses a self-signed certificate instead of one registered through a major player like Verisign. Older browsers would accept self-signed certs and even display their little padlock icon even though the site was as phony as a $3 bill.

I still advocate using a VPN since there still are quite a few vulnerabilities out there, especially if you're not watching carefully. A pretty good report is at: http://people.seas.harvard.edu/~rach...hing_works.pdf

Interesting report- thanks for sharing.

While most people are naturally suspicious enough not to fall for this, but some people would just go on and ignore the certificate warning (basically giving a man-in-the-middle a license to read their encrypted traffic).

If you don't get a certificate warning for a site at home, don't just ignore it if it pops up when you connect somewhere else, folks!

But if you really are paranoid, how about looking out for a hidden camera in the room that records all the passwords you type? ;)

You have to weigh the risks in life and decide where to expend your energy. Sure, you could VPN back to your company first, but doesn't handing your credit card to a waiter at that same hotel represent a greater risk than traffic sniffing? If you're concerned about identity fraud, get protection for that - for example, Californians can contact credit agencies and freeze their credit.

Consider the risk of being attacked by a shark to the risk of driving to the beach while talking on your cell phone. Like the traffic sniffing, the shark attack is possible, and wearing chain mail while swimming in the ocean will certainly reduce your risk of shark attack. So some would say: "why take the chance, always wear chain mail." But you're really much safer ignoring the sharks and putting down the cell phone.

I also use a VPN (witopia.net).
I also only use SSL to check my e-mail accounts (gmail defaults to non-SSL, but you can change the setting to force SSL, for example).
My use of the VPN is primarily to deal with sites that don't use SSL and yet still are info that, although not particularly sensitive, I don't want to be just "in the air". I don't like snoops, and without a VPN, non-SSL webpages are viewable in plain text over non-secured WiFi connections.

Taking this slightly off-track, what home VPNrouter do you guys recommend? Should have support for Windows and Mac.

Back on topic, right now I am generally use my employer's VPN when I am on a network I don't trust (which is pretty much always when I am not at home).

I'm curious about this also. And I think this question is really, which home VPN router and which windows (or other) VPN client do you use?, ... as the two seem to go together.

Some things I saw when I tried to do this: some routers limit the bandwidth available this way. Windows seems to be the only free VPN client that I see out there. And some VPN routers require a static IP address for both the router and the client (which is not possible when traveling).