#1
WiFi HTTPS Security
Not that I would do this but I am curious.

Scenario 1: Let's say I am at Starbucks or McDonald's and connected to their open WiFi. I go to an https website (not just http). Is there security for transactions? How different is this than if I am hardwired to the internet through my own router?

Scenario 2: I am at a restaurant that has WPA with a simple password that everyone can know. Is there good security for transactions? How different is this than if I am hardwired to the internet through my own router?

--- news://freenews.netfront.net/ - complaints: ---
#2
OldGuy wrote:

> Not that I would do this but I am curious.
>
> Scenario 1: Let's say I am at Starbucks or McDonald's and connected to their open WiFi. I go to an https website (not just http). Is there security for transactions? How different is this than if I am hardwired to the internet through my own router?
>
> Scenario 2: I am at a restaurant that has WPA with a simple password that everyone can know. Is there good security for transactions? How different is this than if I am hardwired to the internet through my own router?

For a security analysis, I'd want a security group, rather than an OS group. The OS isn't contributing anything to this problem. It's a client-server problem.

*******

This article discusses the one (good) remaining protocol for https. Something like TLS 1.2.

http://en.wikipedia.org/wiki/Transport_Layer_Security

There is a table of clients there, as to which ones are bandaid-ed for now. If the server end still insists on the wrong protocol, your https request will fail with the newest clients.

Find a web site which checks SSL/TLS and the response of your browser. Just to be sure. For example, I tested a browser just now, and my browser uses TLS 1.0. I won't be using that at the Starbucks.

https://www.ssllabs.com/ssltest/viewMyClient.html

And if I wanted your machine at the Starbucks, I'd be more interested in injecting malware and just taking over the whole machine. And have your machine report in, botnet style, no matter where you're connected to the Internet. That sounds like a lot more fun. I can then pick apart your "security" at my leisure.

Paul
#3
I was under the impression, perhaps mistakenly, that the OS is involved. In the sense that the browser provides some encryption if an HTTPS webpage is encountered; otherwise, what is the point of HTTPS. OS involved since IE is/was related to the OS in the past. Browsers live on the OS.

--- news://freenews.netfront.net/ - complaints: ---
#4
In message , OldGuy writes:

> Not that I would do this but I am curious.
>
> Scenario 1: Let's say I am at Starbucks or McDonald's and connected to their open WiFi.

In theory, anyone with a wireless sniffer (i.e. an ordinary wifi capability - built-in or dongle - plus suitable software, such as I believe wireshark) can view your packets. If they're in the clear, they can see what's in them.

> I go to an https website (not just http).

Ah, the packets will now be encrypted before they leave your computer.

> Is there security for transactions?

https is still thought to be _reasonably_ safe (I think it has been cracked, but not at present within portable equipment).

> How different is this than if I am hardwired to the internet through my own router?

Well, the potential sniffer would now have to tap into your line to see your packets - which would still be clear or encrypted depending on whether you're using an https site or tr.

> Scenario 2: I am at a restaurant that has WPA with a simple password that everyone can know.

That password is mainly to control access to the wifi, I think, rather than do any encryption.

> Is there good security for transactions? How different is this than if I am hardwired to the internet through my own router?
>
> --- news://freenews.netfront.net/ - complaints: ---

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
Once a mind is opened it is very hard to shut.
#5
> That password is mainly to control access to the wifi, I think, rather than do any encryption.

If so, would that not mean that going to a non-HTTPS website would allow people to see WiFi traffic stuff in the clear?

--- news://freenews.netfront.net/ - complaints: ---
#6
OldGuy wrote:

> I was under the impression, perhaps mistakenly, that the OS is involved. In the sense that the browser provides some encryption if an HTTPS webpage is encountered; otherwise, what is the point of HTTPS. OS involved since IE is/was related to the OS in the past. Browsers live on the OS.

The browser is a program. It relies on the TCP/IP stack for communications. What it says on the stack, what it transmits, is the job of the program. If it wants to talk HTTP or HTTPS, there is code in the browser program to do that. And this is the reason people are patching this exploit, by updating the version of the browser. Or, by changing a preference in the about:config of the browser. It's a browser issue.

The OS, via an interface it provides, does do encryption for some things. For example, SMB (server message block), used for file sharing, has some encryption options. If that was broken or compromised, I'd expect to find the solution waiting for me in Windows Update.

*******

The product you receive is an OS plus a suite of programs. Some of the issues with the product will be part of the OS proper, and some will be issues with the suite of programs provided.

The tight interweaving of portions of the browser (its dual role as an interpreter for chm HTML help files), it doesn't have to be done that way. It's an unnecessary complication. If they'd wanted, the browser could have been completely separated, plus leaving a (separate) subsystem just for HTML interpretation for various OS functions. The weaving was done more for "lock-in" than for "functionality".

Paul
#7
J. P. Gilliver (John) wrote:

> OldGuy writes:
>
>> Let's say I am at Starbucks or McDonald's and connected to their open WiFi. I go to an https website (not just http). Is there security for transactions?
>
> https is still thought to be _reasonably_ safe (I think it has been cracked, but not at present within portable equipment).

But be on the lookout for any untrusted certificate warnings, if you get *any* then disconnect from the WiFi, it might not be the real Starbucks network you've connected to, but one with the same SSID that's using man-in-the-middle attacks ...
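The two checks raised in posts #2 and #7 (which TLS version the client will accept, and whether an untrusted certificate stops the connection) can be scripted with Python's standard `ssl` module. This is an added example, not part of the original thread; the TLS 1.2 floor, the function names and the `tls_check.py` file name are assumptions made for the illustration.

```python
import socket
import ssl
import sys

MIN_VERSION = ssl.TLSVersion.TLSv1_2  # assumed floor, following the TLS 1.0 remark in post #2


def strict_client_context():
    """Client settings that verify the server and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CAs
    ctx.minimum_version = MIN_VERSION
    return ctx


def audit_context(ctx):
    """List the ways a client context would leave HTTPS exposed on a shared network."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the host name")
    if ctx.minimum_version < MIN_VERSION:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


def probe(host, port=443, timeout=5.0):
    """Handshake with host and report the negotiated version, or why it was refused."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # Script equivalent of the browser's untrusted-certificate warning.
        return {"ok": False, "reason": "certificate: " + exc.verify_message}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": "handshake: " + str(exc.reason)}
    except OSError as exc:
        return {"ok": False, "reason": "network: " + str(exc)}


if __name__ == "__main__":
    # Usage: python tls_check.py <hostname>
    if len(sys.argv) != 2:
        sys.exit("usage: tls_check.py <hostname>")
    print(probe(sys.argv[1]))
```

A `certificate:` result on a public hotspot for a site that normally verifies cleanly is the scripted form of the warning described in post #7.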
#8
In message , OldGuy writes:

>> That password is mainly to control access to the wifi, I think, rather than do any encryption.
>
> If so, would that not mean that going to a non-HTTPS website would allow people to see WiFi traffic stuff in the clear?

[]

See Paul's reply for a more comprehensive answer, but basically, yes. But ask yourself whether you mind them doing so; depends what you're doing. If you're just checking the weather, browsing a catalogue, etc., who cares? If you're checking your email, you may be more concerned, depending on what sort of things you email about. (On the whole, most of _my_ email I'd _not_ be that concerned about, though I'd be cross.)

It's also: how much do you trust Starbucks/McDonalds/etc. themselves, never mind the snoopers - but also, how much do you trust your home ISP?

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
TV and radio presenters are just like many people, except they tend to wear make-up all the time. Especially the radio presenters. - Eddie Mair, in Radio Times 25-31 August 2012
#9
On Wednesday, November 5, 2014 11:39:17 AM UTC-6, OldGuy wrote:

> Not that I would do this but I am curious.
>
> Scenario 1: Let's say I am at Starbucks or McDonald's and connected to their open WiFi. I go to an https website (not just http). Is there security for transactions? How different is this than if I am hardwired to the internet through my own router?
>
> Scenario 2: I am at a restaurant that has WPA with a simple password that everyone can know. Is there good security for transactions? How different is this than if I am hardwired to the internet through my own router?
>
> --- news://freenews.netfront.net/ - complaints: ---

Think about it. You have read of all the hacks into Home Depot, Target, etc.

My bank sent me a new Debit/Credit card because of a "3rd party hack." They would not tell me who that 3rd party was.

Unless you are hardwired to the Internet (Ethernet cable, not WiFi), you can be hacked into.

But even with that, hackers can still get your card # etc. from vendors who store that info. They should not be storing that info, but they do so because it is convenient. They should require a PIN number at the very least.

Take care,
Andy
#10
In message , Andy writes:

[]

> Think about it. You have read of all the hacks into Home Depot, Target, etc.

I think you'll find those were theft of large files, not wifi sniffing.

> My bank sent me a new Debit/Credit card because of a "3rd party hack." They would not tell me who that 3rd party was. Unless you are hardwired to the Internet (Ethernet cable, not WiFi), you can be hacked into.

Even there you still can; it's just a bit harder for the hacker (they have to tap into your line rather than just sniffing your packets).

> But even with that, hackers can still get your card # etc. from vendors who store that info. They should not be storing that info, but they do so because it is convenient. They should require a PIN number at the very least.

Most of the ones I use do require the security code. (I'm not sure I want my PIN number being repeatedly asked for.)

> Take care, Andy 4

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
the best thing to do in your garden at this time of year is to just sit in it and enjoy it - Monty Don, July 2013