WiFi HTTPS Security

Not that I would do this but I a curious.

Senario 1:
Let's say I am at Starbucks or McDonald's and connected to their open
WiFi.

I go to an https website (not just http).

Is there security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?

Senario 2:
I am at a restaurant that has WPA with a simple password that everyone
can know.

Is there good security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?



--- news://freenews.netfront.net/ - complaints: ---

OldGuy wrote:
Not that I would do this but I a curious.

Senario 1:
Let's say I am at Starbucks or McDonald's and connected to their open WiFi.

I go to an https website (not just http).

Is there security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?

Senario 2:
I am at a restaurant that has WPA with a simple password that everyone
can know.

Is there good security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?

For a security analysis, I'd want a security group, rather than an OS
group. The OS isn't contributing anything to this problem. It's
a client-server problem.

*******

This article discusses the one (good) remaining protocol for https.
Something like TLS 1.2.

http://en.wikipedia.org/wiki/Transport_Layer_Security

There is a table of clients there, as to which ones are
bandaid-ed for now. If the server end still insists on the
wrong protocol, your https request will fail with the newest
clients.

Find a web site which checks SSL/TLS and the response of your
browser. Just to be sure. For example, I tested a browser
just now, and my browser uses TLS 1.0. I won't be using that
at the Starbucks.

https://www.ssllabs.com/ssltest/viewMyClient.html

And if I wanted your machine at the Starbucks, I'd be more
interested in injecting malware and just taking over the whole machine.
And have your machine report in, botnet style, no matter where
you're connected to the Internet. That sounds like a lot more
fun. I can then pick apart your "security" at my leisure.

Paul

I was under the impression, perhaps mistakenly, that the OS is
involved.
In the sense that the browser provides some encryption if a HTTPS
webpage is encountered; otherise, what is the point of HTTPS.


OS involved since IE is/was related to the OS in the past.
Browsers live on the OS.



--- news://freenews.netfront.net/ - complaints: ---

In message , OldGuy
writes:
Not that I would do this but I a curious.

Senario 1:
Let's say I am at Starbucks or McDonald's and connected to their open
WiFi.

In theory, anyone with a wireless sniffer (i. e. an ordinary wifi
capability - built-in or dongle - plus suitable software, such as I
believe wireshark) can view your packets. If they're in the clear, they
can see what's in them.

I go to an https website (not just http).

Ah, the packets will now be encrypted before the leave your computer.

Is there security for tranactions?

https is still thought to be _reasonably_ safe (I think it has been
cracked, but not at present within portable equipment).


How different is this than if I am hardwired to the internet through my
own router?

Well, the potential sniffer would now have to tap into your line to see
your packets - which would still be clear or encrypted depending on
whether you're using an https site or tr.

Senario 2:
I am at a restaurant that has WPA with a simple password that everyone
can know.

That password is mainly to control access to the wifi, I think, rather
than do any encryption.

Is there good security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?



--- news://freenews.netfront.net/ - complaints: ---

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Once a mind is opened it is very hard to shut.

That password is mainly to control access to the wifi, I think, rather than
do any encryption.

If so, would that not mean that going to a non-HTTPS website would
allow people to see WiFi traffic stuff in the clear?



--- news://freenews.netfront.net/ - complaints: ---

OldGuy wrote:
I was under the impression, perhaps mistakenly, that the OS is involved.
In the sense that the browser provides some encryption if a HTTPS
webpage is encountered; otherise, what is the point of HTTPS.


OS involved since IE is/was related to the OS in the past.
Browsers live on the OS.


The browser is a program.

It relies on the TCP/IP stack for communcations.

What it says on the stack, what it transmits, is
the job of the program. It it wants to talk HTTP
or HTTPS, there is code in the browser program to
do that.

And this is the reason people are patching
this exploit, by updating the version of the
browser. Or, by changing a preference in the
about:config of the browser. It's a browser issue.

The OS, via an interface it provides, does do
encryption for some things. For example, SMB
(server message block), used for file sharing,
has some encryption options. If that was broken
or compromised, I'd expect to find the solution
waiting for me in Windows Update.

*******

The product you receive, is an OS plus a suite of programs.
Some of the issues with the product, will be part of the
OS proper, and some will be issues with the suite of
programs provided. The tight interweaving of portions
of the browser (it's dual role as an interpreter for
chm HTML help files), it doesn't have to be done that
way. It's an unnecessary complication. It they'd wanted,
the browser could have been completely separated, plus
leaving a (separate) subsystem just for HTML interpretation
for various OS functions. The weaving was done more
for "lock-in" than for "functionality".

Paul

J. P. Gilliver (John) wrote:

OldGuy writes:

Let's say I am at Starbucks or McDonald's and connected to their open
WiFi.

I go to an https website (not just http).
Is there security for tranactions?

https is still thought to be _reasonably_ safe (I think it has been
cracked, but not at present within portable equipment).

But be on the lookout for any untrusted certificate warnings, if you get
*any* then disconnect from the WiFi, it might not be the real Starbucks
network you've connected to, but one with the same SSID that's using
man-in-the-middle attacks ...

In message , OldGuy
writes:

That password is mainly to control access to the wifi, I think,
rather than do any encryption.

If so, would that not mean that going to a non-HTTPS website would
allow people to see WiFi traffic stuff in the clear?
[]
See Paul's reply for a more comprehensive answer, but basically, yes.

But ask yourself whether you mind them doing so; depends what you're
doing. If you're just checking the weather, browsing a catalogue, etc.,
who cares? If you're checking your email, you may be more concerned,
depending on what sort of things you email about. (On the whole, most of
_my_ email I'd _not_ be that concerned about, though I'd be cross.)

It's also: how much do you trust Starbucks/McDonalds/etc. themselves,
never mind the snoopers - but also, how much do you trust your home ISP?
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

TV and radio presenters are just like many people, except they tend to wear
make-up all the time. Especially the radio presenters. - Eddie Mair, in Radio
Times 25-31 August 2012

On Wednesday, November 5, 2014 11:39:17 AM UTC-6, OldGuy wrote:
Not that I would do this but I a curious.

Senario 1:
Let's say I am at Starbucks or McDonald's and connected to their open
WiFi.

I go to an https website (not just http).

Is there security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?

Senario 2:
I am at a restaurant that has WPA with a simple password that everyone
can know.

Is there good security for tranactions?
How different is this than if I am hardwired to the internet through my
own router?

--- news://freenews.netfront.net/ - complaints: ---

Think about it.

You have read of all the hacks into Home Depot, Target, etc.

My bank sent me a new Debit/Credit card because of a "3rd party hack."

They would not tell me who that 3rd party was.

Unless you are hardwired to the Internet ( Ethernet cable, not WiFi ), you can be hacked into.

But even with that, hackers can still get your card # etc. from vendors who store that info.

They should not be storing that info, but they do so because it is convenient.

They should require a PIN number at the very least.

Take care,
Andy

In message , Andy
writes:
[]
Think about it.

You have read of all the hacks into Home Depot, Target, etc.

I think you'll find those were theft of large files, not wifi sniffing.

My bank sent me a new Debit/Credit card because of a "3rd party hack."

They would not tell me who that 3rd party was.

Unless you are hardwired to the Internet ( Ethernet cable, not WiFi ),
you can be hacked into.

Even there you still can; it's just a bit harder for the hacker (they
have to tap into your line rather than just sniffing your packets).

But even with that, hackers can still get your card # etc. from vendors
who store that info.

They should not be storing that info, but they do so because it is convenient.

They should require a PIN number at the very least.

Most of the ones I use do require the security code. (I'm not sure I
want my PIN number being repeatedly asked for.)

Take care,
Andy




4
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

the best thing to do in your garden at this time of year is to just sit in it
and enjoy it - Monty Don, July 2013