#1
Does HTTPS Allow Safe Banking on Public WiFi?
Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.
#2
On 3/23/2020 9:39 PM, kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

Most financial institutions provide secure connection (HTTPS). However, I would never use a public unsecured WIFI for a transaction where personal data, i.e. financial data, is involved. I will not even use the WIFI systems in Hotels/Motels we stay at. It is just not worth the risk and hassle.
#3
kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

https consists of component parts.

TLS 1.3 is likely to be safer than TLS 1.2. (SSL should be switched off in the browser, and the bank end likely doesn't even have it as a possibility anyway.)

CHACHA20 and the elliptic curve polynomial that I don't remember the name of, those are examples of good polynomials for what TLS 1.3 would use.

You can test the bank site, by pointing ssllabs at it. (Me, testing a web site in the .cc domain. Substitute your bank domain name here instead!)

https://www.ssllabs.com/ssltest/anal...browsers.co.cc

You can test the specifics of your intended browser, from this web page. For example, using whatever version of MSEdge you have in front of you now, visit this page.

https://www.ssllabs.com/ssltest/viewMyClient.html

Between the two responses, it is intended to give you some idea what the "best" response each end can make. Whatever two good things the two ends share in common, is what they'll negotiate during contact with each other.

In other words, you want a newer browser in any case. I currently don't have any browser on my typing machine, which is good enough for banking.

https also uses certificates, which indicate when a site is, what it says it is.

There are likely "phishing ways" of getting what I want, instead of sniffing the https stream and getting it that way. While catching you using an insecure comm method is fun and all, presenting a false web page for you to log into, is a better way of getting what I want. Phishing for the win.

Paul
#4
In article , kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

depends who you trust more, the library or the vpn provider.

they'll see *which* bank you use (and other sites you visit), but not your login/password or what you do there.

keep in mind that banks are *very* sensitive about potential fraud, as they should be, so using a vpn or tor is very likely to trigger an alert, especially if you're suddenly in an entirely different location.
#5
kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

The connection is encrypted hence the S (secure) in HTTPS. The traffic cannot be intercepted. However, that you connected to your bank is not hidden. Your ISP or anyone sniffing your web traffic can see to where you connected. Don't see why you'd care about someone knowing to which bank site you connected. You just want the login and data to be encrypted, and it will be with HTTPS.

The connection is end-to-end encrypted. Doesn't matter if the encrypted traffic goes over a public network or VPN: it's still encrypted, and re-encrypting it using an encrypting VPN won't secure it more. However, VPN and Tor will hide to /where/ you connect at the expense of longer chaining (more nodes or hops in the route which means a more fragile and slower connection), plus you are moving exposure of where you are and to where you visit to whomever is operating the VPN or Tor network (and Tor operators are unknown, and can see where you came from, where you went to, and both if the same operator runs the entry and exit Tor nodes, so you are trusting complete unknowns when using Tor). Those can collect statistics, just like your ISP.

SSL has already been deprecated, and should not be used by any web browser you use (unless you use some ancient versions, but then the HTTPS sites probably won't let you connect). TLS 1.0 was nothing more than SSL 3.0 (which was vulnerable; e.g., POODLE), but used different handshaking, so SSL 3.0 and TLS 1.0 were incompatible. TLS 1.0 was just as vulnerable as SSL 3.0. TLS 1.1 has also been deprecated. Firefox is dropping support for anything pre-TLS 1.2, so you should be using TLS 1.2 or 1.3 to connect to an HTTPS site.

https://hacks.mozilla.org/2020/02/it...0-and-tls-1-1/

To see which ciphers Firefox is using, go into about:config and search on "security.tls.version." You'll see what are the minimum and maximum cipher versions that Firefox will support. More info at:

http://kb.mozillazine.org/Security.tls.version.*

The article doesn't mention that a value of 4 equates to TLS 1.3. For me in Firefox 74.0, the min = 3 (TLS 1.2) and max = 4 (TLS 1.3). Firefox added TLS 1.3 support back in version 61 (June 2018). TLS 1.2 has been supported since Firefox v27 (Feb 2014).

Go to chrome://flags/#tls13-hardening-for-local-anchors in Google Chrome. The default setting is "Default" which attempts to connect using TLS 1.3, but will fall back to TLS 1.2. I don't know if Chrome still supports TLS 1.1, or earlier. Setting the setting to Enabled is the same as Default. TLS 1.3 was enabled in Chrome 70 (Oct 2018). TLS 1.2 has been supported since version 29 (Aug 2013). Chrome (chrome://flags/#show-legacy-tls-warnings) will show warnings if you connect to a site that requests using TLS 1.0 or 1.1.

https://www.thesslstore.com/blog/goo...s-1-0-tls-1-1/

I didn't bother researching when Mozilla and Google dropped SSL 3.0, and earlier. Pretty much figure they've wanted 1.1 at a minimum (TLS 1.0 was short-lived after SSL 3.0 got dumped), and now want TLS 1.2 at a minimum.

When using public wifi hotspots, you should always strive to connect to HTTPS sites unless you don't care about someone else interrogating the content of your web traffic to a site, like it's a public web site from which anyone can obtain the same data but you're not logging in there. If there is a login to an account there, though, you better use HTTPS, and a responsible site will already require the encrypted connection.

If you're using a VPN, you better check your DNS requests are funneled through the VPN and are not issued separately outside the VPN. Same for Tor. Else, where you visit can be tracked.

There is DNS over HTTPS (DoH) to hide your DNS requests whether or not you use a VPN or Tor network. See:

https://lifehacker.com/how-to-enable...ser-1841909057

That encrypts the DNS traffic from your host. Otherwise, DNS requests are plain text (within the packets) which let anyone that can sniff your web traffic see to where you visited (as long as you specified a hostname which requires an IP address lookup instead of using a direct IP address which doesn't need a DNS lookup). There are fewer DoH servers available than free/alternate DNS providers (instead of defaulting to using your ISP's DNS server). Your ISP can still see to where you connect for the IP address, but they can no longer read your encrypted DNS traffic. Same for VPN and Tor.

In Firefox, I'm using Cloudflare's DoH server. It's one of the defaults; however, you can select Custom to configure your own choice. In Chrome, chrome://flags/#dns-over-https is Enabled. Alas, you cannot specify the DoH server in Chrome's settings. Instead you configure your IP settings to specify which DNS servers to use. I've long moved my ISP's DNS server to 3rd position, and specified Cloudflare as primary and Google as secondary DNS servers. When connecting to Cloudflare's DNS server, it will detect that HTTPS is being used instead of the normal port 53 for plain text DNS traffic, and Cloudflare will automatically switch to connecting you to their DoH server. Google has a mapping table of DoH providers they trust, listed at:

https://www.chromium.org/developers/dns-over-https

Yet, they make it harder to pick a DoH server by making users configure the DNS servers (and make sure to pick ones that will auto-switch to their DoH server) in the IP settings. Firefox makes it much easier by a simple drop-down list.
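An added illustration of the plain-text DNS point in the post above (not code from any poster in this thread): it builds a DNS query, reads the hostname straight back out of the raw bytes a port-53 packet carries, and encodes the same message in the RFC 8484 DoH GET form, where it travels inside HTTPS. The hostname `online.bank.example` and the endpoint `https://doh.example/dns-query` are constructed placeholders.

```python
import base64
import struct
from urllib.parse import urlsplit

# Constructed placeholders for illustration, not real services.
HOSTNAME = "online.bank.example"
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_query(hostname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query in RFC 1035 wire format (qtype 1 = A record).

    A classic UDP resolver would pick a random txid; RFC 8484 recommends 0 for DoH.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {hostname!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet: bytes) -> dict:
    """Recover the queried name from raw DNS bytes, as anything on the path can."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or reserved label type")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": txid,
        "is_query": not flags & 0x8000,
        "name": ".".join(labels),
        "qtype": qtype,
    }


def doh_get_url(packet: bytes, endpoint: str) -> str:
    """RFC 8484 GET form: the same wire message, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def observer_view(hostname: str, endpoint: str = DOH_ENDPOINT) -> dict:
    """Compare what a passive observer on the local network learns in each case."""
    wire = build_query(hostname)
    # Port-53 DNS: the payload is unencrypted, so the looked-up name is readable.
    plaintext_name = parse_question(wire)["name"]
    # DoH: URL, headers and body are inside TLS; only the resolver's host is exposed.
    # The IP address of the later HTTPS connection to the site itself is still visible.
    resolver_host = urlsplit(doh_get_url(wire, endpoint)).hostname
    return {"udp53_reveals": plaintext_name, "doh_reveals": resolver_host}


if __name__ == "__main__":
    wire = build_query(HOSTNAME)
    print("raw query bytes:", wire)
    print("parsed by observer:", parse_question(wire))
    print("DoH request URL:", doh_get_url(wire, DOH_ENDPOINT))
    print("observer view:", observer_view(HOSTNAME))
```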
#6
>> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.
>
> depends who you trust more, the library or the vpn provider. they'll see *which* bank you use (and other sites you visit), but not your login/password or what you do there.

So I take it that HTTPS banking is OK on public library WiFi for password protection. Don't care about tracking. Thanks nospam, that's exactly what I wanted to know.
#7
On Mon, 23 Mar 2020 20:39:19 -0500, kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

I would never use tor when I am accessing my bank, but for VPN yeah, I am using it. Since you never know, that the wifi you are using, they will give you a good honest DNS server, or the bad one. So before you talk to the bank server with HTTPS, you are already vulnerable with DNS phishing attack.

--
-alien-
~Work like you don't need the money~
~Love like you've never been hurt~
~Dance like nobody is looking~
#8
On 24/03/2020 01:39, kelown wrote:
> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.

It doesn't matter. I use public wifi's whenever I'm travelling and security is not something I think about. I'd rather have a good sleep than worry about silly things like online security or privacy issues. There are some nutters here who have disabled javascript in their browsers because they genuinely believe that Microsoft and Google Executives are sitting on their terminal spying on them 24/7.

Just use whatever gets the job done but avoid using 3rd party tools to block Google or Microsoft sites just for the sake of it. These 3rd party tools are the main source of security and/or privacy issues. These tools are made by jobless hackers located somewhere where they can't be traced but some people trust them more than trusting Google or Microsoft.

--
With over 1.2 billion devices now running Windows 10, customer satisfaction is higher than any previous version of windows.
#9
On 2020-03-23 11:42 p.m., VanguardLH wrote:
> kelown wrote:
>> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.
>
> The connection is encrypted hence the S (secure) in HTTPS. The traffic cannot be intercepted. [...]

I Will Never Use Online Banking Under Any Circumstances. :-(

Rene
#10
On 3/23/2020 7:21 PM, knuttle wrote:
> On 3/23/2020 9:39 PM, kelown wrote:
>> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.
>
> Most financial institutions provide secure connection (HTTPS). However, I would never use a public unsecured WIFI for a transaction where personal data, i.e. financial data, is involved. I will not even use the WIFI systems in Hotels/Motels we stay at. It is just not worth the risk and hassle.

Would you not even use the WIFI systems in Hotels/Motels just to go to a web site to check the local weather? Why not? What do you see as the risk or hassle?

--
Ken
#11
Rene Lamontagne wrote:
> I Will Never Use Online Banking Under Any Circumstances. :-(

Your choice to be paranoid. I suppose you think using the phone is safer. Or that teller you think you can trust. Or handing over your credit card to the minimum wage waitress.
#12
On 3/24/2020 11:13 AM, Ken Blake wrote:
> On 3/23/2020 7:21 PM, knuttle wrote:
>> On 3/23/2020 9:39 PM, kelown wrote:
>>> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.
>>
>> Most financial institutions provide secure connection (HTTPS). However, I would never use a public unsecured WIFI for a transaction where personal data, i.e. financial data, is involved. I will not even use the WIFI systems in Hotels/Motels we stay at. It is just not worth the risk and hassle.
>
> Would you not even use the WIFI systems in Hotels/Motels just to go to a web site to check the local weather? Why not? What do you see as the risk or hassle?

The weather and news are not in the same risk category as those involving financial transaction. So Yes I would, and do use the WIFI in hotels and restaurants for the low security, non financial websites.

low security: checking the weather, getting the news, looking for local attractions, reading/sending email, etc.

risk or hassle: If an unauthorized person got into a financial account or similar, there could be the hassle of stopping payments, getting credit cards reissued with new numbers, checks possibly bouncing because of insufficient funds, correcting credit reports, the list goes on. I have read cases where someone got into an account and destroyed their credit rating, which took years to get completely straightened out.
#13
On 2020-03-24 11:26 a.m., VanguardLH wrote:
> Rene Lamontagne wrote:
>> I Will Never Use Online Banking Under Any Circumstances. :-(
>
> Your choice to be paranoid. I suppose you think using the phone is safer. Or that teller you think you can trust. Or handing over your credit card to the minimum wage waitress.

Not paranoid, Just Smart. Don't do financial over phone. Don't hand credit card to anyone. Dealing with same bank for about 35 years, Deal with 2 or 3 tellers who I know I can trust. Anything Else?

Rene
#14
On 3/24/2020 9:27 AM, knuttle wrote:
> On 3/24/2020 11:13 AM, Ken Blake wrote:
>> On 3/23/2020 7:21 PM, knuttle wrote:
>>> On 3/23/2020 9:39 PM, kelown wrote:
>>>> Since HTTPS encrypts website traffic, why would I need to use VPN or TOR for banking with public library WiFi? Thanks.
>>>
>>> Most financial institutions provide secure connection (HTTPS). However, I would never use a public unsecured WIFI for a transaction where personal data, i.e. financial data, is involved. I will not even use the WIFI systems in Hotels/Motels we stay at. It is just not worth the risk and hassle.
>>
>> Would you not even use the WIFI systems in Hotels/Motels just to go to a web site to check the local weather? Why not? What do you see as the risk or hassle?
>
> The weather and news are not in the same risk category as those involving financial transaction.

Of course not.

> So Yes I would, and do use the WIFI in hotels and restaurants for the low security, non financial websites. low security: checking the weather, getting the news, looking for local attractions, reading/sending email, etc.

OK, then I misunderstood you. Thanks for the clarification. I'm the same.

--
Ken
#15
Rene Lamontagne wrote:
> I Will Never Use Online Banking Under Any Circumstances. :-(
>
> Rene

My bank branch is closed. The ATM still works. Checks can be deposited using the envelopes provided (only works on bank-building-mounted ATM machines).

I presume they have some fallback mechanism. Not clear what it is though. Before driving to the bank, you may want to use the online branch selector, and check the "hours of service" part.

Paul