A Windows XP help forum. PCbanter


Does HTTPS Allow Safe Banking on Public WiFi?



 
 
  #1  
Old March 24th 20, 01:39 AM posted to alt.comp.os.windows-10
kelown

Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.
  #2  
Old March 24th 20, 02:21 AM posted to alt.comp.os.windows-10
knuttle

On 3/23/2020 9:39 PM, kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.

Most financial institutions provide a secure connection (HTTPS).

However, I would never use a public unsecured WIFI for transactions where
personal data, i.e. financial data, is involved. I will not even use the
WIFI systems in Hotels/Motels we stay at.

It is just not worth the risk and hassle.


  #3  
Old March 24th 20, 02:38 AM posted to alt.comp.os.windows-10
Paul[_32_]

kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.


https consists of component parts.

TLS 1.3 is likely to be safer than TLS 1.2.
(SSL should be switched off in the browser, and the
bank end likely doesn't even have it as a possibility anyway.)

CHACHA20 and the elliptic curve polynomial that
I don't remember the name of, those are examples of
good polynomials for what TLS 1.3 would use.

You can test the bank site, by pointing ssllabs at it.

(Me, testing a web site in the .cc domain.
Substitute your bank domain name here instead!)

https://www.ssllabs.com/ssltest/anal...browsers.co.cc

You can test the specifics of your intended browser,
from this web page. For example, using whatever
version of MSEdge you have in front of you now,
visit this page.

https://www.ssllabs.com/ssltest/viewMyClient.html

Between the two responses, it is intended to give you
some idea what the "best" response each end can make.
Whatever two good things the two ends share in common,
is what they'll negotiate during contact with each other.

In other words, you want a newer browser in any case.

I currently don't have any browser on my typing machine,
which is good enough for banking.

https also uses certificates, which indicate when a
site is, what it says it is.

There are likely "phishing ways" of getting what I want,
instead of sniffing the https stream and getting it that way.
While catching you using an insecure comm method is
fun and all, presenting a false web page for you
to log into, is a better way of getting what I want.
Phishing for the win.

Paul
  #4  
Old March 24th 20, 03:06 AM posted to alt.comp.os.windows-10
nospam

In article , kelown
wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.


depends who you trust more, the library or the vpn provider. they'll
see *which* bank you use (and other sites you visit), but not your
login/password or what you do there.

keep in mind that banks are *very* sensitive about potential fraud, as
they should be, so using a vpn or tor is very likely to trigger an
alert, especially if you're suddenly in an entirely different location.
  #5  
Old March 24th 20, 04:42 AM posted to alt.comp.os.windows-10
VanguardLH[_2_]

kelown wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.


The connection is encrypted hence the S (secure) in HTTPS. The traffic
cannot be intercepted. However, that you connected to your bank is not
hidden. Your ISP or anyone sniffing your web traffic can see to where
you connected. Don't see why you'd care about someone knowing to which
bank site you connected. You just want the login and data to be
encrypted, and it will be with HTTPS. The connection is end-to-end
encrypted. Doesn't matter if the encrypted traffic goes over a public
network or VPN: it's still encrypted, and re-encrypting it using an
encrypting VPN won't secure it more. However, VPN and Tor will hide to
/where/ you connect at the expense of longer chaining (more nodes or
hops in the route which means a more fragile and slower connection),
plus you are moving exposure of where you are and to where you visit to
whomever is operating the VPN or Tor network (and Tor operators are
unknown, and can see where you came from, where you went to, and both if
the same operator runs the entry and exit Tor nodes, so you are trusting
complete unknowns when using Tor). Those can collect statistics, just
like your ISP.

SSL has already been deprecated, and should not be used by any web
browser you use (unless you use some ancient versions, but then the
HTTPS sites probably won't let you connect). TLS 1.0 was nothing more
than SSL 3.0 (which was vulnerable; e.g., POODLE), but used different
handshaking so that SSL 3.0 and TLS 1.0 were incompatible. TLS 1.0 was
just as vulnerable as SSL 3.0. TLS 1.1 has also been deprecated.
Firefox is dropping support for anything pre-TLS 1.2, so you should be
using TLS 1.2 or 1.3 to connect to an HTTPS site.

https://hacks.mozilla.org/2020/02/it...0-and-tls-1-1/

To see which ciphers Firefox is using, go into about:config and search
on "security.tls.version." You'll see what are the minimum and maximum
cipher versions that Firefox will support. More info at:

http://kb.mozillazine.org/Security.tls.version.*

The article doesn't mention that a value of 4 equates to TLS 1.3. For
me in Firefox 74.0, the min = 3 (TLS 1.2) and max = 4 (TLS 1.3).
Firefox added TLS 1.3 support back in version 61 (June 2018). TLS 1.2
has been supported since Firefox v27 (Feb 2014).

Go to chrome://flags/#tls13-hardening-for-local-anchors in Google
Chrome. The default setting is "Default" which attempts to connect
using TLS 1.3, but will fall back to TLS 1.2. I don't know if Chrome
still supports TLS 1.1, or earlier. Setting the setting to Enabled is
the same as Default. TLS 1.3 was enabled in Chrome 70 (Oct 2018). TLS
1.2 has been supported since version 29 (Aug 2013). Chrome
(chrome://flags/#show-legacy-tls-warnings) will show warnings if you
connect to a site that requests using TLS 1.0 or 1.1.

https://www.thesslstore.com/blog/goo...s-1-0-tls-1-1/

I didn't bother researching when Mozilla and Google dropped SSL 3.0, and
earlier. Pretty much figure they've wanted 1.1 at a minimum (TLS 1.0
was short-lived after SSL 3.0 got dumped), and now want TLS 1.2 at a
minimum.

When using public wifi hotspots, you should always strive to connect to
HTTPS sites unless you don't care about someone else interrogating the
content of your web traffic to a site, like it's a public web site from
which anyone can obtain the same data but you're not logging in there.
If there is a login to an account there, though, you better use HTTPS,
and a responsible site will already require the encrypted connection.

If you're using a VPN, you better check your DNS requests are funneled
through the VPN and are not issued separately outside the VPN. Same for
Tor. Else, where you visit can be tracked. There is DNS over HTTPS
(DoH) to hide your DNS requests whether or not you use a VPN or Tor
network. See:

https://lifehacker.com/how-to-enable...ser-1841909057

That encrypts the DNS traffic from your host. Otherwise, DNS requests
are plain text (within the packets) which let anyone that can sniff your
web traffic to see to where you visited (as long as you specified a
hostname which requires an IP address lookup instead of using a direct
IP address which doesn't need a DNS lookup). There are fewer DoH
servers available than free/alternate DNS providers (instead of
defaulting to using your ISP's DNS server). Your ISP can still see to where
you connect for the IP address, but they can no longer read your
encrypted DNS traffic. Same for VPN and Tor.

In Firefox, I'm using Cloudflare's DoH server. It's one of the
defaults; however, you can select Custom to configure your own choice.

In Chrome, chrome://flags/#dns-over-https is Enabled. Alas, you cannot
specify the DoH server in Chrome's settings. Instead you configure your
IP settings to specify which DNS servers to use. I've long moved my
ISP's DNS server to 3rd position, and specified Cloudflare as primary
and Google as secondary DNS servers. When connecting to Cloudflare's
DNS server, it will detect that HTTPS is being used instead of the
normal port 53 for plain text DNS traffic, and Cloudflare will
automatically switch to connecting you to their DoH server. Google has
a mapping table of DoH providers they trust, listed at:

https://www.chromium.org/developers/dns-over-https

Yet, they make it harder to pick a DoH server by making users configure
the DNS servers (and make sure to pick ones that will auto-switch to
their DoH server) in the IP settings. Firefox makes it much easier by a
simple drop-down list.
  #6  
Old March 24th 20, 08:25 AM posted to alt.comp.os.windows-10
kelown


Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.


depends who you trust more, the library or the vpn provider. they'll
see *which* bank you use (and other sites you visit), but not your
login/password or what you do there.


So I take it that HTTPS banking is OK on public library WiFi for
password protection. Don't care about tracking. Thanks nospam, that's
exactly what I wanted to know.

  #7  
Old March 24th 20, 11:59 AM posted to alt.comp.os.windows-10
alien

On Mon, 23 Mar 2020 20:39:19 -0500, kelown wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.


I would never use tor when I am accessing my bank, but for VPN
yeah, I am using it.

Since you never know whether the wifi you are using will give you
a good honest DNS server, or a bad one.

So before you talk to the bank server with HTTPS, you are already vulnerable
to a DNS phishing attack.

--
-alien-
~Work like you don’t need the money~
~Love like you’ve never been hurt~
~Dance like nobody is looking~
  #8  
Old March 24th 20, 12:28 PM posted to alt.comp.os.windows-10
😉 Good Guy 😉

On 24/03/2020 01:39, kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.


It doesn't matter. I use public wifi's whenever I'm travelling and
security is not something I think about. I'd rather have a good sleep
than worry about silly things like online security or privacy issues.

There are some nutters here who have disabled javascript in their
browsers because they genuinely believe that Microsoft and Google
Executives are sitting on their terminal spying on them 24/7.

Just use whatever gets the job done but avoid using 3rd party tools to block
Google or Microsoft sites just for the sake of it. These 3rd party
tools are the main source of security and/or privacy issues. These tools
are made by jobless hackers located somewhere where they can't be
traced but some people trust them more than trusting Google or Microsoft.



--
With over 1.2 billion devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.

  #9  
Old March 24th 20, 02:19 PM posted to alt.comp.os.windows-10
Rene Lamontagne

On 2020-03-23 11:42 p.m., VanguardLH wrote:
kelown wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.


The connection is encrypted hence the S (secure) in HTTPS. The traffic
cannot be intercepted. However, that you connected to your bank is not
hidden. Your ISP or anyone sniffing your web traffic can see to where
you connected. Don't see why you'd care about someone knowing to which
bank site you connected. You just want the login and data to be
encrypted, and it will be with HTTPS. The connection is end-to-end
encrypted. Doesn't matter if the encrypted traffic goes over a public
network or VPN: it's still encrypted, and re-encrypting it using an
encrypting VPN won't secure it more. However, VPN and Tor will hide to
/where/ you connect at the expense of longer chaining (more nodes or
hops in the route which means a more fragile and slower connection),
plus you are moving exposure of where you are and to where you visit to
whomever is operating the VPN or Tor network (and Tor operators are
unknown, and can see where you came from, where you went to, and both if
the same operator runs the entry and exit Tor nodes, so you are trusting
complete unknowns when using Tor). Those can collect statistics, just
like your ISP.

SSL has already been deprecated, and should not be used by any web
browser you use (unless you use some ancient versions, but then the
HTTPS sites probably won't let you connect). TLS 1.0 was nothing more
than SSL 3.0 (which was vulnerable; e.g., POODLE), but used different
handshaking so that SSL 3.0 and TLS 1.0 were incompatible. TLS 1.0 was
just as vulnerable as SSL 3.0. TLS 1.1 has also been deprecated.
Firefox is dropping support for anything pre-TLS 1.2, so you should be
using TLS 1.2 or 1.3 to connect to an HTTPS site.

https://hacks.mozilla.org/2020/02/it...0-and-tls-1-1/

To see which ciphers Firefox is using, go into about:config and search
on "security.tls.version." You'll see what are the minimum and maximum
cipher versions that Firefox will support. More info at:

http://kb.mozillazine.org/Security.tls.version.*

The article doesn't mention that a value of 4 equates to TLS 1.3. For
me in Firefox 74.0, the min = 3 (TLS 1.2) and max = 4 (TLS 1.3).
Firefox added TLS 1.3 support back in version 61 (June 2018). TLS 1.2
has been supported since Firefox v27 (Feb 2014).

Go to chrome://flags/#tls13-hardening-for-local-anchors in Google
Chrome. The default setting is "Default" which attempts to connect
using TLS 1.3, but will fall back to TLS 1.2. I don't know if Chrome
still supports TLS 1.1, or earlier. Setting the setting to Enabled is
the same as Default. TLS 1.3 was enabled in Chrome 70 (Oct 2018). TLS
1.2 has been supported since version 29 (Aug 2013). Chrome
(chrome://flags/#show-legacy-tls-warnings) will show warnings if you
connect to a site that requests using TLS 1.0 or 1.1.

https://www.thesslstore.com/blog/goo...s-1-0-tls-1-1/

I didn't bother researching when Mozilla and Google dropped SSL 3.0, and
earlier. Pretty much figure they've wanted 1.1 at a minimum (TLS 1.0
was short-lived after SSL 3.0 got dumped), and now want TLS 1.2 at a
minimum.

When using public wifi hotspots, you should always strive to connect to
HTTPS sites unless you don't care about someone else interrogating the
content of your web traffic to a site, like it's a public web site from
which anyone can obtain the same data but you're not logging in there.
If there is a login to an account there, though, you better use HTTPS,
and a responsible site will already require the encrypted connection.

If you're using a VPN, you better check your DNS requests are funneled
through the VPN and are not issued separately outside the VPN. Same for
Tor. Else, where you visit can be tracked. There is DNS over HTTPS
(DoH) to hide your DNS requests whether or not you use a VPN or Tor
network. See:

https://lifehacker.com/how-to-enable...ser-1841909057

That encrypts the DNS traffic from your host. Otherwise, DNS requests
are plain text (within the packets) which let anyone that can sniff your
web traffic to see to where you visited (as long as you specified a
hostname which requires an IP address lookup instead of using a direct
IP address which doesn't need a DNS lookup). There are fewer DoH
servers available than free/alternate DNS providers (instead of
defaulting to using your ISP's DNS server). Your ISP can still see to where
you connect for the IP address, but they can no longer read your
encrypted DNS traffic. Same for VPN and Tor.

In Firefox, I'm using Cloudflare's DoH server. It's one of the
defaults; however, you can select Custom to configure your own choice.

In Chrome, chrome://flags/#dns-over-https is Enabled. Alas, you cannot
specify the DoH server in Chrome's settings. Instead you configure your
IP settings to specify which DNS servers to use. I've long moved my
ISP's DNS server to 3rd position, and specified Cloudflare as primary
and Google as secondary DNS servers. When connecting to Cloudflare's
DNS server, it will detect that HTTPS is being used instead of the
normal port 53 for plain text DNS traffic, and Cloudflare will
automatically switch to connecting you to their DoH server. Google has
a mapping table of DoH providers they trust, listed at:

https://www.chromium.org/developers/dns-over-https

Yet, they make it harder to pick a DoH server by making users configure
the DNS servers (and make sure to pick ones that will auto-switch to
their DoH server) in the IP settings. Firefox makes it much easier by a
simple drop-down list.


I Will Never Use Online Banking Under Any Circumstances. :-(

Rene

  #10  
Old March 24th 20, 03:13 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]

On 3/23/2020 7:21 PM, knuttle wrote:
On 3/23/2020 9:39 PM, kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or TOR
for banking with public library WiFi? Thanks.

Most financial institutions provide a secure connection (HTTPS).

However, I would never use a public unsecured WIFI for transactions where
personal data, i.e. financial data, is involved. I will not even use the
WIFI systems in Hotels/Motels we stay at.

It is just not worth the risk and hassle.



Would you not even use the WIFI systems in Hotels/Motels just to go to a
web site to check the local weather? Why not? What do you see as the
risk or hassle?


--
Ken
  #11  
Old March 24th 20, 04:26 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]

Rene Lamontagne wrote:

On 2020-03-23 11:42 p.m., VanguardLH wrote:
kelown wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.


The connection is encrypted hence the S (secure) in HTTPS. The traffic
cannot be intercepted. However, that you connected to your bank is not
hidden. Your ISP or anyone sniffing your web traffic can see to where
you connected. Don't see why you'd care about someone knowing to which
bank site you connected. You just want the login and data to be
encrypted, and it will be with HTTPS. The connection is end-to-end
encrypted. Doesn't matter if the encrypted traffic goes over a public
network or VPN: it's still encrypted, and re-encrypting it using an
encrypting VPN won't secure it more. However, VPN and Tor will hide to
/where/ you connect at the expense of longer chaining (more nodes or
hops in the route which means a more fragile and slower connection),
plus you are moving exposure of where you are and to where you visit to
whomever is operating the VPN or Tor network (and Tor operators are
unknown, and can see where you came from, where you went to, and both if
the same operator runs the entry and exit Tor nodes, so you are trusting
complete unknowns when using Tor). Those can collect statistics, just
like your ISP.

SSL has already been deprecated, and should not be used by any web
browser you use (unless you use some ancient versions, but then the
HTTPS sites probably won't let you connect). TLS 1.0 was nothing more
than SSL 3.0 (which was vulnerable; e.g., POODLE), but used different
handshaking so that SSL 3.0 and TLS 1.0 were incompatible. TLS 1.0 was
just as vulnerable as SSL 3.0. TLS 1.1 has also been deprecated.
Firefox is dropping support for anything pre-TLS 1.2, so you should be
using TLS 1.2 or 1.3 to connect to an HTTPS site.

https://hacks.mozilla.org/2020/02/it...0-and-tls-1-1/

To see which ciphers Firefox is using, go into about:config and search
on "security.tls.version." You'll see what are the minimum and maximum
cipher versions that Firefox will support. More info at:

http://kb.mozillazine.org/Security.tls.version.*

The article doesn't mention that a value of 4 equates to TLS 1.3. For
me in Firefox 74.0, the min = 3 (TLS 1.2) and max = 4 (TLS 1.3).
Firefox added TLS 1.3 support back in version 61 (June 2018). TLS 1.2
has been supported since Firefox v27 (Feb 2014).

Go to chrome://flags/#tls13-hardening-for-local-anchors in Google
Chrome. The default setting is "Default" which attempts to connect
using TLS 1.3, but will fall back to TLS 1.2. I don't know if Chrome
still supports TLS 1.1, or earlier. Setting the setting to Enabled is
the same as Default. TLS 1.3 was enabled in Chrome 70 (Oct 2018). TLS
1.2 has been supported since version 29 (Aug 2013). Chrome
(chrome://flags/#show-legacy-tls-warnings) will show warnings if you
connect to a site that requests using TLS 1.0 or 1.1.

https://www.thesslstore.com/blog/goo...s-1-0-tls-1-1/

I didn't bother researching when Mozilla and Google dropped SSL 3.0, and
earlier. Pretty much figure they've wanted 1.1 at a minimum (TLS 1.0
was short-lived after SSL 3.0 got dumped), and now want TLS 1.2 at a
minimum.

When using public wifi hotspots, you should always strive to connect to
HTTPS sites unless you don't care about someone else interrogating the
content of your web traffic to a site, like it's a public web site from
which anyone can obtain the same data but you're not logging in there.
If there is a login to an account there, though, you better use HTTPS,
and a responsible site will already require the encrypted connection.

If you're using a VPN, you better check your DNS requests are funneled
through the VPN and are not issued separately outside the VPN. Same for
Tor. Else, where you visit can be tracked. There is DNS over HTTPS
(DoH) to hide your DNS requests whether or not you use a VPN or Tor
network. See:

https://lifehacker.com/how-to-enable...ser-1841909057

That encrypts the DNS traffic from your host. Otherwise, DNS requests
are plain text (within the packets) which let anyone that can sniff your
web traffic to see to where you visited (as long as you specified a
hostname which requires an IP address lookup instead of using a direct
IP address which doesn't need a DNS lookup). There are fewer DoH
servers available than free/alternate DNS providers (instead of
defaulting to using your ISP's DNS server). Your ISP can still see to where
you connect for the IP address, but they can no longer read your
encrypted DNS traffic. Same for VPN and Tor.

In Firefox, I'm using Cloudflare's DoH server. It's one of the
defaults; however, you can select Custom to configure your own choice.

In Chrome, chrome://flags/#dns-over-https is Enabled. Alas, you cannot
specify the DoH server in Chrome's settings. Instead you configure your
IP settings to specify which DNS servers to use. I've long moved my
ISP's DNS server to 3rd position, and specified Cloudflare as primary
and Google as secondary DNS servers. When connecting to Cloudflare's
DNS server, it will detect that HTTPS is being used instead of the
normal port 53 for plain text DNS traffic, and Cloudflare will
automatically switch to connecting you to their DoH server. Google has
a mapping table of DoH providers they trust, listed at:

https://www.chromium.org/developers/dns-over-https

Yet, they make it harder to pick a DoH server by making users configure
the DNS servers (and make sure to pick ones that will auto-switch to
their DoH server) in the IP settings. Firefox makes it much easier by a
simple drop-down list.


I Will Never Use Online Banking Under Any Circumstances. :-(


Your choice to be paranoid. I suppose you think using the phone is
safer. Or that teller you think you can trust. Or handing over your
credit card to the minimum wage waitress.
  #12  
Old March 24th 20, 04:27 PM posted to alt.comp.os.windows-10
knuttle

On 3/24/2020 11:13 AM, Ken Blake wrote:
On 3/23/2020 7:21 PM, knuttle wrote:
On 3/23/2020 9:39 PM, kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.

Most financial institutions provide a secure connection (HTTPS).

However, I would never use a public unsecured WIFI for transactions where
personal data, i.e. financial data, is involved. I will not even use the
WIFI systems in Hotels/Motels we stay at.

It is just not worth the risk and hassle.



Would you not even use the WIFI systems in Hotels/Motels just to go to a
web site to check the local weather? Why not? What do you see as the
risk or hassle?


The weather and news are not in the same risk category as those
involving financial transaction. So Yes I would, and do use the WIFI
in hotels and restaurants for the low security, non financial websites.
low security: checking the weather, getting the news, looking for local
attractions, reading/sending email, etc.

risk or hassle: If an unauthorized person got into a financial account
or similar, there could be the hassle of stopping payments, getting
credit cards reissued with new numbers, checks possibly bouncing because
of insufficient funds, correcting credit reports, the list goes on.

I have read cases where someone got into an account and destroyed
their credit rating, which took years to get completely straightened out.

  #13  
Old March 24th 20, 04:53 PM posted to alt.comp.os.windows-10
Rene Lamontagne

On 2020-03-24 11:26 a.m., VanguardLH wrote:
Rene Lamontagne wrote:

On 2020-03-23 11:42 p.m., VanguardLH wrote:
kelown wrote:

Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.

The connection is encrypted hence the S (secure) in HTTPS. The traffic
cannot be intercepted. However, that you connected to your bank is not
hidden. Your ISP or anyone sniffing your web traffic can see to where
you connected. Don't see why you'd care about someone knowing to which
bank site you connected. You just want the login and data to be
encrypted, and it will be with HTTPS. The connection is end-to-end
encrypted. Doesn't matter if the encrypted traffic goes over a public
network or VPN: it's still encrypted, and re-encrypting it using an
encrypting VPN won't secure it more. However, VPN and Tor will hide to
/where/ you connect at the expense of longer chaining (more nodes or
hops in the route which means a more fragile and slower connection),
plus you are moving exposure of where you are and to where you visit to
whomever is operating the VPN or Tor network (and Tor operators are
unknown, and can see where you came from, where you went to, and both if
the same operator runs the entry and exit Tor nodes, so you are trusting
complete unknowns when using Tor). Those can collect statistics, just
like your ISP.

SSL has already been deprecated, and should not be used by any web
browser you use (unless you use some ancient versions, but then the
HTTPS sites probably won't let you connect). TLS 1.0 was nothing more
than SSL 3.0 (which was vulnerable; e.g., POODLE), but used different
handshaking so that SSL 3.0 and TLS 1.0 were incompatible. TLS 1.0 was
just as vulnerable as SSL 3.0. TLS 1.1 has also been deprecated.
Firefox is dropping support for anything pre-TLS 1.2, so you should be
using TLS 1.2 or 1.3 to connect to an HTTPS site.

https://hacks.mozilla.org/2020/02/it...0-and-tls-1-1/

To see which ciphers Firefox is using, go into about:config and search
on "security.tls.version." You'll see what are the minimum and maximum
cipher versions that Firefox will support. More info at:

http://kb.mozillazine.org/Security.tls.version.*

The article doesn't mention that a value of 4 equates to TLS 1.3. For
me in Firefox 74.0, the min = 3 (TLS 1.2) and max = 4 (TLS 1.3).
Firefox added TLS 1.3 support back in version 61 (June 2018). TLS 1.2
has been supported since Firefox v27 (Feb 2014).

Go to chrome://flags/#tls13-hardening-for-local-anchors in Google
Chrome. The default setting is "Default" which attempts to connect
using TLS 1.3, but will fall back to TLS 1.2. I don't know if Chrome
still supports TLS 1.1, or earlier. Setting the setting to Enabled is
the same as Default. TLS 1.3 was enabled in Chrome 70 (Oct 2018). TLS
1.2 has been supported since version 29 (Aug 2013). Chrome
(chrome://flags/#show-legacy-tls-warnings) will show warnings if you
connect to a site that requests using TLS 1.0 or 1.1.

https://www.thesslstore.com/blog/goo...s-1-0-tls-1-1/

I didn't bother researching when Mozilla and Google dropped SSL 3.0, and
earlier. Pretty much figure they've wanted 1.1 at a minimum (TLS 1.0
was short-lived after SSL 3.0 got dumped), and now want TLS 1.2 at a
minimum.

When using public wifi hotspots, you should always strive to connect to
HTTPS sites unless you don't care about someone else interrogating the
content of your web traffic to a site, like it's a public web site from
which anyone can obtain the same data but you're not logging in there.
If there is a login to an account there, though, you better use HTTPS,
and a responsible site will already require the encrypted connection.

If you're using a VPN, you better check your DNS requests are funneled
through the VPN and are not issued separately outside the VPN. Same for
Tor. Else, where you visit can be tracked. There is DNS over HTTPS
(DoH) to hide your DNS requests whether or not you use a VPN or Tor
network. See:

https://lifehacker.com/how-to-enable...ser-1841909057

That encrypts the DNS traffic from your host. Otherwise, DNS requests
are plain text (within the packets) which let anyone that can sniff your
web traffic to see to where you visited (as long as you specified a
hostname which requires an IP address lookup instead of using a direct
IP address which doesn't need a DNS lookup). There are fewer DoH
servers available than free/alternate DNS providers (instead of
defaulting to using your ISP's DNS server). Your ISP can still see to where
you connect for the IP address, but they can no longer read your
encrypted DNS traffic. Same for VPN and Tor.

In Firefox, I'm using Cloudflare's DoH server. It's one of the
defaults; however, you can select Custom to configure your own choice.

In Chrome, chrome://flags/#dns-over-https is Enabled. Alas, you cannot
specify the DoH server in Chrome's settings. Instead you configure your
IP settings to specify which DNS servers to use. I've long moved my
ISP's DNS server to 3rd position, and specified Cloudflare as primary
and Google as secondary DNS servers. When connecting to Cloudflare's
DNS server, it will detect that HTTPS is being used instead of the
normal port 53 for plain text DNS traffic, and Cloudflare will
automatically switch to connecting you to their DoH server. Google has
a mapping table of DoH providers they trust, listed at:

https://www.chromium.org/developers/dns-over-https

Yet, they make it harder to pick a DoH server by making users configure
the DNS servers (and make sure to pick ones that will auto-switch to
their DoH server) in the IP settings. Firefox makes it much easier by a
simple drop-down list.


I Will Never Use Online Banking Under Any Circumstances. :-(


Your choice to be paranoid. I suppose you think using the phone is
safer. Or that teller you think you can trust. Or handing over your
credit card to the minimum wage waitress.


Not paranoid, Just Smart.

Don't do financial over phone.
Don't hand credit card to anyone.
Dealing with same bank for about 35 years, Deal with 2 or 3 tellers who
I know I can trust.
Anything Else?

Rene



  #14  
Old March 24th 20, 07:26 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]

On 3/24/2020 9:27 AM, knuttle wrote:
On 3/24/2020 11:13 AM, Ken Blake wrote:
On 3/23/2020 7:21 PM, knuttle wrote:
On 3/23/2020 9:39 PM, kelown wrote:
Since HTTPS encrypts website traffic, why would I need to use VPN or
TOR for banking with public library WiFi? Thanks.
Most financial institutions provide a secure connection (HTTPS).

However, I would never use a public unsecured WIFI for transactions where
personal data, i.e. financial data, is involved. I will not even use the
WIFI systems in Hotels/Motels we stay at.

It is just not worth the risk and hassle.



Would you not even use the WIFI systems in Hotels/Motels just to go to a
web site to check the local weather? Why not? What do you see as the
risk or hassle?


The weather and news are not in the same risk category as those
involving financial transaction.



Of course not.


So Yes I would, and do use the WIFI
in hotels and restaurants for the low security, non financial websites.
low security: checking the weather, getting the news, looking for local
attractions, reading/sending email, etc.




OK, then I misunderstood you. Thanks for the clarification. I'm the same.


--
Ken
  #15  
Old March 25th 20, 12:27 AM posted to alt.comp.os.windows-10
Paul[_32_]

Rene Lamontagne wrote:

I Will Never Use Online Banking Under Any Circumstances. :-(

Rene


My bank branch is closed. The ATM still works.
Checks can be deposited using the envelopes provided
(only works on bank-building-mounted ATM machines).

I presume they have some fallback mechanism. Not clear
what it is though.

Before driving to the bank, you may want to use the
online branch selector, and check the "hours of service" part.

Paul
 




All times are GMT +1. The time now is 02:09 PM.

