Wi-Fi Access Unsecured - Security Question

Post Reply New Topic

When you access the internet via hotspot (e.g. Hotel, Airport, "Neighbornet") and it's unsecured is it safe to visit banking sites? It has the secured padlock on the lower right. The only sites I am leery of checking out is anything that transmits sensitive information when there is no padlock.

Is this correct thinking?

It's never truly "safe". Even at home a neighbor could have connected to your WLAN or a virus could have dropped a keylogger on you or a whole host of other things make this a risk.

However, if you have the SSL Encryption indicator you're no less safe. It is ultimately your decision as to whether you feel the risk is acceptable. Also, you may not see a padlock if your site address starts with https rather than http. This is essentially the same thing.

That will depend on the strength of the secure connection. If it's TLS (hopefullt you're not really using SSL) with reasonably strong cipher (like 2048 bit RSA / 128 bit AES) then the encryption is actually stronger than the one provided by WPA2. The problem is the likely many connections that's going not through TLS.

Any padlocked sites mean SSL. This is end to end encryption which indicates that traffic between your computer and the host site (ie: the bank) is encrypted.

This is generally safe enough to prevent interception, regardless of the quality of your network.

What isn't safe is;

- Anything "naughty" already running on your computer, as ViperaAspis said, a Keylogger for example.
- Storage at the other end.

The end storage is a biggie. I'm involved with banking security and it's interesting to note that I've never heard of a reliable case of interception since ssl. Sure, you hear about credit card numbers being stolen all the time but that's usually from idiot employees who download them to laptops in an unencrypted state - or end points who store the cards unencrypted on a local hard drive.

In that sense, the online risk with a well known, verified and large company is no greater than the "over the counter" risks you get in a store.

Of course, you still should be careful who you give your card details out to... and whenever possible, consider using BPAY - it's the safest method.

Public WiFi hotspots also run the risk of becoming points for a "main in the middle" attack. Though you are unlikely to log into a public WiFi spot at the moment an attacker is sniffing traffic, it is still a concern if you are trying to protect your privacy or security.

Best practices:

1. Use a good password that no one knows (do not write it down).
2. Use a different password for every account, service, or forum you participate in.
3. Change password frequently.
4. Check bank accounts regularly for unusual activity.
5. Check computer for malware.
6. Log out of site and clear out cookies and passwords when you shut down your browser (which prevents computer thieves from getting access to your online accts.)
7. Secure your own computer, its software firewall, and any hardware (router, cable modem, etc.) you have.

Nothing will stop a determined attacker. But no determined attacker with any serious skills will go after you directly. You just want to avoid being "low hanging fruit" for script kiddies hanging out near Starbucks or an airport departure lounge looking for credit card numbers or Amazon account credentials.

Any padlocked sites means SSL or TLS. SSLv2 is badly broken. SSLv3 fixed most of the problems but has to pass up some improvements because of compatibility reasons. Luckily, even Microsoft has disabled SSLv2 since IE7, so the major thing to look for is the cipher used.

"Man in the middle" attack is very difficult against SSL/TLS with proper certificate. I would worry more about mixing of secure and insecure connections. It opens up a lot of opportunities for cross site scriptings.

It's all just a series of tubes anyway.