How secure is https over open wifi

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

How secure is https over open wifi

Post by matthijs »

When you're using an open wifi (with no WEP/WPA) in, for example, an internet cafe, but still using https to check email or do online banking, how (in)secure is that?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: How secure is https over open wifi

Post by jaoudestudios »

Just as secure as doing it over a LAN connection. All data packets are encrypted.
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: How secure is https over open wifi

Post by volomike »

Fairly secure. However, I hate to bust everyone's feeling of security, but...

1. When you do an https transaction, it's using something called SSL. Most browsers use SSLv3 now, and the same with most web servers. But you still see some SSLv2 out there. SSLv3 is, obviously, more secure. Unfortunately you are at the mercy of your web browser's capabilities or the web server you are connecting to. If you use FF instead of IE, I can say that at least I know that FF uses SSLv3 and will drop down to SSLv2 if necessary unless you disable that in the "about:config" options for SSL on that browser. But then if you disable SSLv2, then you'll get an error page instead on websites that implement SSLv2 instead of v3.

2. When you do SSLv2 or SSLv3, they then have encryption strength levels. Some web servers go all the way. Some only go just a little. If all web servers went all the way with the strongest encryption, two things would happen: the entire web would suddenly slow down because the traffic would almost double, and your experience on https connections would get a good bit slower. Unfortunately I don't know of a tool that will tell you what the encryption strength level is for your web browser and/or your web server to which you are connecting.

3. Anyone with a network scanner can sit outside the cafe, grab the https streams, and then take that back to a large server farm and run various decryption methods for several months. They just might be able to unencrypt your stuff. Of course, if you were only on SSLv2 with 40-bit encryption, it might take these guys a mere week to decrypt this.

4. Now, take away the wireless aspect, and you are at the mercy of your ISP and your router hops. If anyone with a router on those hops is a bad guy who has the power to flip a switch and start logging packets, then they could do the same thing I mentioned in point # 3. There have been no known cases of this going on except by various governments trying to catch terrorists, political activists, etc.

5. I read once that if anyone tries to bring up a tap into the main or minor internet pipes and start filtering packets, a ton of security alarms would automatically go off and the guys at the telecom companies, perhaps under direction of the UN, would be jumping on this. Google on an article on Estonia, Wired, and network security and there's an article I once read in Wired magazine about these guys who protect our Internet.

6. A common scam with wireless Internet cafes, which actually is fairly easy to implement, unfortunately, is to do this:

a. Walk around the cafe a few days a week and identify what banking sites people usually go to.
b. Visit those sites and collect the HTML into a folder.
c. Bring up your own sites with this HTML, but this time with malicious PHP code that basically grabs usernames and passwords.
d. Sit outside the cafe and host your own free wireless Internet connection, named almost the same as the other one inside the cafe.
e. Boost the signal with a booster so that it is more reliable and stronger than the one in the building.
f. Inundate the other wireless router so that it is busy and cannot service new requests.
g. New users will use your wireless service because it's available, and think they are connecting to the cafe's wireless Internet.
h. If the websites those users are visiting aren't the banking sites, just forward the traffic on. If they are intended for those websites, however, you redirect them to your laptop's web server.
i. They type in their username and password, thinking they are on the banking website, when they are not. You store these usernames and passwords and then post an error message, "Sorry, but you typed your password incorrectly. Click here to try again." Of course, when they click there, you direct them to the real banking site instead of the one on your laptop. But by then you have grabbed their username and password and they never detected a thing.
j. The hacker then takes the usernames and passwords and hacks into your account.
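Added example, not part of volomike's post: point 2 says he knows of no tool that reports the encryption strength of a connection, and point 6 depends on the user not noticing an impostor site. This Python sketch uses the standard ssl module to report the negotiated protocol and cipher strength with certificate and hostname verification switched on; the names classify and probe, the thresholds and the sample sessions are assumptions made for the example, and it reports what Python's TLS library negotiates, not what a browser would.

```python
import socket
import ssl
import sys

# SSLv2/SSLv3 are the versions named in the post; early TLS is also retired.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TAGS = ("EXP", "NULL", "RC4", "DES")  # export, no-encryption, RC4, DES/3DES suites

# Constructed (version, cipher()) pairs so the classifier can be run offline.
SAMPLES = [
    ("TLSv1.3", ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)),
    ("SSLv3", ("EXP-RC4-MD5", "SSLv3", 40)),
]


def classify(version, cipher):
    """Flag weaknesses in a session, given SSLSocket.version() and .cipher()."""
    name, _proto, bits = cipher  # cipher() returns (name, protocol, secret_bits)
    findings = []
    if version in OBSOLETE:
        findings.append(f"obsolete protocol {version}")
    if bits < 128:
        findings.append(f"weak key: {bits}-bit")
    if any(tag in name for tag in WEAK_TAGS):
        findings.append(f"weak cipher suite {name}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect with chain and hostname verification on; report what was negotiated."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()
    except ssl.SSLCertVerificationError as exc:
        # A server without a valid certificate for this hostname ends up here.
        return {"host": host, "trusted": False, "findings": [exc.verify_message]}
    return {"host": host, "trusted": True, "version": version,
            "cipher": cipher[0], "bits": cipher[2],
            "findings": classify(version, cipher)}


if __name__ == "__main__":
    for version, cipher in SAMPLES:
        print(version, cipher[0], classify(version, cipher) or "ok")
    for host in sys.argv[1:]:  # live check only for hosts given on the command line
        print(probe(host))
```

Run without arguments it only classifies the constructed samples; hostnames passed on the command line are probed live.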
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: How secure is https over open wifi

Post by pickle »

That's all true, but what ~jaoudestudios said still holds. The very fact that you're transmitting your packets over wireless vs. wired doesn't make your https connection any more or less secure.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: How secure is https over open wifi

Post by jaoudestudios »

Thanks for the info. Not too sure you should be giving people ideas though :?
"That's all true, but what ~jaoudestudios said still holds. The very fact that you're transmitting your packets over wireless vs. wired doesn't make your https connection any more or less secure."
Good point pickle, I got a bit distracted and forgot what we started on.

In Linux you can packet sniff any IP? Or do you have to be on the same network?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: How secure is https over open wifi

Post by matthijs »

@volomike: yes, that's one way to be vulnerable. I read the same about airport wifi security. So many people (especially businessmen) walk around in airports, trying to use wifi networks. You turn on your laptop, scan for networks, free or paid, log in and right there you could be compromised.