Page 1 of 1
How secure is https over open wifi
Posted: Sun Dec 14, 2008 4:45 am
by matthijs
When you're using an open wifi (with no WEP/WPA) in for example an internet cafe, but still using https to check email or do online banking, how (in)secure is that?
Re: How secure is https over open wifi
Posted: Sun Dec 14, 2008 5:11 am
by jaoudestudios
Just as secure as doing it over a LAN connection. All data packets are encrypted.
Re: How secure is https over open wifi
Posted: Mon Dec 15, 2008 2:13 pm
by volomike
Fairly secure. However, I hate to bust everyone's feeling of security, but...
1. When you do an https transaction, it's using something called SSL. Most browsers use SSLv3 now, and the same with most web servers. But you still see some SSLv2 out there. SSLv3 is, obviously, more secure. Unfortunately you are the mercy of your web browser's capabilities or the web server you are connecting to. If you use FF instead of IE, I can say that at least I know that FF uses SSLv3 and will drop down to SSLv2 if necessary unless you disable that in the "about:config" options for SSL on that browser. But then if you disable SSLv2, then you'll get an error page instead on websites that implement SSLv2 instead of v3.
2. When you do SSLv2 or SSLv3, they then have encryption strength levels. Some web servers go all the way. Some only go just a little. If all web servers went all the way with the strongest encryption, two things would happen: the entire web would suddenly slow down because the traffic would almost double, and your experience on https connections would get a good bit slower. Unfortunately I don't know of a tool that will tell you what encryption strength level is for your web browser and/or your web server to which you are connecting.
3. Anyone with a network scanner can sit outside the cafe, grab the https streams, and then take that back to a large server farm and run various decryption methods for several months. They just might be able to unencrypt your stuff. Of course, if you were only on SSLv2 with 40bit encryption, it might take these guys a mere week to decrypt this.
4. Now, take away the wireless aspect, and you are at the mercy of your ISP and your router hops. If anyone with a router on those hops is a bad guy who has the power to flip a switch and start logging packets, then they could do the same thing I mentioned in point # 3. There have been no known cases of this going on except by various governments trying to catch terrorists, political activists, etc.
5. I read once that if anyone tries to bring up a tap into the main or minor internet pipes and start filtering packets, a ton of security alarms would automatically go off and the guys at the telecom companies, perhaps under direction of the UN, would be jumping on this. Google on an article on Estonia, Wired, and network security and there's an article I once read in Wired magazine about these guys who protect our Internet.
6. A common scam with wireless Internet cafes, which actually is fairly easy to implement, unfortunately, is to do this:
a. Walk around the cafe a few days a week and identify what banking sites people usually go to.
b. Visit those sites and collect the HTML into a folder.
c. Bring up your own sites with this HTML, but this time with malicious PHP code that basically grab usernames and passwords.
d. Sit outside the cafe and host your own free wireless Internet connection, named almost the same as the other one inside the cafe.
e. Boost the signal with a booster so that it is more reliable and stronger than the one in the building.
f. Inundate the other wireless router so that it is busy and cannot service new requests.
g. New users will use your wireless service because it's available, and think they are connecting to the cafe's wireless Internet.
h. If the websites those users are visiting aren't the banking sites, just forward the traffic on. If they are intended for those websites, however, you redirect them to your laptop's web server.
i. They type in their username and password, thinking they are on the banking website, when they are not. You store these usernames and passwords and then post an error message, "Sorry, but you typed your password incorrectly. Click here to try again." Of course, when they click there, you direct them to the real banking site instead of the one on your laptop. But by then you have grabbed their username and password and they never detected a thing.
j. The hacker then takes the usernames and passwords and hacks into your account.
Re: How secure is https over open wifi
Posted: Mon Dec 15, 2008 2:50 pm
by pickle
That's all true, but what ~jaoudestudios said still holds. The very fact that you're transmitting your packets over wireless vs. wired doesn't make your https connection any more or less secure.
Re: How secure is https over open wifi
Posted: Mon Dec 15, 2008 2:52 pm
by jaoudestudios
Thanks for the info. Not too sure you should be giving people ideas though
That's all true, but what ~jaoudestudios said still holds. The very fact that you're transmitting your packets over wireless vs. wired doesn't make your https connection any more or less secure.
Good point
pickle, I got a bit distracted and forgot what we started on.
In linux you can packet sniff any IP? or do you have to be on the same network?
Re: How secure is https over open wifi
Posted: Tue Dec 16, 2008 2:11 am
by matthijs
@volomike: yes, that's one way to be vulnerable. I read the same about Airport wifi security. So many people (especially businessmen) walk around on airports, trying to use wifi networks. You turn on your laptop, scan for networks, free or paid, log in and right there you could be compromised.