Using an unsecured WiFi signal

 
 
DrewDad
 
  1  
Reply Fri 13 May, 2011 11:53 am
@Swimpy,
As Cyclo says, yes they can be intercepted the same way.

Honestly, though, it's easier to infect a machine and put keystroke logging software on it.
Swimpy
 
  1  
Reply Fri 13 May, 2011 11:59 am
@Cycloptichorn,
But transmitted via cellular signal, is that safer?
parados
  Selected Answer
 
  3  
Reply Fri 13 May, 2011 12:13 pm
@DrewDad,
DrewDad wrote:

As Cyclo says, yes they can be intercepted the same way.

Honestly, though, it's easier to infect a machine and put keystroke logging software on it.


It's probably easier to wait for the guy to go get a coffee refill and walk out with the device they left on the table.
Thomas
 
  3  
Reply Fri 13 May, 2011 12:20 pm
@Cycloptichorn,
Cycloptichorn wrote:
I really don't recommend logging into ANYTHING over an unsecured connection.

To expand on that: Back in the early 90s, when I studied physics and the internet was mostly universities-only, we had a rule of thumb about its use: Don't send anything over the internet that you wouldn't send on a postcard. I think this is still a good rule for unencrypted connections.
0 Replies
 
Swimpy
 
  1  
Reply Fri 13 May, 2011 12:40 pm
@parados,
I have to admit that I'm probably more at risk of having the damned thing stolen altogether than I am of having someone wirelessly swipe my info. I've gotta passcode protect the bugger. Bad Swimpy!

Thanks for answering my questions, everybody.
0 Replies
 
Thomas
 
  1  
Reply Fri 13 May, 2011 01:29 pm
@Swimpy,
Swimpy wrote:
But transmitted via cellular signal, is that safer?

No. It's the same signal, possibly transmitted over a different wavelength.
Cycloptichorn
 
  1  
Reply Fri 13 May, 2011 03:14 pm
@Thomas,
Thomas wrote:

Swimpy wrote:
But transmitted via cellular signal, is that safer?

No. It's the same signal, possibly transmitted over a different wavelength.


It's somewhat safer though, in that it takes some specialized hardware to intercept cellular signals. All it takes to intercept wi-fi is a standard laptop and some hacking skills.

Cycloptichorn
maxdancona
 
  1  
Reply Fri 13 May, 2011 04:23 pm
OK, this thread has gone off in a strange direction. DrewDad is simply incorrect.

For all practical purposes, if used correctly, SSL is safe and secure even over an insecure network. This is true whether the connection is over WiFi or over a cellular connection.

Let me explain.

SSL was designed to prevent the type of Man in the Middle attacks that DrewDad is worried about with certificates.

When you connect with your bank, you receive a certificate that contains a bunch of information about the bank including its URL, and a public key. You can use this public key to send a message that only the bank can read (using public key cryptography which I can explain if anyone is interested). This allows you to send a secret (basically a random message) to the bank that the attacker can't read as well as your own public key. The bank sends you back your message (to prove that it is not being relayed by an attacker), and then a cryptographic key that is now guaranteed to be known only by you and the bank.

The key to these certificates are Certifying Authorities which are companies that everyone trusts to "sign" certificates of the reputable companies and websites they vouch for. Signing is a mathematical way to generate a message that can only be made by someone who knows a secret, but can be verified by all. If something is signed you can't change it without making the verification fail.

You can see these certificates if you go to a secure website (such as gmail). On my browser it is in two places, a little lock icon on the bottom right, and a colored bar on the address bar. If you click on this, you will get a window that has a bunch of information that is registered with the certifying agency about that website.

I recently found a website with an invalid certificate (this was an error on the website's part, not anything sinister, but it gives an example of a bad certificate). Try this link https://email.godaddy.com to see what happens.

A man in the middle attacker will have trouble faking a valid certificate because they will be unable to create a digital signature.

If there is an invalid certificate, your browser will generate an error message. One obvious safety rule is Don't ignore such an error message.

There are some esoteric ways found by researchers to get around this protection. They are interesting to computer science geeks, but they aren't very practical for real would-be criminals, and the browser companies respond pretty quickly anyway. And, because they rely on getting a certificate, it is very difficult for a criminal to do this without leaving a trail back to himself.

In short, doing banking over a secure connection on either your cell phone, or on a public wi-fi network is not risky at all.
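
The certificate check described in the post above, sketched as an added example (not part of the original post and not any poster's code). It uses a toy certificate authority built on textbook RSA with fixed primes, which is not secure and stands in for real X.509; the names `Toy CA`, `bank.example` and all helper functions are assumptions made for the illustration.

```python
import hashlib

E = 65537

# Toy textbook RSA from fixed Mersenne primes: illustration only, not secure.
def make_key(p, q):
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

CA_KEY = make_key(2**89 - 1, 2**521 - 1)        # hypothetical "Toy CA"
BANK_KEY = make_key(2**61 - 1, 2**107 - 1)      # the real bank's key pair
ATTACKER_KEY = make_key(2**31 - 1, 2**127 - 1)  # the man in the middle

def body_digest(cert, n):
    """Hash the signed fields (host, public key, issuer) to an integer mod n."""
    body = f'{cert["host"]}|{cert["pubkey"]}|{cert["issuer"]}'.encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(host, pubkey, issuer, signing_key):
    """Build a certificate and sign it with the private exponent of signing_key."""
    cert = {"host": host, "pubkey": pubkey, "issuer": issuer}
    n = signing_key["n"]
    cert["sig"] = pow(body_digest(cert, n), signing_key["d"], n)
    return cert

def client_check(cert, wanted_host, trusted):
    """Return 'ok', or the reason a browser would raise a certificate warning."""
    ca = trusted.get(cert["issuer"])
    if ca is None:
        return "untrusted issuer"
    if pow(cert["sig"], ca["e"], ca["n"]) != body_digest(cert, ca["n"]):
        return "bad signature"
    if cert["host"] != wanted_host:
        return "hostname mismatch"
    return "ok"

# Public half of the CA key only: this is what ships with the browser.
TRUSTED = {"Toy CA": {"n": CA_KEY["n"], "e": E}}

def scenarios():
    host = "bank.example"  # constructed sample hostname
    genuine = issue(host, BANK_KEY["n"], "Toy CA", CA_KEY)
    certs = {
        "genuine": genuine,
        # Reuses the CA's signature but swaps in a different public key.
        "key_swapped": dict(genuine, pubkey=ATTACKER_KEY["n"]),
        # Signed by an issuer the browser has never heard of.
        "self_signed": issue(host, ATTACKER_KEY["n"], "Attacker CA", ATTACKER_KEY),
        # Claims Toy CA as issuer, but signed without Toy CA's secret.
        "forged_issuer": issue(host, ATTACKER_KEY["n"], "Toy CA", ATTACKER_KEY),
        # Properly signed by Toy CA, but for a different hostname.
        "wrong_host": issue("attacker.example", ATTACKER_KEY["n"], "Toy CA", CA_KEY),
        # The CA itself signs for the wrong party: the client cannot tell.
        "misissued": issue(host, ATTACKER_KEY["n"], "Toy CA", CA_KEY),
    }
    return {name: client_check(c, host, TRUSTED) for name, c in certs.items()}

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:14} -> {verdict}")
```

Every certificate produced without the CA's secret is rejected; the only non-genuine one that passes is the one the CA signed itself, so the check is exactly as trustworthy as the authority's issuance process.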
Thomas
 
  1  
Reply Fri 13 May, 2011 04:27 pm
@Cycloptichorn,
Cycloptichorn wrote:
It's somewhat safer though, in that it takes some specialized hardware to intercept cellular signals.

... yeah, but Radio Shack sold those scanners until they were made illegal a few years ago. If a professional wants them, they're still easy to get.
0 Replies
 
Thomas
 
  3  
Reply Fri 13 May, 2011 04:36 pm
@maxdancona,
maxdancona wrote:
For all practical purposes, if used correctly, SSL is safe and secure even over an insecure network. This is true whether the connection is over WiFi or over a cellular connection.

"If used correctly". If an intermediate server claims to be the bank, Swimpy's Firefox will pop up its "do you trust this server?". And if she clicks "yes" because she's absent-minded and doesn't recognize the man-in-the-middle attack, she's on the attacker's hook. Nobody uses their equipment correctly all the time. And one incorrect use can be enough to give you a very bad time.
Cycloptichorn
 
  3  
Reply Fri 13 May, 2011 04:39 pm
@maxdancona,
Quote:


A man in the middle attacker will have trouble faking a valid certificate because they will be unable to create a digital signature.

If there is an invalid certificate, your browser will generate an error message. One obvious safety rule is Don't ignore such an error message.


Dude. Isn't it obvious that 99% of people who are connecting via an unsecured connection at a coffee house somewhere don't know what the **** a valid certificate is? They see pop-up **** on the internet constantly that they don't understand.

The certificates aren't worth **** if the people on the user end don't know what they mean, which they clearly don't for the most part. The vast majority of people would accept them anyway, because they don't understand and they need to access their data. You simply can't trust the modern user to 'use SSL correctly.'

You call this an 'obvious safety rule.' It's not obvious unless you know about the internet and how modern computing works, which frankly almost nobody does.

Not only that, but given the recent revelation that Comodo and others have allowed fake SSL certificates to be handed out - to criminals! - you simply can't trust them anymore. Not even a little. Doing any sort of banking business over an unsecured wifi network is, in the light of this, a stupid thing to do. Certainly not 'perfectly safe.'

Cycloptichorn
maxdancona
 
  1  
Reply Fri 13 May, 2011 04:41 pm
@Thomas,
I don't think that this is very dangerous. There are a couple of rules you have to follow, but it is not very risky for a reasonably well informed person. I use firefox which makes me click 3 times to override a bad certificate. The last click gives you big letters that say "You should not do this unless you know what you are doing".

The biggest problem in computer security is the fact that people use the same password for their bank and email and facebook account. This is much more dangerous than using public wi-fi.
0 Replies
 
maxdancona
 
  1  
Reply Fri 13 May, 2011 04:49 pm
@Cycloptichorn,
Yes, there is a problem with education. People should be educated to trust their browser messages. This is something I could teach someone in 5 or 10 minutes tops. Again browser companies are doing their part to make these messages more urgent (as I said above my browser makes me click through 3 dialog boxes with dire warnings before I can override a bad certificate).

No, there is not a realistic problem with fake certificates. And if there were, it would be as much a problem with your desktop as it is with wi-fi.

Quote:
Doing any sort of banking business over an unsecured wifi network is, in the light of this, a stupid thing to do. Certainly not 'perfectly safe.'


Sorry. This is simply incorrect. The rules for being perfectly safe on an unsecured network are important, but not that difficult.

I worked on a program that had to be HIPAA compliant, meaning that medical privacy was at stake. Doctors are now using wireless devices to send confidential medical information. SSL is perfectly adequate for this task.

Cycloptichorn
 
  1  
Reply Fri 13 May, 2011 04:56 pm
@maxdancona,
maxdancona wrote:

Yes, there is a problem with education. People should be educated to trust their browser messages. This is something I could teach someone in 5 or 10 minutes tops. Again browser companies are doing their part to make these messages more urgent (as I said above it makes me click through 3 dialog boxes with dire warnings before I can override a bad certificate).


But, folks can't tell the difference between a valid browser message and a popup telling them that their computer is infected and 'click here' to clean it! You just gotta realize that the overwhelming majority of users don't understand even the most basic things about the internet or their computers, and in light of that, it's a bad idea to advertise sending data across an unsecured wireless network.
Quote:


No, there is not a realistic problem with fake certificates. And if there were, it would be as much a problem with your desktop as it is with wi-fi.


Bull. You're telling me that there's as much risk of a man in the middle attack using fake SSL in my house as there is over an unsecured, public wi-fi network? Where it's dead easy to spoof a wireless router? You're wrong. That's all I can say about that. One is exponentially higher risk than the other.

Not only that, but the fake certificates that have been CONFIRMED to have been handed out from Comodo:

* login.live.com
* mail.google.com
* www.google.com
* login.yahoo.com
* login.skype.com
* addons.mozilla.org

Don't you realize that for every incident like this that is found and admitted, there are many more that are not?

Quote:

Quote:
Doing any sort of banking business over an unsecured wifi network is, in the light of this, a stupid thing to do. Certainly not 'perfectly safe.'


Sorry. This is simply incorrect. The rules for being perfectly safe on an unsecured network are important, but not that difficult.

I worked on a program that had to be HIPAA compliant, meaning that medical privacy was at stake. Doctors are now using wireless devices to send confidential medical information. SSL is perfectly adequate for this task.


Dollars to donuts they are doing it on secured wifi networks. Right?

I think you have a real perception gap regarding the amount of knowledge it takes to properly secure yourself on the internet versus the amount of knowledge users have. I would strongly recommend that you stop advising people to send personal data out across any unsecured wi-fi network, period. The folks who know what they are doing don't need our advice on the matter and the ones who don't won't know what an attack looks like.

Just as an example, here's an article describing how the gov't of Syria is currently implementing a gigantic man-in-the-middle attack against facebook using fake SSL certificates:

http://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

The key is that people don't know enough to stop using them. If we were in a perfect world and folks were educated, this wouldn't be an issue, I agree. But that's just not how things work in the real world.

Cycloptichorn
Cycloptichorn
 
  1  
Reply Fri 13 May, 2011 05:08 pm
@Cycloptichorn,
Not only that, I just thought of something else: do you always check, every single time, to make sure that pages that should utilize SSL are really giving you that connection? If the Gmail login screen, or your bank, one day didn't use it - would you notice? Every time? Most people breeze through these pages without looking at anything in particular.

If not - and I really think the answer is no, even for people who know what they are talking about, let alone average users - then a man-in-the-middle phishing attack becomes child's play.

Cycloptichorn
0 Replies
 
maxdancona
 
  1  
Reply Fri 13 May, 2011 05:39 pm
@Cycloptichorn,
Quote:

Not only that, but the fake certificates that have been CONFIRMED to have been handed out from Comodo:


The Comodo attack had nothing to do with wi-fi. This attack was on people using regular old wired internet. Pretty much any attack that can be done on wi-fi can be done (with a little more effort) on a regular network.

Are you going to advise that no one do any banking on the internet?
Cycloptichorn
 
  1  
Reply Fri 13 May, 2011 05:45 pm
@maxdancona,
maxdancona wrote:

Quote:

Not only that, but the fake certificates that have been CONFIRMED to have been handed out from Comodo:


The Comodo attack had nothing to do with wi-fi. This attack was on people using regular old wired internet.


Nobody said that the Comodo certs had anything to do with wi-fi at all. However, they do show the weakness of the SSL system - and the fact that there ARE fake SSL certs running around out there. A sophisticated criminal can combine this with an unsecured network to do some serious phishing.

Quote:
Pretty much any attack that can be done on wi-fi can be done (with a little more effort) on a regular network.


With a LOT more effort. Explain to me how you're going to physically hack into my home network and spoof my router, the same way you could do that to someone logging onto an unsecured wifi network at a coffee shop.

Quote:
Are you going to advise that no one do any banking on the internet?


Only over unsecured wi-fi connections, which you may recall, is what this whole thing is about.

Cycloptichorn
maxdancona
 
  1  
Reply Fri 13 May, 2011 06:01 pm
@Cycloptichorn,
Let's get real. You are being a bit paranoid.

"Sophisticated criminals" aren't hanging out at your local Starbucks to steal your bank numbers. Technically it could be done, maybe I guess. Someone who could do this would be better served doing something else for something this uncertain and with this much chance of being caught. It's not being done in any real frequency.

Those of us who deal with computer security simply aren't worried about this. SSL provides a perfectly adequate level of security.

It is the deadbolt on your house. It isn't Fort Knox. But for a house, a deadbolt is fine if you use it consistently. For personal banking or similar need for privacy, SSL is perfectly fine if you use it consistently.

I do this stuff for a living. I am not worried about using my bank on a public wi-fi. And I understand the technology and the risks well enough, after the 10 minutes of explanation I gave my mother about internet security, I am not worried about her either.

There are lots of ways that people are being cheated on the Internet including viruses and phishing attacks. Public wi-fi doesn't add any significant risk.





Cycloptichorn
 
  1  
Reply Fri 13 May, 2011 06:19 pm
@maxdancona,
Quote:
"Sophisticated criminals" aren't hanging out at your local Starbucks to steal your bank numbers. Technically it could be done, maybe I guess. Someone who could do this would be better served doing something else for something this uncertain and with this much chance of being caught. It's not being done in any real frequency.


Three unproven assertions in this paragraph. It's not even hard to envision how a phishing attack in such a situation could capture MANY passwords from unsuspecting and uneducated users, who unfortunately make up the vast, vast majority of those who use the internet.

Quote:
It is the deadbolt on your house. It isn't Fort Knox. But for a house, a deadbolt is fine if you use it consistently. For personal banking or similar need for privacy, SSL is perfectly fine if you use it consistently.


But people don't know how to use it correctly and don't use it consistently. In fact, I'd say only a tiny amount of the people who use computers have even heard of SSL, let alone use it consistently. You ought to acknowledge this point.

It doesn't matter to me if you refer to me as paranoid; the fact is that you are recommending engaging in activities that are fundamentally unsafe for the vast majority of users.

I can't add anything more to the thread at this point other than to reiterate to others who are reading: do not conduct banking or personal business over unsecured wi-fi networks, whether it's on a computer or a mobile device.

Cycloptichorn
maxdancona
 
  2  
Reply Fri 13 May, 2011 06:31 pm
@Cycloptichorn,
Quote:
But people don't know how to use it correctly and don't use it consistently. In fact, I'd say only a tiny amount of the people who use computers have even heard of SSL, let alone use it consistently. You ought to acknowledge this point.


Sure, you have a point here. I am a big fan of education, which means teaching people how to use the internet securely whether or not they are on their own network, or on a public wi-fi.

Quote:
It doesn't matter to me if you refer to me as paranoid; the fact is that you are recommending engaging in activities that are fundamentally unsafe for the vast majority of users.


Scaring people is not education. What does "fundamentally unsafe" mean? I looked for statistics on how many people are victims because they do banking over SSL on a public wi-fi network (and they accept the risk if money is lost). The number must be very very low because banks, who end up paying for internet crime, continue to offer these services on mobile devices.

Would you consider driving to the Starbucks "fundamentally unsafe"? I bet more people die in accidents driving to the Starbucks than there are victims of SSL hacking. And think about how ridiculous your fear is. Not only does someone have to have the skills to break SSL, they have to be willing to take the risk of being caught, and spend the time in Starbucks just waiting for someone to start banking. Seriously people with these skills who want to be criminals will find much easier, less risky and more profitable ways to get your money.

The fact is, if you lost money because of SSL, you would damn well report it. Where are the reports of the millions (or even hundreds) of people losing money because they banked at Starbucks?

The people in the industry (including the banks who have the most to lose) are not worried about this, in fact eTrade (my stock broker that manages lots of my money) advertises the fact that I can bank with them over my mobile phone even though they are liable for any losses.

Quote:

I can't add anything more to the thread at this point other than to reiterate to others who are reading: do not conduct banking or personal business over unsecured wi-fi networks, whether it's on a computer or a mobile device.


I don't know where you get your claim to expertise from.

Computer security is part of my job. You are exaggerating the risk to a ridiculous extent.
0 Replies
 
 
