Internet Security | High Speed Internet Connections for Travelers | Forums

This is a copy of a post from one of the forums that I am a member of.  It seems to conflict with information about https that I think I learned from you.  Could I request your comments about this and suggestions?

Quote

"There is a lot of misinformation about the safety and security of your computer
connecting to various types of networks. And since those of us in an RV spend a
lot of time traveling, we need to understand what is safe to use and what is
not.

First, a couple of disclaimers…
There is no such thing as absolutely secure and security is continuously
changing. Example: an encryption that is viewed as secure today might not be
secure tomorrow as computers grow in capability.
There are always some risks to security; some people are more comfortable with
risk than others.

So here are the typical networks we might encounter as we travel.

Open WIFI �" Just say no.
When you connect to an Open WIFI, you open yourself to all sorts of attacks.
Everyone else can see what you are doing and can attack your computer and
potentially your identity. (search for “firesheep”)
And you have to trust the owner of the WIFI network (I wouldn’t trust anyone
running an open WIFI).
Even https doesn’t provide adequate protection because your computer can be
attacked by others in the WIFI network (are you sure your computer is up to
date?) and the provider of the network can redirect requests via an attack
strategy called “man in the middle” (search for “man in the middle”).
And by the way, if you try to take advantage of an open WIFI you just happen to
“find” be aware that in some jurisdictions, that may be considered
“theft”.
I have a computer (yes, I carry multiple) that has no personal information and I
never connect to anything that requires a password with this computer. If
anything goes wrong with this machine, I wipe the disk and reinitialize. That is
the ONLY machine I would attach to an open WIFI and all I would do is check the
news, read online docs, listen to music, etc.

Encrypted WIFI �" Better but risky.
First, if the WIFI is encrypted with a security type of WEP, then it is not
really encrypted in a way that is safe. WEP WIFI networks are as dangerous as
open WIFI. WIFI must be encrypted with some form of WPA to be considered secure.
A WPA encrypted WIFI all but eliminates attacks from others that are on the same
WIFI network. But you still need to trust the provider of the network. For
example, how much do you want to trust Joe’s Pizza WIFI? (see “man in the
middle”)
I might read email on such a network but except in an extreme emergency I would
not perform financial transactions on such a network. And I would make certain
that my system was up to date and my personal firewall was functioning. And I
would make sure I had some level of trust in the provider of the network.

Your own encrypted WIFI via your own router �" the best answer
Use a router that connects to the cell network and provides a local WPA
encrypted WIFI (sometimes called a MIFI). No one else is on the network except
your machines. You control the router. You know the network provider (your cell
provider). And the added bonus is that the computers on this network are hidden
from the outside world all but preventing inbound attacks. This (see “network
address translation”) provides a very strong firewall.
When traveling, this is the only network on which I will perform financial
transactions.

Points of discussion:
Q: Doesn’t https provide a secure, encrypted connection?
A: Think of https as providing a very strong pipe from your computer to another
computer. In general, the pipe will not leak, that is, no one will be able to
pull data out of the pipe. This is all true. However, there are ways to redirect
the pipe so that it doesn’t really go where you expect it to go. So the
communication in the pipe is secure but it can get to the wrong organization /
person. (see “man in the middle”)
Also, if your computer has been previously compromised, https provides no
protection.

Q: Isn’t an encrypted WIFI as safe as data connections to cell networks (3G,
4G, ?)?
A: Not always. A cell network can be worse than a WPA encrypted WIFI or it can
be equivalent when it comes to communication (cell data networks are not in my
areas of expertise). But that isn’t the only issue. The good news with cell
networks is that you know who is on the other end (Verizon, ATT, Sprint, etc.).
When you use someone’s wireless, the answer might be less clear and you
probably do not have a financial connection with the provider. Again, I always
want to be sitting behind a router that I control."

End Quote

Thanks

Al Wilson

I have seen a reply to the post on the other forum and I thought I would post it here.

"I have had to think about how to answer this post.

I intended my original post for this group of Safari owners. Had I intended it
for a "geek" audience, I would have written it very differently.

It appears that I did not provide sufficient detail for MR Geek…
In order to connect securely to a web site two things are necessary: you need a
secure path and you need to connect to the correct site. While there are
sometimes attacks on encryption that involve sophisticated computing and
generally some luck, I have not heard in the various forums and literature that
I follow of any general attacks on the encryption used by https. At this point
in time, I assume that https has little or no risk. But does it connect to the
correct site? Consider the following example:

I expect that many of you have checked into an RV campsite that offers free
wireless and the office provides you the password (note: not the encryption
key!). You park your rig, start your computer and try to go to "weather.com".
You are surprised when it takes you to a browser page that asks you for the
password. This is the power of owning your router; you can ask for any internet
address you want, the router can redirect you as needed. Now imagine that
instead of providing you with the security page, a server (call it SERV) goes
to weather.com and provides your browser with the output. Your browser is
connected to SERV but it sure looks like weather.com. SERV can see what you type
to what you believe is weather.com and can see the output from weather.com as
well. This is what is called a man in the middle attack. Doing this in https is
more complicated but you get the idea.

https is a necessary but insufficient step for secure financial computing. That
is why I suggest that you be at an encrypted WIFI from a known vendor and then
be careful.

MRS Geek is pissed off…
There are technically knowledgeable people that can use open WIFI safely. But it
requires a significant understanding of what to do and what not to do. It
concerns me greatly when technical types presume that others have this
understanding (or they are unaware of their own level of understanding).

If all you ever do with your computer is connect to Facebook and read your email
and you are unconcerned about the consequences of your Facebook or email
identity being hijacked, then maybe you can be unconcerned with connecting with
an open WIFI. But if you ever intend to use the computer for financial
transactions or any transactions that you consider important, then an open WIFI
is a really bad idea.

But of course, each person needs to consider their own level of risk tolerance.

By the way, I do all of my financial work online but I follow my own
recommendations.

Good luck.

David (aka Mr. Doom & Gloom)"