Public Wifi and Security


Dave Scocca
On Fri, Oct 21, 2016, at 01:20 PM, Fritz Mills wrote:

> Your email  credentials can be harvested if you check your email from a
> public wifi network like Starbucks,

OK--so I have a question about claims like this one, or oft-heard advice
about not doing things like banking on a public wifi network.

My understanding has always been that the security compromises and
limitations of wifi were ones which allowed someone to "overhear" your
IP traffic.  That is, having compromised wifi is equivalent to having
someone "listening on the line".

But when you are using a secured/encrypted connection, as when accessing
an HTTPS website, or when connecting to a mail server with an SSL
connection, there should never be any point at which unencrypted data
exists anywhere other than on your device and on the server at the other
end.  That is, that even the ability for someone to listen in on your
traffic does not include the ability to interpret that traffic or to
grab your credentials.

Are there actually wifi limitations that would somehow allow a secure
connection to be compromised when using wifi?  Or is the fear of public
wifi something that is overstated if you're actually connecting
securely?

Dave

--
  Dave Scocca
  [hidden email]


____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
Re: Public Wifi and Security

Fritz Mills

> On Oct 21, 2016, at 1:00 PM, Dave Scocca <[hidden email]> wrote:
>
> But when you are using a secured/encrypted connection, as when accessing
> an HTTPS website, or when connecting to a mail server with an SSL
> connection, there should never be any point at which unencrypted data
> exists anywhere other than on your device and on the server at the other
> end.  That is, that even the ability for someone to listen in on your
> traffic does not include the ability to interpret that traffic or to
> grab your credentials.
>
> Are there actually wifi limitations that would somehow allow a secure
> connection to be compromised when using wifi?  Or is the fear of public
> wifi something that is overstated if you're actually connecting
> securely?
>
I don’t actually know the definitive answer to your question. But I do know that there used to be a plug-in for Firefox that let you eavesdrop on any connection anyone was making on the wifi network you were on. I don’t know how it worked and I don’t know whether HTTPS or SSL would defeat it. I have a VPN capability in my firewall, so I use that. And as I understand it, that’s one of the main reasons to use a VPN.



Re: Public Wifi and Security

Al Varnell
In reply to this post by Dave Scocca
There are several different levels of encryption available for completing such connections and some are extremely weak and easily compromised. Most of these have been eliminated over time and are no longer being used by modern browsers/web sites. It's been a long time since I've read of an actual compromise involving an HTTPS connection.

There are still issues with a small number of sites that accept HTTP plain text logins before giving access to the encrypted site, but as long as you pay attention to the secure indicator (normally a padlock these days) that should not be a problem.

Sent from Janet's iPad

Al-

On Oct 21, 2016, at 11:00 AM, Dave Scocca wrote:
> when you are using a secured/encrypted connection, as when accessing
> an HTTPS website, or when connecting to a mail server with an SSL
> connection, there should never be any point at which unencrypted data
> exists anywhere other than on your device and on the server at the other
> end.  That is, that even the ability for someone to listen in on your
> traffic does not include the ability to interpret that traffic or to
> grab your credentials.



Re: Public Wifi and Security

Randy B. Singer
In reply to this post by Dave Scocca

On Oct 21, 2016, at 11:00 AM, Dave Scocca wrote:

> OK--so I have a question about claims like this one, or oft-heard advice
> about not doing things like banking on a public wifi network.

This is probably a good time to mention that the latest version of Opera is not only a really nice, and speedy, free browser, but it now comes with a free ad-blocker, and especially pertinent to this discussion, a free built-in VPN service!

http://www.opera.com/computer/mac

___________________________________________
Randy B. Singer
Co-author of The Macintosh Bible (4th, 5th, and 6th editions)

Macintosh OS X Routine Maintenance
http://www.macattorney.com/ts.html
___________________________________________






Re: Public Wifi and Security

Al Varnell
On Sat, Oct 22, 2016 at 05:23 AM, Randy B. Singer wrote:
>
> On Oct 21, 2016, at 11:00 AM, Dave Scocca wrote:
>> OK--so I have a question about claims like this one, or oft-heard advice
>> about not doing things like banking on a public wifi network.
>
> This is probably a good time to mention that the latest version of Opera is not only a really nice, and speedy, free browser, but it now comes with a free ad-blocker, and especially pertinent to this discussion, a free built-in VPN service!
>
> http://www.opera.com/computer/mac

And in July of this year, the Opera browser was sold to Qihoo 360 Technology Co. Ltd., a Chinese internet security company for $600 million.

-Al-
--
Al Varnell
Mountain View, CA







Re: Public Wifi and Security

John Burt
In reply to this post by Dave Scocca
On Sat, Oct 22, 2016 at 5:29 AM, Al Varnell <[hidden email]> wrote:

>> This is probably a good time to mention that the latest version of Opera is not only a really nice, and speedy, free browser, but it now comes with a free ad-blocker, and especially pertinent to this discussion, a free built-in VPN service!
>>
>> http://www.opera.com/computer/mac
>
> And in July of this year, the Opera browser was sold to Qihoo 360 Technology Co. Ltd., a Chinese internet security company for $600 million.

Looks like we need to get a security expert's review of Opera.
 
--
John



Re: Public Wifi and Security

Neil Laubenthal
I would guess it will be compromised soon then. Not much happens in China without government approval and their distaste for privacy and dissent is well known. 

neil

The three kinds of stress…nuclear, cooking and a&&hole. Jello is the key to the relationship. 

On Oct 22, 2016, at 12:36, SciFiOneA . <[hidden email]> wrote:

And in July of this year, the Opera browser was sold to Qihoo 360 Technology Co. Ltd., a Chinese internet security company for $600 million.

Looks like we need to get a security expert's review of Opera.



Re: Public Wifi and Security

George Wade
Not much happens without any country's government approval, nor distaste for privacy and dissent.  So we rely on Apple to keep our secrets safe when they are able to.  As for what works in this case of Opera, or other web software certainly does need a round table of referees and testers.  Perhaps there could be a European distribution;  an Americas distro along with an Asian version that could work within the cultural standards of the regions concerned...!

Glad that you brought it up Neil.

George

On 22 Oct 2016, at 13:27, Neil Laubenthal wrote:

I would guess it will be compromised soon then. Not much happens in China without government approval and their distaste for privacy and dissent is well known. 

neil

The three kinds of stress…nuclear, cooking and a&&hole. Jello is the key to the relationship. 

On Oct 22, 2016, at 12:36, SciFiOneA . <[hidden email]> wrote:

And in July of this year, the Opera browser was sold to Qihoo 360 Technology Co. Ltd., a Chinese internet security company for $600 million.

Looks like we need to get a security expert's review of Opera.




Re: Public Wifi and Security

Fritz Mills
In reply to this post by Al Varnell

> On Oct 22, 2016, at 7:29 AM, Al Varnell <[hidden email]> wrote:
>
>
> And in July of this year, the Opera browser was sold to Qihoo 360 Technology Co. Ltd., a Chinese internet security company for $600 million.
>

D’Oh!

That can’t be good for security!






Re: Public Wifi and Security

David Ross
In reply to this post by Dave Scocca
Everyone on the same WiFi connection can see all the bits of the others
on the connection. This is life. Moving on.....

If you are doing something in plain text then anyone with a bit of
expertise can read it. If your app is encrypting things before they
travel out of your computer then they have to first break the
encryption. As someone else mentioned this can be trivial or really hard
depending on the level of encryption used.

If you are using email via a web site such as Google's web based email
or most any banking site in the US their encryption is fairly good and
all but major state actors will be blind to what you are doing.
Passwords and all. Look for the encryption status or the https before
typing in passwords.

As mentioned by someone else if you are on web site which does not
encrypt then anyone with a bit of knowledge can read your passwords or
whatever.

As to apps such as Apple's Mail, Mozilla Thunderbird, Microsoft Outlook,
etc... you have to know if the email service they connect to uses
encryption or not. Ditto other apps.

On 10/21/16 1:00 PM, Dave Scocca wrote:

> On Fri, Oct 21, 2016, at 01:20 PM, Fritz Mills wrote:
>
>> Your email  credentials can be harvested if you check your email from a
>> public wifi network like Starbucks,
> OK--so I have a question about claims like this one, or oft-heard advice
> about not doing things like banking on a public wifi network.
>
> My understanding has always been that the security compromises and
> limitations of wifi were ones which allowed someone to "overhear" your
> IP traffic.  That is, having compromised wifi is equivalent to having
> someone "listening on the line".
>
> But when you are using a secured/encrypted connection, as when accessing
> an HTTPS website, or when connecting to a mail server with an SSL
> connection, there should never be any point at which unencrypted data
> exists anywhere other than on your device and on the server at the other
> end.  That is, that even the ability for someone to listen in on your
> traffic does not include the ability to interpret that traffic or to
> grab your credentials.
>
> Are there actually wifi limitations that would somehow allow a secure
> connection to be compromised when using wifi?  Or is the fear of public
> wifi something that is overstated if you're actually connecting
> securely?
>
> Dave
>



Re: Public Wifi and Security

Paul Chernoff
In reply to this post by Dave Scocca
There is a danger of a man-in-the-middle attack, where your traffic is intercepted before making the encrypted connection. This machine will put itself in the middle and you will have an encrypted line with the hacker, who in turn has an encrypted line with the server. In this case they are unencrypting your data, reading it, and then re-encrypting it to the server. This is a simplified explanation but you can think you have an encrypted connection to the server when in reality someone is reading all data going back and forth. Solutions include the public provider encrypting traffic and posting the Wifi password (you still won't be able to see other people's traffic) or connecting your device to the Internet via a VPN which will encrypt all Internet traffic and isn't vulnerable to a man-in-the-middle attack.

PAUL CHERNOFF
Director of Information Technology
W. 202.862.3504 
1828 L Street, NW, Suite 200, Washington, DC 20036


We are a WBENC Certified WBE/WOSB.

On Fri, Oct 21, 2016 at 2:00 PM, Dave Scocca <[hidden email]> wrote:
On Fri, Oct 21, 2016, at 01:20 PM, Fritz Mills wrote:

> Your email  credentials can be harvested if you check your email from a
> public wifi network like Starbucks,

OK--so I have a question about claims like this one, or oft-heard advice
about not doing things like banking on a public wifi network.

My understanding has always been that the security compromises and
limitations of wifi were ones which allowed someone to "overhear" your
IP traffic.  That is, having compromised wifi is equivalent to having
someone "listening on the line".

But when you are using a secured/encrypted connection, as when accessing
an HTTPS website, or when connecting to a mail server with an SSL
connection, there should never be any point at which unencrypted data
exists anywhere other than on your device and on the server at the other
end.  That is, that even the ability for someone to listen in on your
traffic does not include the ability to interpret that traffic or to
grab your credentials.

Are there actually wifi limitations that would somehow allow a secure
connection to be compromised when using wifi?  Or is the fear of public
wifi something that is overstated if you're actually connecting
securely?

Dave

--
  Dave Scocca
  [hidden email]


Re: Public Wifi and Security

Doug Miller

On Wed, Oct 26, 2016 at 10:31 AM, Paul Chernoff <[hidden email]> wrote:
> There is a danger of a man-in-the-middle attack, where your traffic is intercepted before making the encrypted connection. This machine will put itself in the middle and you will have an encrypted line with the hacker, who in turn has an encrypted line with the server. In this case they are unencrypting your data, reading it, and then re-encrypting it to the server. This is a simplified explanation but you can think you have an encrypted connection to the server when in reality someone is reading all data going back and forth. Solutions include the public provider encrypting traffic and posting the Wifi password (you still won't be able to see other people's traffic) or connecting your device to the Internet via a VPN which will encrypt all Internet traffic and isn't vulnerable to a man-in-the-middle attack.

This would only be a danger if you have a certificate trusting the MITM - which you almost surely do not - or you ignore any warnings about connecting with an untrusted certificate. There was a time last year when we learned about the MITM encryption downgrade attacks, like POODLE, but I think that those are now almost always patched on the server side. Also, surely checking Gmail (which was the original question) is completely encrypted, as Google will not allow unencrypted sessions, doesn't use the OpenSSL version that was susceptible to downgrade attacks, and uses certificate pinning, so a non-Google certificate tried by a MITM will fail even if you ignore trust warnings.



Doug
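
Added example (not part of Doug Miller's message or of any post in this thread): the three conditions named above, an untrusted certificate being accepted, a protocol downgrade, and a pin mismatch, written as checks against Python's `ssl` module. The function names, the TLS 1.2 floor and the sample byte strings are assumptions made for this illustration, and the pin is taken over the whole certificate as a simplification.

```python
import hashlib
import hmac
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # assumption: floor chosen for this example


def strict_client_context():
    """Client context: chain and hostname verified, old protocols refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS       # no fallback to SSLv3 / TLS 1.0
    return ctx


def ignore_warnings_context():
    """What 'ignore the certificate warning' amounts to in client code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """List the settings that would let an interposed host go unnoticed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol downgrade possible")
    return findings


def pin_matches(cert_der, pinned_sha256_hex):
    """True if the SHA-256 of the presented certificate is in the pin set.

    In live use cert_der comes from SSLSocket.getpeercert(binary_form=True).
    """
    seen = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(seen, pin) for pin in pinned_sha256_hex)


# Constructed stand-ins for DER certificates (not real certificates).
EXPECTED_CERT = b"constructed-der-bytes: expected server certificate"
OTHER_CERT = b"constructed-der-bytes: certificate from an interposed host"
PINS = {hashlib.sha256(EXPECTED_CERT).hexdigest()}

if __name__ == "__main__":
    print("strict :", audit_context(strict_client_context()))
    print("weak   :", audit_context(ignore_warnings_context()))
    print("pin ok :", pin_matches(EXPECTED_CERT, PINS))
    print("pin bad:", pin_matches(OTHER_CERT, PINS))
```

The pin check is independent of the trust-store check, which is why a pinned client rejects an unexpected certificate even when verification warnings have been dismissed.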


