Anne Wilson wrote:
I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
This is part of my real-life job....
It is relatively easy to attempt an ARP poison attack on a wireless network, even an encrypted one (of course the attacker has to be a legal user of said encrypted network).
Once the attacker has poisoned your and the router's ARP caches, he can then use a tool like DSNIFF to insert himself into your HTTP flows. Thing is, he cannot fake web site certs; he has to use his own.
Be VERY restrictive on what you will accept as certs on a public wireless network. Actually look at their content, making sure of who signed them. It is actually wise to store your bank's certs on your system, then only accept stored certs, even to the point of excluding (or at least first reviewing) certs signed by trusted authorities like Verisign.
If you validate the cert, the man in the middle SSL attack fails.
BTW, at IETF conferences we have had people running bogus SSH servers through DSNIFF and other tools, and you had to watch the SSH fingerprints as well.
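
Added example, not part of the original post: one way to apply the "only accept stored certs" advice is to compare the SHA-256 fingerprint of the certificate a server presents against fingerprints saved earlier on a trusted network. The host name bank.example, the PINS store and the certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Classify the certificate a host presented: 'match', 'mismatch' or 'unpinned'."""
    stored = pins.get(host.lower())
    if not stored:
        return "unpinned"  # nothing stored for this host: review by hand first
    # Accept pins written as plain hex or as colon-separated upper-case hex.
    normalized = {p.lower().replace(":", "") for p in stored}
    return "match" if fingerprint(der_cert) in normalized else "mismatch"


def connect_pinned(host: str, pins: dict, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that must pass CA validation AND the stored pin."""
    ctx = ssl.create_default_context()  # chain and host name checks stay enabled
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    verdict = check_pin(host, tls.getpeercert(binary_form=True), pins)
    if verdict != "match":
        # A CA-signed certificate that is not the stored one is still refused.
        tls.close()
        raise ssl.SSLError(f"certificate pin check for {host}: {verdict}")
    return tls


# Constructed sample data: stand-ins for DER certificate bytes.
STORED_CERT = b"constructed-DER-bytes-of-the-stored-bank-certificate"
OTHER_CERT = b"constructed-DER-bytes-of-a-different-certificate"
PINS = {"bank.example": {fingerprint(STORED_CERT)}}

if __name__ == "__main__":
    print(check_pin("bank.example", STORED_CERT, PINS))   # stored cert
    print(check_pin("bank.example", OTHER_CERT, PINS))    # substituted cert
    print(check_pin("other.example", OTHER_CERT, PINS))   # no pin stored
```

A stored fingerprint has to be refreshed, over a network you trust, whenever the site renews its certificate.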