I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
Anne
Typically SSL secured sites will at least keep your login credentials safe. However, someone can still see where you're going by sniffing your traffic.
If you're very concerned, setup an OpenVPN tunnel that routes all of your traffic through it. Then, the only thing they'll see from the start is an SSL connection to somewhere, and that's it.
Tim Nelson Systems/Network Support Rockbochs Inc. (218)727-4332 x105
----- "Anne Wilson" cannewilson@googlemail.com wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
> Anne
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
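Tim's suggestion of routing everything through OpenVPN, as an added client-side configuration example (not from the post; the server name, port and the certificate/key file names are placeholders, and it assumes the server was set up with its own CA and a tls-auth key):

```conf
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun

# Mutual TLS. The server must present a certificate from our own CA;
# remote-cert-tls refuses a *client* certificate from that CA being
# replayed at us as if it were the server.
ca ca.crt
cert laptop.crt
key laptop.key
remote-cert-tls server
verify-x509-name vpn.example.net name
# Packets without the shared HMAC key are dropped before the TLS
# handshake, so the port does not respond to strangers on the wireless.
tls-auth ta.key 1

# Send all IP traffic through the tunnel, not only the VPN subnet.
redirect-gateway def1
```

Two caveats a practitioner will want: `redirect-gateway def1` moves the IP traffic, but on Linux the resolver in /etc/resolv.conf is still whatever the hotel's DHCP handed out, so the names you look up stay visible on the wireless unless the server pushes a resolver and an up script applies it; and `verify-x509-name` needs OpenVPN 2.3 or later, so on older clients drop that line and rely on `remote-cert-tls server` plus a CA used for nothing else.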
On Wednesday 24 December 2008 14:54:00 Tim Nelson wrote:
> Typically SSL secured sites will at least keep your login credentials safe. However, someone can still see where you're going by sniffing your traffic.
That's not too much of a concern, if they can't read the actual packets.
> If you're very concerned, setup an OpenVPN tunnel that routes all of your traffic through it. Then, the only thing they'll see from the start is an SSL connection to somewhere, and that's it.
That's probably the next step, then, but it sounds as though I needn't worry too much. Thanks for answering
Anne
Anne Wilson wrote:
>> Typically SSL secured sites will at least keep your login credentials safe. However, someone can still see where you're going by sniffing your traffic.
> That's not too much of a concern, if they can't read the actual packets.
>> If you're very concerned, setup an OpenVPN tunnel that routes all of your traffic through it. Then, the only thing they'll see from the start is an SSL connection to somewhere, and that's it.
> That's probably the next step, then, but it sounds as though I needn't worry too much. Thanks for answering
Your main worry on an open network is that someone would hack into your system via ssh password-guessing or some remote vulnerability. Wireless doesn't change this much except that there can be people you don't expect connected with no additional firewall protection.
If someone gains root access to your system they can log unencrypted keystrokes before the web browser encrypts them.
On Wednesday 24 December 2008 17:06:48 Les Mikesell wrote:
> Anne Wilson wrote:
>>> Typically SSL secured sites will at least keep your login credentials safe. However, someone can still see where you're going by sniffing your traffic.
>> That's not too much of a concern, if they can't read the actual packets.
>>> If you're very concerned, setup an OpenVPN tunnel that routes all of your traffic through it. Then, the only thing they'll see from the start is an SSL connection to somewhere, and that's it.
>> That's probably the next step, then, but it sounds as though I needn't worry too much. Thanks for answering
> Your main worry on an open network is that someone would hack into your system via ssh password-guessing or some remote vulnerability. Wireless doesn't change this much except that there can be people you don't expect connected with no additional firewall protection.
I'm not worried that the passphrase will be guessed, and I'm completely aware of social engineering techniques. Vulnerabilities are something else - but keeping my system up to date is a reasonable precaution. I know that some poor soul gets caught on day1 of a vulnerability being known - I've forgotten the name for this - but that's just something that I have to accept. Do all I can, then stop worrying.
> If someone gains root access to your system they can log unencrypted keystrokes before the web browser encrypts them.
But they have to get in first. I'm reasonably confident that they won't - accepting that no-one can ever be 100% certain.
In the past I have bought time on hotel systems rather than use a laptop on a public network for this job, but if you consider that a hotel employee could be a security hole, you are really no better off.
Anne
Anne Wilson wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
This is part of my real-life job....
It is relatively easy to attempt an ARP poison attack on a wireless network, even an encrypted one (of course the attacker has to be a legal user of said encrypted network).
Once the attacker has poisoned your and the router's ARP caches, he can then use a tool like dsniff to insert himself into your HTTP flows. Thing is, he cannot fake web site certs; he has to use his own.
Be VERY restrictive on what you will accept as certs on a public wireless network. Actually look at their content, making sure who signed them. It is actually wise to store your bank's certs on your system, then only accept stored certs, even to excluding (or at least first reviewing) certs signed by trusted authorities like Verisign.
If you validate the cert, the man in the middle SSL attack fails.
BTW, at IETF conferences we have had people running bogus SSH servers through DSNIFF and other tools, and you had to watch the SSH fingerprints as well.
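One way to notice the ARP poisoning Robert describes from the victim's side, as an added example that is not part of the thread: take a snapshot of the neighbor table when you join the network and compare later snapshots against it. The two snapshots below are constructed `ip neigh show` output with placeholder addresses; in them the host at .77 has claimed the router's IP.

```python
"""Spot ARP-cache poisoning by watching the neighbor table (added example).
The snapshots are constructed `ip neigh show` output; addresses are placeholders."""
import re
import subprocess
from collections import defaultdict

# `ip neigh show` prints one entry per line, e.g.
#   192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
# Entries without a resolved MAC (FAILED, INCOMPLETE) carry no lladdr and
# are skipped by the regex.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)

GATEWAY = "192.168.1.1"  # constructed: the hotel router

# Constructed snapshot taken right after joining the network.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:23 STALE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:dd:ee:77 STALE
192.168.1.90 dev wlan0  FAILED
"""

# Constructed snapshot after the host at .77 has poisoned our cache: the
# gateway's IP now resolves to .77's MAC.
SNAPSHOT_AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:23 STALE
192.168.1.77 dev wlan0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
192.168.1.90 dev wlan0  FAILED
"""


def parse_neigh(text: str) -> dict:
    """Map IP -> MAC (lower-cased) for every resolved entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def read_neigh_table() -> dict:
    """Live version: parse the current table (Linux with iproute2)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return parse_neigh(out)


def find_anomalies(before: dict, after: dict, gateway: str) -> list:
    """Two signs of a poisoned cache: the gateway's MAC changed between
    snapshots, and one MAC now answers for several IPs (the attacker
    claiming the router's address as well as its own)."""
    findings = []
    if gateway in before and gateway in after and before[gateway] != after[gateway]:
        findings.append(
            f"gateway {gateway} moved from {before[gateway]} to {after[gateway]}")
    owners = defaultdict(set)
    for ip, mac in after.items():
        owners[mac].add(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims {sorted(ips)}")
    return findings


def demo() -> list:
    """Run the check over the constructed snapshots."""
    return find_anomalies(parse_neigh(SNAPSHOT_BEFORE),
                          parse_neigh(SNAPSHOT_AFTER), GATEWAY)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A gateway MAC change is a signal, not proof: some networks run a redundant router pair whose address can move legitimately. The check is cheap enough to run in a loop with `read_neigh_table()` while you are logged in, and a permanent neighbor entry for the gateway (recorded from the first, clean snapshot) stops the poisoned reply from taking effect at all.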
On Wednesday 24 December 2008 16:30:58 Robert Moskowitz wrote:
> Anne Wilson wrote:
>> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
> This is part of my real-life job....
> It is relatively easy to attempt an ARP poison attack on a wireless network, even an encrypted one (of course the attacker has to be a legal user of said encrypted network).
> Once the attacker has poisoned your and the router's ARP caches, he can then use a tool like dsniff to insert himself into your HTTP flows. Thing is, he cannot fake web site certs; he has to use his own.
> Be VERY restrictive on what you will accept as certs on a public wireless network. Actually look at their content, making sure who signed them. It is actually wise to store your bank's certs on your system, then only accept stored certs, even to excluding (or at least first reviewing) certs signed by trusted authorities like Verisign.
> If you validate the cert, the man in the middle SSL attack fails.
> BTW, at IETF conferences we have had people running bogus SSH servers through dsniff and other tools, and you had to watch the SSH fingerprints as well.
Hi, Robert. Thanks for answering.
My bank first requires an account number - which I don't store on the netbook - then it displays a picture chosen by them and a phrase chosen by me. Finally I give my login pin. I think they're being reasonably cautious and I don't think it would be easy for an intruder to send me false web pages during login. However, unlike some sites that I've visited, the certificates are not in clear view. Can you give me some guidance on how to view and validate their certificates? I like the idea of having a saved copy to validate against.
Anne
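Robert's advice to store the bank's cert and accept only that one, and his remark about watching SSH fingerprints, are the same mechanism: record a fingerprint the first time you see it from a network you trust, then refuse anything else. The following is an added example of that check, not code from the thread; the host name is a placeholder and the two DER blobs used in the demo are constructed bytes standing in for real certificates.

```python
"""Pin the bank's certificate on top of normal TLS validation (added example).

Assumptions: the host name is a placeholder, and the DER blobs in the demo are
constructed bytes, not real certificates.
"""
import hashlib
import hmac
import json
import os
import socket
import ssl


class PinMismatch(Exception):
    """The peer presented a certificate other than the one we stored."""


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the AA:BB:... form that
    `openssl x509 -noout -fingerprint -sha256` prints, so a pin can be
    compared by eye with what the browser's certificate viewer shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Host -> fingerprint map, optionally persisted as JSON. It behaves
    like ssh's known_hosts: the first sighting is recorded, and every
    later connection must present the same certificate."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh, indent=2)

    def check(self, host: str, der: bytes) -> str:
        """Return "stored" on first use, "ok" on a match; raise otherwise."""
        seen = fingerprint(der)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = seen
            self.save()
            return "stored"
        if hmac.compare_digest(stored, seen):
            return "ok"
        raise PinMismatch(f"{host}: stored {stored}, presented {seen}")


def safe_check(store: PinStore, host: str, der: bytes) -> str:
    """Same as PinStore.check, but reports a mismatch as a string."""
    try:
        return store.check(host, der)
    except PinMismatch:
        return "MISMATCH"


def fetch_peer_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Connect with the system trust store and hostname checking left ON
    and return the leaf certificate the peer presented. Pinning sits on
    top of normal validation; it does not replace it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_bank(host: str, store: PinStore, port: int = 443) -> str:
    """Network check: fetch the leaf and compare it with the stored pin."""
    return safe_check(store, host, fetch_peer_der(host, port))


if __name__ == "__main__":
    # Needs network. Run once at home to record the pin, then on the road.
    store = PinStore(os.path.expanduser("~/.bank-pins.json"))
    print(verify_bank("bank.example", store))  # placeholder host
```

The default context already refuses a dsniff-style self-signed cert or one issued for another name, so that case never reaches the pin; the pin catches the case Robert is worried about, a certificate for the bank's name that a trusted authority did issue. A "MISMATCH" on the road therefore means either the bank renewed its certificate or someone is in the middle, and the only way to tell is to re-check from a network you trust; do not simply overwrite the stored pin from the hotel.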
On Wed, Dec 24, 2008 at 9:46 AM, Anne Wilson cannewilson@googlemail.com wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
I would not consider using a Public terminal, without booting from my own Live CD. If you are bringing your Laptop, use as much encryption as is possible. There is risk and others have and will comment on that.
Lanny Marcus wrote:
> On Wed, Dec 24, 2008 at 9:46 AM, Anne Wilson cannewilson@googlemail.com wrote:
>> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
> I would not consider using a Public terminal, without booting from my own Live CD. If you are bringing your Laptop, use as much encryption as is possible. There is risk and others have and will comment on that.
"as much encryption as is possible" Just strikes me all wrong.
"Use the RIGHT amount of intelligence."
I have pointed out a MITM attack where no amount of encryption is a protection, as you are social engineered to allow for a MITM listener.
My boss, Peter Tippet (author of the first antivirus tool), has long pointed out that your security cost is a product of a number of factors. If any of these factors are zero, your cost is zero. Your goal is thus to make one of the factors you can control zero instead of running around trying to address every little security event.
ARGH, I am rambling here.....
On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz rgm@htt-consult.com wrote:
> Lanny Marcus wrote: "as much encryption as is possible" Just strikes me all wrong.
> "Use the RIGHT amount of intelligence."
I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows.
On Dec 25, 2008, at 5:43 PM, Lanny Marcus wrote:
> On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz rgm@htt-consult.com wrote:
>> Lanny Marcus wrote: "as much encryption as is possible" Just strikes me all wrong.
>> "Use the RIGHT amount of intelligence."
> I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows.
I am always careful when I travel, but I also realize that the main way that *my* information is *statistically* and *realistically* likely to be stolen is... someone stealing my paper mail.
If I were logging into client boxes while I travel that is a different concern of course.
B
Lanny Marcus wrote:
> On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz rgm@htt-consult.com wrote:
>> Lanny Marcus wrote: "as much encryption as is possible" Just strikes me all wrong.
>> "Use the RIGHT amount of intelligence."
> I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows.
The only way to begin to trust a public system.