Safe to use https over unsecured wifi hotspot?

Is it safe to use https to read my webmail over an unsecured public wifi
hotspot?

Thanks!

John wrote:
> Is it safe to use https to read my webmail over an unsecured public wifi
> hotspot?

What are you doing if you get a Browser Window saying:

"Unable to verify the identity of webmail.somedomain.com as a trusted site.
[Accept temporarily] [Accept permanently] [Cancel]"

If you would klick anything other then cancel you are insecury!

Also your computer is exposed to the everyone in the WLAN, so make sure to
use a firewall!

Thomas

> What are you doing if you get a Browser Window saying:
> "Unable to verify the identity of webmail.somedomain.com as a trusted
> site.
> [Accept temporarily] [Accept permanently] [Cancel]"
> If you would klick anything other then cancel you are insecury!

I would just like to know if https is using a stronger or weaker security
then wep/wpa, that's all...

In article <43f23daf$0$13318$(E-Mail Removed)>, "John" <(E-Mail Removed)> wrote:
>> What are you doing if you get a Browser Window saying:
>> "Unable to verify the identity of webmail.somedomain.com as a trusted
>> site.
>> [Accept temporarily] [Accept permanently] [Cancel]"
>> If you would klick anything other then cancel you are insecury!
>
>I would just like to know if https is using a stronger or weaker security
>then wep/wpa, that's all...

Sercure Socket Layer (the 'S' in httpS) is more secure then WEP and WPA.
For reading email https on an open network is plenty safe. Just remember
that all other communication could be subject to ease dropping. I think the
poster at the top also recommended using a firewall when in a coffee shop
/ McDonalds etc, he is right! THe one with WinXP sp2 is likely good enough
once you configure it properly. Default to deny is the rule. Much safer to
open a hole when you need it then close one after an attack.

fundamentalism, fundamentally wrong.

"John" <(E-Mail Removed)> wrote in message
news:43f22482$0$13343$(E-Mail Removed). ..
> Is it safe to use https to read my webmail over an unsecured public wifi
> hotspot?

Like everything in security, that depends. "Is this system secure?" is a
meaningless question in security.
It is, however, fair to say that the difference in security between https
over an unsecured wireless connection and a 'secured' one is very small.

There are basically eight ways (I can think of off the top of my head) to
impersonate the server or capture your data:
a) Have massive computational power - seems likely that the security
services can do this if they really want, but doubtful that they'd want to
expend the resources. (Anybody who doubts that should note that they've
consistently been about 20 years ahead of civilian cryptoanalysists in every
area that we've known about since WW2, but then again your guess is as good
as mine!)
b) Know of a vulnerability that makes the encryption easy to break (again -
governments etc. In this case though, once they've found the vulnerability,
attacks become cheap)
c) Control the computers of a certifying authority that you trust (or more
likely, your web browser trusts by default).
d) Exploit a vulnerability in your web browser.
e) Know of a vulnerability in the SSL protocol.
f) Take over the real server (by force, law, exploiting vulnerabilities,
etc), or otherwise steal its secret key.
g) TEMPEST attacks (everything from watching you typing in your password, to
monitoring EM transmissions to work out what you're doing).
h) Have already compromised your machine.

(I started off with 3, then it became 4, then 5, 6,7, 8... - I'm sure I've
still forgotten some, but you hopefully get the idea).

All the methods except H and F require significant power, but if you are
likely to be attacked by somebody with such power (a government, for
example) then you should not be reading your email through webmail! Anybody
who can manage one of those attacks isn't going to find it hard to intercept
the data going between the wifi point and your server.
In case H, the game is already over.
Anybody who can do F has access to the most secret information on your
provider's email server - so odds are that they already have your email.

(The answer you probably wanted was: Yes) :-)

Alun Harford

John wrote:
>>What are you doing if you get a Browser Window saying:
>>"Unable to verify the identity of webmail.somedomain.com as a trusted
>>site.
>>[Accept temporarily] [Accept permanently] [Cancel]"
>>If you would klick anything other then cancel you are insecury!
>
>
> I would just like to know if https is using a stronger or weaker security
> then wep/wpa, that's all...
>
>

HTTPS is used on the Internet for secure encrypted traffic between the
Web site and the client machine such as accessing a bank to do
transactions as an example. So that type of connection is secured to
begin with and WEP and WPA is just icing on the cake if you're using it
with a HTTPS connection.

Duane

"Rico" <(E-Mail Removed)> wrote in message
news:u%rIf.11722$(E-Mail Removed)...
> In article <43f23daf$0$13318$(E-Mail Removed)>, "John"
<(E-Mail Removed)> wrote:
> >> What are you doing if you get a Browser Window saying:
> >> "Unable to verify the identity of webmail.somedomain.com as a trusted
> >> site.
> >> [Accept temporarily] [Accept permanently] [Cancel]"
> >> If you would klick anything other then cancel you are insecury!
> >
> >I would just like to know if https is using a stronger or weaker security
> >then wep/wpa, that's all...
>
> Sercure Socket Layer (the 'S' in httpS) is more secure then WEP and WPA.

Since you can make an X.509 certificate with an RC4 key - or even DES, this
isn't exactly a sensible statement!
It's all a case of "it depends"!

Alun Harford

From: John - view profile
Date: Tues, Feb 14 2006 2:29 pm
Email: "John" <j...@nospamplease.com>
Groups: alt.internet.wireless
Not yet rated
Rating:
show options

Reply | Reply to Author | Forward | Print | Individual Message | Show
original | Report Abuse | Find messages by this author

>> What are you doing if you get a Browser Window saying:
>> "Unable to verify the identity of webmail.somedomain.com as a trusted
>> site.
>> [Accept temporarily] [Accept permanently] [Cancel]"
>> If you would klick anything other then cancel you are insecury!

>I would just like to know if https is using a stronger or weaker security
>then wep/wpa, that's all...


Both WEP and SSL uses the RC4 encryption algorithm.. WEP weakness is in
the keying distribution algorithm ( or lack there of). SSL uses X509
certificaticates to authenticate the server through a trusted third
party to the client... once authenticated then the client creates a
shared secret session key and sends tot he server encrypted withe the
server's public key obrtained from the certificate - as long as the
chain of trust is intact for the servers certificate, then it is
resonablely safe. WPA uses the RC4 encryption as well but is head and
shoulders above WEP because it uses the Temporal Key Integrity Protocol
(TKIP) for an actual key derivation and schedualing algorithm. Only
known feasible attack is when using WPA with a PreShared key - it is
subject to a dictionary attack - so use good "pass phrase" selection
techniques and it should be reasonable secure.

The above applies to transmission only - once on your machine as
another poster states, you need to protect with a good firewall ect.

So to answer your question WEP - no good WPA - good HTTPS - good WPA
+ HTTPS = better WPA + HTTPS + VPN = best

Thomas Krüger wrote:

> John wrote:
>> Is it safe to use https to read my webmail over an unsecured public wifi
>> hotspot?
>
> What are you doing if you get a Browser Window saying:
>
> "Unable to verify the identity of webmail.somedomain.com as a trusted
> site.
> [Accept temporarily] [Accept permanently] [Cancel]"
>
> If you would klick anything other then cancel you are insecury!
>
While I agree, it's pretty common to come across websites that you pretty
much have to "Accept". Microsoft insists on using self-signed
certificates. My recent version of Firefox won't accept them, though
(surprise!) Internet Explorer always does.
--
derek

On Tue, 14 Feb 2006 21:29:57 +0100, in alt.internet.wireless , "John"
<(E-Mail Removed)> wrote:

>> What are you doing if you get a Browser Window saying:
>> "Unable to verify the identity of webmail.somedomain.com as a trusted
>> site.
>> [Accept temporarily] [Accept permanently] [Cancel]"
>> If you would klick anything other then cancel you are insecury!
>
>I would just like to know if https is using a stronger or weaker security
>then wep/wpa, that's all...

Its at a different level in the protocol stack. https is
application-level encryption, and is as strong as the keysize and type
used by the server (often 128-bit, sometimes larger). Wep/wpa are much
lower down the stack, and WEP in particular is not terribly secure.
Mark McIntyre
--

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----