How secure is a public hotspot?

Sorry gang..... I know the question has been asked a thousand times before,
but with changes in technology maybe the answer gets changed. What's the
latest on public hotspot security? If I go into my library (yeah - free
wifi !!!), can I feel secure logging onto my bank or brokerage account? How
about Starbucks at nine bucks a day?

Is there anything I can do to increase my level of security if I am surfing
on a public hotspot? Just what are the weaknesses I may encounter?

If a hacker gets interested in trying to get information transmitted in a
local coffee shop with a wifi for patrons, just what is he doing that he
might get something useful? So he could log into the portal too..... big
deal, I don't think he is logging into my computer and I have my Windows
firwall turned on anyway.

Jim

Jim Sant wrote:

> Sorry gang..... I know the question has been asked a thousand times
> before,
> but with changes in technology maybe the answer gets changed. What's the
> latest on public hotspot security? If I go into my library (yeah - free
> wifi !!!), can I feel secure logging onto my bank or brokerage account?
> How about Starbucks at nine bucks a day?
>
> Is there anything I can do to increase my level of security if I am
> surfing
> on a public hotspot? Just what are the weaknesses I may encounter?
>
> If a hacker gets interested in trying to get information transmitted in a
> local coffee shop with a wifi for patrons, just what is he doing that he
> might get something useful? So he could log into the portal too..... big
> deal, I don't think he is logging into my computer and I have my Windows
> firwall turned on anyway.
>
> Jim
As long as the conversation is https it is encrypted end-to-end, i.e. from
your browser to the server. So however insecure the transmission media the
content is as secure as the level of encryption that is used. Most banks
and the like use decent levels of encryption. You can check the type of
encryption and the key lengths on most browsers (on mine a little padlock
appears and by clicking on it I get to see the parameters).

David

David Goodenough wrote:
> Jim Sant wrote:
>
>> Sorry gang..... I know the question has been asked a thousand times
>> before,
>> but with changes in technology maybe the answer gets changed. What's the
>> latest on public hotspot security? If I go into my library (yeah - free
>> wifi !!!), can I feel secure logging onto my bank or brokerage account?
>> How about Starbucks at nine bucks a day?
>>
>> Is there anything I can do to increase my level of security if I am
>> surfing
>> on a public hotspot? Just what are the weaknesses I may encounter?
>>
>> If a hacker gets interested in trying to get information transmitted in a
>> local coffee shop with a wifi for patrons, just what is he doing that he
>> might get something useful? So he could log into the portal too..... big
>> deal, I don't think he is logging into my computer and I have my Windows
>> firwall turned on anyway.
>>
>> Jim
> As long as the conversation is https it is encrypted end-to-end, i.e. from
> your browser to the server. So however insecure the transmission media the
> content is as secure as the level of encryption that is used. Most banks
> and the like use decent levels of encryption. You can check the type of
> encryption and the key lengths on most browsers (on mine a little padlock
> appears and by clicking on it I get to see the parameters).
>
> David

Unfortunately, many sites do NOT have the login page as an https and it
is therefore NOT secure.

> As long as the conversation is https it is encrypted end-to-end, i.e. from
> your browser to the server. So however insecure the transmission media the

I know what you're getting at but just to be awfully pedantic, https is
secure between one endpoint and another. A hacker could potentially
play a man in the middle and send you his certificate in place of that
of the bank. The traffic is then decrypted at his machine and re-
encrypted on the way to the bank.

Of course, this would require that the user click OK on the warning that
says that this certificate is not from a site that you trust etc but
could easily catch an unknowing user that doesn't bother to check the
validity of the certificate offered.

> encryption and the key lengths on most browsers (on mine a little padlock
> appears and by clicking on it I get to see the parameters).

and equally importantly, the certificate trust chain and site name. The
level of key length is rather arbitrary if the certificate isn't from
whom it should be!

Lots of if's in the above but that was the question.

David.

In article <2-(E-Mail Removed)>, ken <(E-Mail Removed)> wrote:
>David Goodenough wrote:
>> Jim Sant wrote:
>>
>>> Sorry gang..... I know the question has been asked a thousand times
>>> before,
>>> but with changes in technology maybe the answer gets changed. What's the
>>> latest on public hotspot security? If I go into my library (yeah - free
>>> wifi !!!), can I feel secure logging onto my bank or brokerage account?
>>> How about Starbucks at nine bucks a day?
>>>
>>> Is there anything I can do to increase my level of security if I am
>>> surfing
>>> on a public hotspot? Just what are the weaknesses I may encounter?
>>>
>>> If a hacker gets interested in trying to get information transmitted in a
>>> local coffee shop with a wifi for patrons, just what is he doing that he
>>> might get something useful? So he could log into the portal too..... big
>>> deal, I don't think he is logging into my computer and I have my Windows
>>> firwall turned on anyway.
>>>
>>> Jim
>> As long as the conversation is https it is encrypted end-to-end, i.e. from
>> your browser to the server. So however insecure the transmission media the
>> content is as secure as the level of encryption that is used. Most banks
>> and the like use decent levels of encryption. You can check the type of
>> encryption and the key lengths on most browsers (on mine a little padlock
>> appears and by clicking on it I get to see the parameters).
>>
>> David
>
>Unfortunately, many sites do NOT have the login page as an https and it
>is therefore NOT secure.

So true, but then that isn't a hotspot problem per se, more a problem of
the data is in the clear in the internet itself. But certainly the fellow
at the next table sipping a latte code intercept as well.

fundamentalism, fundamentally wrong.

In article <ArZag.53432$(E-Mail Removed)>, "Jim Sant" <(E-Mail Removed)> wrote:
>Sorry gang..... I know the question has been asked a thousand times before,
>but with changes in technology maybe the answer gets changed. What's the
>latest on public hotspot security? If I go into my library (yeah - free
>wifi !!!), can I feel secure logging onto my bank or brokerage account? How
>about Starbucks at nine bucks a day?
>
>Is there anything I can do to increase my level of security if I am surfing
>on a public hotspot? Just what are the weaknesses I may encounter?
>
>If a hacker gets interested in trying to get information transmitted in a
>local coffee shop with a wifi for patrons, just what is he doing that he
>might get something useful? So he could log into the portal too..... big
>deal, I don't think he is logging into my computer and I have my Windows
>firwall turned on anyway.
>
>Jim
>
>

One option is one of the public vpn servers. You visit the hotpspot and log
into what ever vpn 'service' you are signed up for. This would keep
snoopers sharing the hotspot out yf your traffic (at a cost of some added
latency)
As to your banking, https (secure socket) should have you covered. At least
as secure as you can be on the internet. Note warnings by others in the
thread.

fundamentalism, fundamentally wrong.

>ken <(E-Mail Removed)> wrote:

>> content is as secure as the level of encryption that is used. Most banks
>> and the like use decent levels of encryption. You can check the type of
>> encryption and the key lengths on most browsers (on mine a little padlock
>> appears and by clicking on it I get to see the parameters).
>>
>> David
>
>Unfortunately, many sites do NOT have the login page as an https and it
>is therefore NOT secure.

"Many" financial sites with a nonsecure login page? Can you name a few?

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <ArZag.53432$(E-Mail Removed)> on Thu, 18 May 2006 08:07:04
-0400, "Jim Sant" <(E-Mail Removed)> wrote:

>Sorry gang..... I know the question has been asked a thousand times before,
>but with changes in technology maybe the answer gets changed.

Nope.

>What's the
>latest on public hotspot security?

There is no security.

>If I go into my library (yeah - free
>wifi !!!), can I feel secure logging onto my bank or brokerage account?

Only if the connection is protected with a security layer (e.g., SSL). But
even with that you won't be protected on a public computer, because it could
be infected with a virus that captures sensitive info before it's encrypted
(e.g., keystroke logger).

>How
>about Starbucks at nine bucks a day?

No better.

>Is there anything I can do to increase my level of security if I am surfing
>on a public hotspot?

Sure -- sign up for secure VPN service with a trusted provider.

>Just what are the weaknesses I may encounter?

Assume that everything in the clear is being snooped.

>If a hacker gets interested in trying to get information transmitted in a
>local coffee shop with a wifi for patrons, just what is he doing that he
>might get something useful?

Capturing sensitive information on the wireless. Hacking into wireless
machines by exploiting weaknesses, especially when there isn't an effective
firewall.

>So he could log into the portal too..... big
>deal, I don't think he is logging into my computer and I have my Windows
>firwall turned on anyway.

Windows has a long history of exploitable vulnerabilities, and there are
undoubtedly more that haven't been discovered and plugged.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>

David Taylor wrote:

>> As long as the conversation is https it is encrypted end-to-end, i.e.
>> from
>> your browser to the server. So however insecure the transmission media
>> the
>
> I know what you're getting at but just to be awfully pedantic, https is
> secure between one endpoint and another. A hacker could potentially
> play a man in the middle and send you his certificate in place of that
> of the bank. The traffic is then decrypted at his machine and re-
> encrypted on the way to the bank.
>
> Of course, this would require that the user click OK on the warning that
> says that this certificate is not from a site that you trust etc but

Is IE showing that message by default these days? I know that a number of
sites I use regularly, that have improperly constructed certificates, give
me that message in Firefox & Konqueror, but IE doesn't. But then I usually
only use IE when I hit a website that only works for IE.

> could easily catch an unknowing user that doesn't bother to check the
> validity of the certificate offered.

It's pretty much standard practice for users to click right through those
messages. Of course, the large number of sites that don't realize you
can't just move these certificates from host to host doesn't help.
--
derek

Dave Rudisill wrote:

>>ken <(E-Mail Removed)> wrote:
>
>>> content is as secure as the level of encryption that is used. Most
>>> banks
>>> and the like use decent levels of encryption. You can check the type of
>>> encryption and the key lengths on most browsers (on mine a little
>>> padlock appears and by clicking on it I get to see the parameters).
>>>
>>Unfortunately, many sites do NOT have the login page as an https and it
>>is therefore NOT secure.
>
> "Many" financial sites with a nonsecure login page? Can you name a few?

Don't know if David really meant financial - just sites with login pages.
ime, most ISP's webmail pages don't provide HTTPS login pages (as opposed
to the big boys like gmail, hotmail and yahoo-mail - though hotmail and
yahoo, at least, don't even force you to login through https, and none of
them give you the option of doing all your webmail over https). Mine
explicitly refused to do so, or to get a proper certificate for their POP
server. They said they couldn't provide that unless one was willing to
upgrade to a business account. I pointed out that they already _are_
providing TLS on the pop server, just with a b0rked certificate. They
responded by quietly breaking the certificate by replacing it with an even
worse one!
--
derek