[DeelyBopper]

Do you happily sign onto public wi-fi such as mcdonalds and starbucks?

I'm cautious about security. If I need to rely on wi-fi for internet access apart from the obvious considerations like not doing banking etc, is it safe? Or should I really use some sort of paid vpn service for peace of mind?

Also, given a choice of using wi-fi or 3g, which is quickest? Always use wi-fi when available to save costs?

[soulboy77]

As long as you have decent protection on your laptop then it shouldn't be a problem unless you do stupid things on line.

[DeelyBopper]

I usually use MSE.

[chrisjr]

The WiFi security you use at home only protects the WiFi link, it has zero effect on security out to the wider interweb. So it doesn't matter what, if any, security you use on the WiFi if the site you visit is infested with all sorts of malware or has been hacked to pieces to harvest sensitive data.

Not having any WiFi security might be a risk if someone is eavesdropping on the WiFi communication and sucking the relevant data out of that. Not sure I've ever heard of that being done though.

As for which is quicker, WiFi or 3G. How long is that piece of string? Impossible to answer.

It all depends on the speed of the connection to the internet that you are tapping into with the WiFi. That could be slower, equal to or faster than 3G. So neither is inherently faster or slower than the other.

[Stig]

Quote:

Originally Posted by DeelyBopper

Do you happily sign onto public wi-fi such as mcdonalds and starbucks?

I'm cautious about security. If I need to rely on wi-fi for internet access apart from the obvious considerations like not doing banking etc, is it safe? Or should I really use some sort of paid vpn service for peace of mind?

Also, given a choice of using wi-fi or 3g, which is quickest? Always use wi-fi when available to save costs?

Online backing is encrypted using SSL, so actually it's safe.

How paranoid do you want to be? Unless you are sending your credit card and PIN number via an unencrypted email you will be fine.

[flagpole]

in public wifi all data packets sent can be clearly read by anyone else on the network. that is the first thing.

additionally you have no way of knowing that you are actually connected to the access point you think you are so traffic can be redirected. as in when you type hsbc.co.uk you could be sent anywhere.

however life is not so bad as that sounds.

all data packets that are encrypted with https are secure. even if they are read they will be meaningless. and that should cover the sensitive stuff. if your device has email for example you need to make sure that is encrypted too.

as for redirection. if you go to hsbc, or gmail or whatever once you get to the secure pages there will be a certificate issued for the encryption. you can see this on the left of your address bar. if that certificate checks out then there is very little chance that it is not hsbc.

what else could i do, well if i can redirect you i guess i could redirect any downloads you might try, any programs i mean, to something of mine that is nasty and you would think was the app you intended to download. i've never heard of this being done.

i'm sure those are not the only risks. but if you accept that any unencrypted data can be read. and check that sites that should be encrypted are. you should be ok.

[Robert_Crowther]

You could always use a VPN

[cnbcwatcher]

I often use public wifi but if I have to do anything that involves entering my credit card details or other private data then I'll wait until I'm at home or use a mobile dongle or my phone.

[DeelyBopper]

Quote:

Originally Posted by Robert_Crowther

You could always use a VPN

YOu're Back!!! Hooray.

[tealady]

Quote:

Originally Posted by Robert_Crowther

You could always use a VPN

Really subtle new username.

[DeelyBopper]

Quote:

Originally Posted by Stig

Online backing is encrypted using SSL, so actually it's safe.

How paranoid do you want to be? Unless you are sending your credit card and PIN number via an unencrypted email you will be fine.

I'm only slightly paranoid but do like to be safe.

I was asking out of safety rather than paranoia as I have no idea what I should be doing.

If the consensus is that most people do log into public wi-fi hotspots without worry then that's fine with me.

I'll just make sure that whatever I'm browsing is something I'd be happy to browse even if a stranger was sat next to me watching.

I'll leave the banking and jodhpursaresexy.com to when I'm safely tethered using 3g.

Is using a vpn overkill then?

[Stig]

Quote:

Originally Posted by DeelyBopper

YOu're Back!!! Hooray.

But not back for long. Such arrogance...

[chrisjr]

Banking uses (or should use) secure encryption. This is applied by your laptop to the data it exchanges with the internet. So even is someone was snooping on your WiFi link what they receive would be useless to them.

So your biggest danger could be someone peering over your shoulder memorising what you type. Or a keylogger secretly installed on your machine that records everything you type. That would get round any form of WiFi security or using a 3G dongle.

[flagpole]

Quote:

Originally Posted by chrisjr

Banking uses (or should use) secure encryption. This is applied by your laptop to the data it exchanges with the internet. So even is someone was snooping on your WiFi link what they receive would be useless to them.

So your biggest danger could be someone peering over your shoulder memorising what you type. Or a keylogger secretly installed on your machine that records everything you type. That would get round any form of WiFi security or using a 3G dongle.

Like I said in post #6 it is possible for someone to set up an access point called something like McDonalds.WiFi that will just relay traffic unless you got to a secure site of some sort when it would redirect to it's own version of the page and capture your login.

[ibatten]

Quote:

Originally Posted by flagpole

Like I said in post #6 it is possible for someone to set up an access point called something like McDonalds.WiFi that will just relay traffic unless you got to a secure site of some sort when it would redirect to it's own version of the page and capture your login.

But then the certificate checking would fail. A really, really skilled attacker would have obtained a certificate for hsbc.co.uk or whatever from a certificate authority who was (a) solid enough to be included in the list of root CAs and (b) flakey enough to issue such a certificate to a random bystander. There are a proposals to deal with that scenario (certificate pinning and the like). But an attacker with the capability to do that wouldn't be wasting their time doing it for small WiFi networks, they would be making millions much deeper into the network.

[flagpole]

Quote:

Originally Posted by ibatten

But then the certificate checking would fail. A really, really skilled attacker would have obtained a certificate for hsbc.co.uk or whatever from a certificate authority who was (a) solid enough to be included in the list of root CAs and (b) flakey enough to issue such a certificate to a random bystander. There are a proposals to deal with that scenario (certificate pinning and the like). But an attacker with the capability to do that wouldn't be wasting their time doing it for small WiFi networks, they would be making millions much deeper into the network.

You just don't encrypt it. Your custom access point grabs the encrypted page. Pushes an identical page with the correct domain in the browser because you're using a custom DNS server. Hardly anyone checks that a page is actually encrypted. They just assume it will be.

You use the actual access point for the real bandwidth. No special skills required, just download the tool.

[Matt D]

Quote:

Originally Posted by flagpole

Like I said in post #6 it is possible for someone to set up an access point called something like McDonalds.WiFi that will just relay traffic unless you got to a secure site of some sort when it would redirect to it's own version of the page and capture your login.

IIRC there was a TV show that demonstrated this a few years ago..."The Real Hustle"? They set up a fake WiFi hotspot in an airport and waited to see how many people fell for it...

[DeelyBopper]

Quote:

Originally Posted by Matt D

IIRC there was a TV show that demonstrated this a few years ago..."The Real Hustle"? They set up a fake WiFi hotspot in an airport and waited to see how many people fell for it...

Good show, shame she went down the route of plastic surgery and tattoos, but each to their own!

[flagpole]

Quote:

Originally Posted by DeelyBopper

Good show, shame she went down the route of plastic surgery and tattoos, but each to their own!

if you look hard enough there are pictures of her with her bat out from before that.

[DeelyBopper]

Quote:

Originally Posted by flagpole

if you look hard enough there are pictures of her with her bat out from before that.

I'm afraid to ask, bat?

[RobinOfLoxley]

The first few articles here are pretty comprehensive and understandable.

https://www.google.co.uk/search?pws=...+wifi+securely

[flagpole]

Quote:

Originally Posted by DeelyBopper

I'm afraid to ask, bat?

when seeking euphemisms for lady parts i just insert any noun.

[DeelyBopper]

Quote:

Originally Posted by RobinOfLoxley

The first few articles here are pretty comprehensive and understandable.

https://www.google.co.uk/search?pws=...+wifi+securely

Thanks and to everyone else that has taken time out to post. I'll do some more reading.

Quote:

Originally Posted by flagpole

when seeking euphemisms for lady parts i just insert any noun.

I feel the urge to look for said bat pics.

So far as Wi-Fi is concerned I think I'm going to use 3g as much as possible and only use wifi when absolutely necessary.

I had an image of me using a netbook in McD's / Starbucks / library but I think the reality is I prolly won't need to so long as I can get online properly once a day. Which I'll be able to do where I'm based.

[ibatten]

Quote:

Originally Posted by flagpole

You just don't encrypt it. Your custom access point grabs the encrypted page. Pushes an identical page with the correct domain in the browser because you're using a custom DNS server. Hardly anyone checks that a page is actually encrypted. They just assume it will be.

Sorry, could you run that by me again? Client attempts to connect to https://foo.bar, on port 443, using SSL. What happens next? Before the man in the middle can send any data, it has to present a certificate, as otherwise the SSL negotiation will fail. What does it do at that point? Be as technical as you like. Because if what you say is possible, SSL is completely broken, and it would be a very important result that should be in the literature.

[flagpole]

Quote:

Originally Posted by ibatten

Sorry, could you run that by me again? Client attempts to connect to https://foo.bar, on port 443, using SSL. What happens next? Before the man in the middle can send any data, it has to present a certificate, as otherwise the SSL negotiation will fail. What does it do at that point? Be as technical as you like. Because if what you say is possible, SSL is completely broken, and it would be a very important result that should be in the literature.

the ssl is never engaged to the end client. only between the MitM and the real server.

the man in the middle see the request for https://foo.bar, or more likely a lookup on foo.bar and redirects it locally. the MitM retrieves https://foo.bar itself. and represents it to the end user with a redirect as http://foo.bar the process continues around foo.bar

why is that hard?