Posted by Jeff Liebermann on July 4, 2009, 9:57 pm
Most financial and banking web sites offer SSL (secure socket layer) encryption between your browser and the bank. The degree of encryption varies among banks. Some encrypt the entire session. Others only encrypt logins and specific sessions.

Despite SSL and authentication, there are still problems:
<http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
These problems are not unique to wireless and can also occur with a wired internet connection. All I can offer is the usual "be careful" warning.

The one that worries me is where banks place a secure login box in the middle of an unencrypted web page. That's an open invitation to a man-in-the-middle exploit. Wells Fargo, my bank, is a prime culprit.

A real danger in wireless online banking using Wi-Fi is a spoofed or faked web site designed to trick you into logging in with your login and password. Banks use various measures to avoid fraudulent web sites, but all rely on the user recognizing the difference between the real site and the fake. That's not really reliable.

If you're paranoid, discuss using x.509 certificates and a one time password generator (S/key) dongle with your bank. They may not do anything, but they might recognize that there's a problem and therefore a demand for such devices. For example:
<http://www.aladdin.com/etoken/devices/pass.aspx>
<http://www.rsa.com/node.aspx?id=1158>
Most banks already use these for their employees and inside transactions.

Despite SSL and authentication, there are still problems:
<http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
These problems are not unique to wireless and can also occur with a wired internet connection. All I can offer is the usual "be careful" warning.

You could also use a VPN service, which would encrypt everything between your laptop and the proxy server. Sniffing would be impossible.
<http://wireless.navas.us/wiki/Wi-Fi#VPN_Service_Providers>

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
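
The login-box problem raised in the post above, written as a page audit in Python. This is an added example, not part of the original thread; the host names, the sample page and the `audit_login_forms` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>, in document order
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_login_forms(page_url, html):
    """Return (submit_target, verdict) for every password form on the page.

    An https target is not enough: if the page carrying the form came over
    http, the form itself can be rewritten before it reaches the browser.
    """
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            verdict = "credentials submitted in cleartext"
        elif not page_is_https:
            verdict = "https target, form delivered over http"
        else:
            verdict = "ok"
        findings.append((target, verdict))
    return findings

# Constructed sample: an http home page with an embedded login box posting to https.
SAMPLE = """<html><body><form action="/search"><input type="text" name="q"></form>
<form action="https://online.bank.example/signon" method="post">
<input type="text" name="user"><input type="password" name="pw"></form></body></html>"""
```
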
Posted by Justin on July 5, 2009, 12:14 am
> On Sat, 04 Jul 2009 20:37:44 -0400, Justin
>
>> I understand network shares and securing that.
>> But what about wireless and paying my bills online? Can somebody see
>> all that information even if the page is encrypted?
>
> Most financial and banking web sites offer SSL (secure socket layer)
> encryption between your browser and the bank. The degree of
> encryption varies among banks. Some encrypt the entire session.
> Others only encrypt logins and specific sessions.
>
> Despite SSL and authentication, there are still problems:
> <http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
> These problems are not unique to wireless and can also occur with a
> wired internet connection. All I can offer is the usual "be careful"
> warning.
>
> The one that worries me is where banks place a secure login box in the
> middle of an unencrypted web page. That's an open invitation to a
> man-in-the-middle exploit. Wells Fargo, my bank, is a prime culprit.
>
> A real danger in wireless online banking using Wi-Fi is a spoofed or
> faked web site designed to trick you into logging in with your login
> and password. Banks use various measures to avoid fraudulent web
> sites, but all rely on the user recognizing the difference between the
> real site and the fake. That's not really reliable.
>
> If you're paranoid, discuss using x.509 certificates and a one time
> password generator (S/key) dongle with your bank. They may not do
> anything, but they might recognize that there's a problem and
> therefore a demand for such devices. For example:
> <http://www.aladdin.com/etoken/devices/pass.aspx>
> <http://www.rsa.com/node.aspx?id=1158>
> Most banks already use these for their employees and inside
> transactions.
>
> Despite SSL and authentication, there are still problems:
> <http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
> These problems are not unique to wireless and can also occur with a
> wired internet connection. All I can offer is the usual "be careful"
> warning.
>
> You could also use a VPN service, which would encrypt everything
> between your laptop and the proxy server. Sniffing would be
> impossible.
> <http://wireless.navas.us/wiki/Wi-Fi#VPN_Service_Providers>
>

OK, I think I understand.
I use Citizens Bank
https://www.citizensbankonline.com/
does that look OK to you?
Posted by Jeff Liebermann on July 5, 2009, 12:38 am
On Sun, 05 Jul 2009 00:14:18 -0400, Justin

>OK, I think I understand.
>I use Citizens Bank
>https://www.citizensbankonline.com/
>does that look OK to you?

Yep. SSL on all pages. Certificate issued and verified by VeriSign. Yeah, looks good enough. I can't tell if there are additional anti-spoofing features because I can't login.

Be advised that it is still possible to perform a man in the middle attack with SSL.
<http://www.sans.org/reading_room/whitepapers/threats/ssl_maninthemiddle_attacks_480>
Note that IE 6.0 and before have a problem handling SSL properly. I consider this exploit unlikely, but still possible.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
Posted by Justin on July 5, 2009, 1:19 am
Jeff Liebermann wrote:
> On Sun, 05 Jul 2009 00:14:18 -0400, Justin
>
>> OK, I think I understand.
>> I use Citizens Bank
>> https://www.citizensbankonline.com/
>> does that look OK to you?
>
> Yep. SSL on all pages. Certificate issued and verified by VeriSign.
> Yeah, looks good enough. I can't tell if there are additional
> anti-spoofing features because I can't login.
>
> Be advised that it is still possible to perform a man in the middle
> attack with SSL.
> <http://www.sans.org/reading_room/whitepapers/threats/ssl_maninthemiddle_attacks_480>
> Note that IE 6.0 and before have a problem handling SSL properly. I
> consider this exploit unlikely, but still possible.
>

I think I understand. If I'm on an unverified network, or one I know can possibly be compromised (college?) do my banking from the computer lab...
Posted by Rico on July 7, 2009, 9:28 am
I know odd question but has anyone seen or run across a wifi (g) thermometer that can be accessed via a LAN or for that matter an IP thermometer? Plenty of wireless ones via Google but have a need to place one outside and have it readable from the LAN if possible.

Thanks for hints or suggestions

fundamentalism, fundamentally wrong.

Re: Wifi security in Hotels?
>But what about wireless and paying my bills online? Can somebody see
>all that information even if the page is encrypted?