Safe to use https over unsecured wifi hotspot?

Is it safe to use https to read my webmail over an unsecured public wifi hotspot?

Thanks!

Reply to
John

What do you do if you get a browser window saying:

"Unable to verify the identity of webmail.somedomain.com as a trusted site. [Accept temporarily] [Accept permanently] [Cancel]"

If you click anything other than Cancel, you are insecure!

Also, your computer is exposed to everyone in the WLAN, so make sure to use a firewall!

Thomas

Reply to
Thomas Krüger

I would just like to know if https is using a stronger or weaker security than wep/wpa, that's all...

Reply to
John

Secure Sockets Layer (the 'S' in httpS) is more secure than WEP and WPA. For reading email, https on an open network is plenty safe. Just remember that all other communication could be subject to eavesdropping. I think the poster at the top also recommended using a firewall when in a coffee shop / McDonalds etc., he is right! The one with WinXP SP2 is likely good enough once you configure it properly. Default to deny is the rule. Much safer to open a hole when you need it than close one after an attack.

fundamentalism, fundamentally wrong.

Reply to
Rico

Like everything in security, that depends. "Is this system secure?" is a meaningless question in security. It is, however, fair to say that the difference in security between https over an unsecured wireless connection and a 'secured' one is very small.

There are basically eight ways (I can think of off the top of my head) to impersonate the server or capture your data:

a) Have massive computational power - seems likely that the security services can do this if they really want, but doubtful that they'd want to expend the resources. (Anybody who doubts that should note that they've consistently been about 20 years ahead of civilian cryptanalysts in every area that we've known about since WW2, but then again your guess is as good as mine!)
b) Know of a vulnerability that makes the encryption easy to break (again - governments etc. In this case though, once they've found the vulnerability, attacks become cheap).
c) Control the computers of a certifying authority that you trust (or more likely, your web browser trusts by default).
d) Exploit a vulnerability in your web browser.
e) Know of a vulnerability in the SSL protocol.
f) Take over the real server (by force, law, exploiting vulnerabilities, etc), or otherwise steal its secret key.
g) TEMPEST attacks (everything from watching you typing in your password, to monitoring EM transmissions to work out what you're doing).
h) Have already compromised your machine.

(I started off with 3, then it became 4, then 5, 6, 7, 8... - I'm sure I've still forgotten some, but you hopefully get the idea).

All the methods except H and F require significant power, but if you are likely to be attacked by somebody with such power (a government, for example) then you should not be reading your email through webmail! Anybody who can manage one of those attacks isn't going to find it hard to intercept the data going between the wifi point and your server. In case H, the game is already over. Anybody who can do F has access to the most secret information on your provider's email server - so odds are that they already have your email.

(The answer you probably wanted was: Yes) :-)

Alun Harford

Reply to
Alun Harford

HTTPS is used on the Internet for secure encrypted traffic between the Web site and the client machine, such as accessing a bank to do transactions as an example. So that type of connection is secured to begin with, and WEP and WPA are just icing on the cake if you're using them with an HTTPS connection.

Duane :)

Reply to
Duane Arnold

Since you can make an X.509 certificate with an RC4 key - or even DES, this isn't exactly a sensible statement! It's all a case of "it depends"!

Alun Harford

Reply to
Alun Harford

From: John
Date: Tues, Feb 14 2006 2:29 pm
Groups: alt.internet.wireless


Both WEP and SSL use the RC4 encryption algorithm. WEP's weakness is in the keying distribution algorithm (or lack thereof). SSL uses X509 certificates to authenticate the server through a trusted third party to the client... once authenticated, the client creates a shared secret session key and sends it to the server encrypted with the server's public key obtained from the certificate - as long as the chain of trust is intact for the server's certificate, then it is reasonably safe. WPA uses the RC4 encryption as well but is head and shoulders above WEP because it uses the Temporal Key Integrity Protocol (TKIP) for an actual key derivation and scheduling algorithm. The only known feasible attack is when using WPA with a pre-shared key - it is subject to a dictionary attack - so use good "pass phrase" selection techniques and it should be reasonably secure.

The above applies to transmission only - once on your machine, as another poster states, you need to protect with a good firewall etc.

So to answer your question:

WEP - no good
WPA - good
HTTPS - good
WPA + HTTPS = better
WPA + HTTPS + VPN = best

Reply to
jrhick

While I agree, it's pretty common to come across websites that you pretty much have to "Accept". Microsoft insists on using self-signed certificates. My recent version of Firefox won't accept them, though (surprise!) Internet Explorer always does.

Reply to
Derek Broughton

It's at a different level in the protocol stack. https is application-level encryption, and is as strong as the keysize and type used by the server (often 128-bit, sometimes larger). Wep/wpa are much lower down the stack, and WEP in particular is not terribly secure.

Mark McIntyre

Reply to
Mark McIntyre

I've never had an unverified certificate not pop up a Window in IE, but I'm sure you have so OK.

fundamentalism, fundamentally wrong.

Reply to
Rico

In that case, you're choosing to trust the certificate. The fact that IE implements it badly (by making it really easy for the user to do really dumb things) doesn't weaken SSL in any way.

Alun Harford

Reply to
Alun Harford
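
An added example (not part of any post in this thread): the two conditions the replies keep returning to, that the certificate is actually verified and that the negotiated cipher is not a weak one, checked on a Python `ssl` client context. The marker list, function names and sample entries are assumptions of this example.

```python
import ssl

# Name fragments of cipher suites generally treated as weak (RC4, DES/3DES,
# NULL, export-grade, MD5). This list is an assumption of the example.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def weak_ciphers(cipher_dicts, min_bits=128):
    """Return names of suites below min_bits or built on a weak primitive.

    cipher_dicts has the shape returned by SSLContext.get_ciphers().
    """
    weak = []
    for c in cipher_dicts:
        name = c["name"].upper()
        if c["strength_bits"] < min_bits or any(m in name for m in WEAK_MARKERS):
            weak.append(c["name"])
    return weak


def audit_context(ctx):
    """List reasons a client SSLContext would not give the protection
    discussed in the thread (an empty list means none were found)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    findings += [f"weak cipher enabled: {n}" for n in weak_ciphers(ctx.get_ciphers())]
    return findings


def accept_anything_context():
    """Programmatic equivalent of clicking [Accept] on every warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx


# Constructed sample entries, not captured from a real server.
SAMPLE = [
    {"name": "RC4-SHA", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
]

if __name__ == "__main__":
    print("default client context:", audit_context(ssl.create_default_context()))
    print("accept-anything context:", audit_context(accept_anything_context()))
    print("weak in sample:", weak_ciphers(SAMPLE))
```
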
