HotSpot Security

I go to a public hotspot and sign on using MY computer. I want to go to my bank which has SSL. Do I have any security concerns in this scenario? The bank has me on SSL from the very first so even my password is sent encrypted.

Kurt Ullman

You still have the possibility of a man in the middle attack if you aren't careful about verifying SSL certificate warnings.

You could unwittingly join someone's private access point on their laptop in the cafe who set the BSSID the same as the cafe's official access point. From there, a few attack scenarios are possible. One is if you accepted an SSLv2 certificate from the bank, that version has known crypto weaknesses and is crackable. Unlikely someone would go through that effort though. Easier still, the access point owner could shim in a proxy server between you and the bank and depending on the settings of your browser and your own penchant for clicking warning boxes to make them go away, many users could be lured into accepting the proxy's SSL certificate despite it not matching the bank's domain name. Result: proxy owner sees all your traffic in the clear. A third scenario, the access point owner redirects your bank request to an error page or something that looks official enough, but it's running on a web server on his laptop, and he grabs username and password from ya directly in a kind of phishing attempt.

So... if you are careful to verify certificates and have your web browser config'd to not accept SSLv2 certs I'd say yer secure enough. Have your guard up.

Another worry is your workstation's external security posture. If you're vulnerable to getting owned by someone on the local network because of a lack of patching, or open shares or what not, you'll want to protect against these so your local workstation doesn't get quickly owned and fitted with keylogging software.

Best Regards,

Todd H.

So, if I get a "certificate is expired" or "not what it is supposed to be" warning, I just run in the opposite direction? Especially if they aren't showing up at home.

Anything special with a MacBook, or should I go ask this question on one of the Apple groups?

Thanks for all your help.

Kurt

Kurt Ullman

Right.

They do pretty well so long as you have been applying the loads of patches Apple's been issuing. There are low level wireless issues with Macs and PCs as well that got a lot of press at the security cons last year and I think those have been patched, though that's not to say that 0day exploits on similar vulns aren't out there, your odds of getting hit with one at a typical cafe are fairly low.

The security of SSL relies a lot on the user doing smart things with security warnings, so be diligent. :-) So many folks just click to make dialog boxes happy and don't read anything, and in that there are problems. :-)

Todd H.
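
The certificate checks discussed in the posts above, sketched as an added example that is not from either poster: a Python client that refuses legacy SSL versions and reports which warning (expired, untrusted issuer, or name mismatch) a connection would have raised. The function names and the `bank.example` host are placeholders chosen for illustration.

```python
import socket
import ssl

# OpenSSL X509 verification codes behind the warnings discussed in the thread.
VERIFY_REASONS = {
    10: "certificate has expired",
    18: "self-signed certificate (not issued by a trusted CA)",
    19: "self-signed certificate in chain",
    20: "issuer not trusted by this machine",
    62: "certificate does not match the site's domain name",
}

def strict_context():
    """Client context: trusted CA required, name must match, no legacy SSL."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True                      # reject a proxy's mismatched cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # never proceed unverified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv2/SSLv3 and early TLS refused
    return ctx

def explain(verify_code):
    """Map an OpenSSL verify code to the advice given in the thread."""
    reason = VERIFY_REASONS.get(
        verify_code, "verification failed (code %d)" % verify_code)
    return "DO NOT LOG IN: " + reason

def probe(host, port=443, timeout=5.0):
    """Attempt a strictly verified handshake and return a one-line verdict."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "OK: %s verified over %s" % (host, tls.version())
    except ssl.SSLCertVerificationError as err:
        return explain(err.verify_code)
    except (ssl.SSLError, OSError) as err:
        return "DO NOT LOG IN: connection failed (%s)" % err

if __name__ == "__main__":
    import sys
    # "bank.example" is a placeholder; pass the real hostname as an argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "bank.example"))
```

Run from the hotspot and again from a trusted network: a verdict that differs between the two is the same signal as a warning that only shows up away from home.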

Thanks. I generally worry about certificate stuff even when I am home and non-wireless directly into the modem. Paranoia runs VERY deep outside the house. (g).

Kurt Ullman
