How secure is a public hotspot?

As long as the conversation is https it is encrypted end-to-end, i.e. from your browser to the server. So however insecure the transmission media the content is as secure as the level of encryption that is used. Most banks and the like use decent levels of encryption. You can check the type of encryption and the key lengths on most browsers (on mine a little padlock appears and by clicking on it I get to see the parameters).

David

Unfortunately, many sites do NOT have the login page as an https and it is therefore NOT secure.

I know what you're getting at but just to be awfully pedantic, https is secure between one endpoint and another. A hacker could potentially play a man in the middle and send you his certificate in place of that of the bank. The traffic is then decrypted at his machine and re- encrypted on the way to the bank.

Of course, this would require that the user click OK on the warning that says that this certificate is not from a site that you trust etc but could easily catch an unknowing user that doesn't bother to check the validity of the certificate offered.

and equally importantly, the certificate trust chain and site name. The level of key length is rather arbitrary if the certificate isn't from whom it should be!

Lots of if's in the above but that was the question.

David.

So true, but then that isn't a hotspot problem per se, more a problem of the data is in the clear in the internet itself. But certainly the fellow at the next table sipping a latte code intercept as well.

fundamentalism, fundamentally wrong.

One option is one of the public vpn servers. You visit the hotpspot and log into what ever vpn 'service' you are signed up for. This would keep snoopers sharing the hotspot out yf your traffic (at a cost of some added latency) As to your banking, https (secure socket) should have you covered. At least as secure as you can be on the internet. Note warnings by others in the thread.

fundamentalism, fundamentally wrong.

"Many" financial sites with a nonsecure login page? Can you name a few?

Nope.

There is no security.

Only if the connection is protected with a security layer (e.g., SSL). But even with that you won't be protected on a public computer, because it could be infected with a virus that captures sensitive info before it's encrypted (e.g., keystroke logger).

No better.

Sure -- sign up for secure VPN service with a trusted provider.

Assume that everything in the clear is being snooped.

Capturing sensitive information on the wireless. Hacking into wireless machines by exploiting weaknesses, especially when there isn't an effective firewall.

Windows has a long history of exploitable vulnerabilities, and there are undoubtedly more that haven't been discovered and plugged.

Is IE showing that message by default these days? I know that a number of sites I use regularly, that have improperly constructed certificates, give me that message in Firefox & Konqueror, but IE doesn't. But then I usually only use IE when I hit a website that only works for IE.

It's pretty much standard practice for users to click right through those messages. Of course, the large number of sites that don't realize you can't just move these certificates from host to host doesn't help.

Don't know if David really meant financial - just sites with login pages. ime, most ISP's webmail pages don't provide HTTPS login pages (as opposed to the big boys like gmail, hotmail and yahoo-mail - though hotmail and yahoo, at least, don't even force you to login through https, and none of them give you the option of doing all your webmail over https). Mine explicitly refused to do so, or to get a proper certificate for their POP server. They said they couldn't provide that unless one was willing to upgrade to a business account. I pointed out that they already _are_ providing TLS on the pop server, just with a b0rked certificate. They responded by quietly breaking the certificate by replacing it with an even worse one!

Don't know, not sure if there's a setting in IE to automatically accept untrusted certs?

Exactly.

David.

It would be insane to use any online banking login page that's not HTTPS from your home cable connection let alone wireless. Any bank not encrypting the login details has absolutely no regard for security and I wouldn't have any confidence in the rest of their online security.

BernieM

Amen!

It was always the default in IE, you must have changed it at some point in the past or maybe it was altered for some intranet stuff at the office and never set back.

fundamentalism, fundamentally wrong.