Web Surfing in Public Places Is A Way to Court Trouble 274
We had a story come in from the New York Times reminding people that web surfing in public places Is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?
Public websurfing (Score:5, Informative)
http://www.grc.com/nat/arp.htm [grc.com]
It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.
TFA is uninformed (Score:5, Informative)
When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to checkout. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a pop3 client is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services pop3 or webmail encrypt the messages so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someones password come up in plaintext. Even AIM doesn't do that anymore although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
Comment removed (Score:2, Informative)
Virtual *Private* Network (Score:5, Informative)
Re:Denver Airport (Score:5, Informative)
Re:Interesting question (Score:3, Informative)
Re:Public computers (Score:3, Informative)
Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.
Re:Utter garbage, Redux (Score:3, Informative)
From SANS WhitePaper:
"The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."
So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.
But there is some truth to your assertion, if you are of the Windows Ilk:
"One faulty SSL client implementation, Microsoft's Internet Explorer, allows for transparent SSL MITM attacks when the attacker has any CA-signed certificate."
Sweet! ANOTHER reason I can't wait to run Boot Camp and install Windows.
Consider the three basic VPN security methods (Score:5, Informative)
IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.
SSL uses a nice scheme that's difficult to crunch.
NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.
Re:Denver Airport (Score:3, Informative)
and people don't realize it (Score:4, Informative)
My answer was of course: neither
Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).
The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own either refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can setup to my home server for a semi-secure connection, but depending on the location I might not trust even these.
Re:Utter garbage (Score:2, Informative)
Re:It's not the security I'm worried about.... (Score:2, Informative)
Hotel and Airport hygiene (Score:2, Informative)
At public computers: I assume that the machine has a keystroke logger. Never enter anything remotely sensitive on such machines. Never login to anything from a public computer.
Now, I often want to print a boarding pass or a document of mine. Here's my routine: Print to PDF on my laptop, upload the PDF from my laptop to my own web server with sftp. Name these a.pdf,, b.pdf, etc. The web server is set up so no one can get a file list for any directory. On the public machine, point the browser to www.mydomain.com/a.pdf and print. Later, from my laptop I'll login and delete the files.
Most airlines let you get a boarding pass with conf number and name, no login required. The confirmation number is like a one-time password. Someone was thinking.
-- Sally