Unsecured wifi

Re: Unsecured wifi

Postby jupiter_man » Fri May 03, 2013 9:41 pm

"https" was designed to be end to end secure, so only your computer browser and the "Internet Site" can decrypt the data. HTTPS prevents anybody in the middle from decrypting the data. Mathematically there is no way for someone to decrypt the information. I know the OP is concerned about the "unsecured WiFi" but in general even if the WiFi is secured, the packets go through multiple routers after the WiFi interface to reach the destination site. HTTPS prevents data from being sniffed and decoded by these middle routers as well.

Another suggestion, even if you have visited your financial site hundreds of times, and know the url by heart, please use Google or Bing search engines to type the site name. These search engines will provide the real site most likely on the first line or first search result. Also you may see the "Official site" that the financial institution is paying for appearing on the top and Google or Bing have verified the authenticity of the URL; and right below the same site may appear again which has been indexed by the search engine. Use either of these URLs to go to the Financial site.

Never type the url of the Financial site yourself, there is a very small but finite chance that the phishing site could get a https url with a small typo, and you won't notice it, please use the search engines to go to the site from ANY internet connection (unsecured WiFi, Secured WiFi, home WiFi, Office, etc.).

Cheers !
jupiter_man
 
Posts: 53
Joined: Fri May 03, 2013 9:02 pm

Re: Unsecured wifi

Postby jimmy » Fri May 03, 2013 11:27 pm

You're on vacation, leave your portfolio alone. I'm not a tech guy so this is the best advice I can give you. :happy
jimmy
 
Posts: 27
Joined: Sat Apr 27, 2013 2:29 am

Re: Unsecured wifi

Postby kwan2 » Fri Jul 19, 2013 3:51 am

if you do stuff off https, a vpn is $55/year, or just don't use sbux wifi imho
The best lack all conviction, while the worst | Are full of passionate intensity-Yeats 1919;Out of every fruition of success,no matter what, comes forth something to make a new effort necessary -Whitman
kwan2
 
Posts: 243
Joined: Thu Jun 14, 2012 10:13 pm

Re: Unsecured wifi

Postby Rich in Michigan » Fri Jul 19, 2013 6:04 am

Somebody mentioned "what are they going to do, change your asset allocation?"

Before you laugh, consider the slippery slope. First they change your AA....you are 28 years old and now you hold 97% bonds. You are going to have to work until age 95 buddy before your nest egg is big enough to retire. Or maybe you are retired and the crook has you withdraw 7% per year. You think things are going to be hunky dory when you are 105? Well, considering that you depleted your nest egg when you were 77, not likely.

Then you have to consider that the crook has never had access to this large a sum before. He gets nervous and starts subscribing to financial magazines. He learns about technical analysis. Pretty soon he is reading that the next big thing is companies that make push button gearshift changers like on a 1963 Plymouth Valiant. So he moves all your money into an actively managed fund of those things. With an enormous expense ratio, by the way. He buys and sells like crazy in order to time the market just right. He rejects diversification. He does not stay the course.

Well, before you know it he is also buying you whole life insurance policies and variable annuities and there's no getting around that.

Your days as a Boglehead are pretty much over but at least he will be buying you expensive watches, expensive cars, and getting your oil changed every 3000 miles....
Rich in Michigan
 
Posts: 107
Joined: Mon Jun 11, 2012 2:27 pm

Re: Unsecured wifi

Postby buckstar » Fri Jul 19, 2013 11:38 am

I used to think that the safest way to check was through the cellular network on my phone, but I recently saw this: http://www.npr.org/blogs/alltechconside ... ne-For-250.

I've started using WiTopia (personal VPN), because for about $50/yr it's a cheap and easy way to ease my mind. Certainly for someone like the OP who is away from home for several months at a time, it would be worth considering.

If you don't use anything other than SSL when connecting to websites, make sure your email client (if you don't use web-based clients) connects using SSL. Once someone gets access to your email accounts, it's potentially very easy to gain access to password resets, etc....
buckstar
 
Posts: 147
Joined: Wed Jul 06, 2011 10:38 am

Re: Unsecured wifi

Postby Bob.Beeman » Fri Jul 19, 2013 2:55 pm

Sites can FORCE you to use a secure connection. For example I use this for some things on my site.

I DEFY you to get to the following page without being on a secure connection:
http://www.bee-man.us/security_test.php

Of course it only works if you get to the right place, but it protects people from themselves once they get there.

- Bob Beeman.
Bob.Beeman
 
Posts: 59
Joined: Mon Dec 12, 2011 6:32 pm

Re: Unsecured wifi

Postby LadyGeek » Fri Jul 19, 2013 3:05 pm

Do I get credit for this path? Error- 404 - File Not Found
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
LadyGeek
Site Admin
 
Posts: 19583
Joined: Sat Dec 20, 2008 6:34 pm
Location: Philadelphia

Re: Unsecured wifi

Postby btraven » Fri Jul 19, 2013 3:08 pm

You can also get a VPN service like http://www.boxpn.com and have a secure connection from your device to a website for about $4 a month. With most VPN's, you can even appear like you are in the US because you can connect to servers with a US IP address, and access US services like Netflix.
btraven
 
Posts: 33
Joined: Tue Jul 02, 2013 4:27 pm

Re: Unsecured wifi

Postby Bob.Beeman » Fri Jul 19, 2013 3:14 pm

Very Clever Lady Geek.

But note that this page does not pose a threat to anyone, as it has no content. It will always have no content because the page won't load content over http:

Still, that's clever.

- Bob Beeman.
Bob.Beeman
 
Posts: 59
Joined: Mon Dec 12, 2011 6:32 pm

Re: Unsecured wifi

Postby protagonist » Fri Jul 19, 2013 6:51 pm

Fidelity uses a 6 digit password.
If somebody hacked into your account to drain your funds (malicious intent), wouldn't the likelihood of a random guy anywhere in the world getting in via a bot that rapidly goes through a million permutations be more likely than getting attacked by a neighbor on an unsecured line?
protagonist
 
Posts: 2390
Joined: Sun Dec 26, 2010 1:47 pm

Re: Unsecured wifi

Postby ogd » Fri Jul 19, 2013 8:32 pm

protagonist: no, because Fidelity locks you out (or should, I haven't checked their exact policy) after a few password attempts. So the bot gets one or two attempts, maybe a few more per month if they can time them to be between your legitimate logins (somehow).

The real threat is if a hacker gets access to Fidelity's internal password validation data. Then the "attempts" can be done with off-line computation. This is much harder to achieve and recovering the password can be made difficult by making the "validation" very expensive, but it's still a threat. In general, password length is a lesser worry than it's sometimes made out to be.

That said, at only six digits long, Fidelity would be pushing it and it seems hard to believe that that's all they allow. I looked it up and the password policy seems to be much more reasonable. http://www.fidelity.com/psw/WS_PSW_Body ... MS,00.html
ogd
 
Posts: 2591
Joined: Fri Jun 15, 2012 12:43 am

Re: Unsecured wifi

Postby Mudpuppy » Sat Jul 20, 2013 12:46 am

protagonist wrote: Fidelity uses a 6 digit password.
If somebody hacked into your account to drain your funds (malicious intent), wouldn't the likelihood of a random guy anywhere in the world getting in via a bot that rapidly goes through a million permutations be more likely than getting attacked by a neighbor on an unsecured line?

The only way an attacker can try millions (now billions for the popular password algorithms) of guesses per second is if they have obtained the hashed passwords. They would have to compromise Fidelity to obtain the hashed passwords, so you would be protected by the standard consumer protections that would kick in when the finance company is the source of the compromise.

Using an unsecured line on the other hand is a consumer mistake, so you might find the protections are limited because there is almost always a clause that says that the consumer must exercise due diligence to protect his/her account information. Using an unsecured line could be construed as not exercising due diligence, even if one used HTTPS (SSL/TLS encryption) to interact with the financial institution.
Mudpuppy
 
Posts: 2683
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California
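
Added example, not part of any post in this thread: a Python sketch of the two guessing paths ogd and Mudpuppy describe, online attempts against a lockout counter versus offline attempts against a stolen hash. The 3-failure limit, the PBKDF2 iteration count and the password "000042" are assumptions chosen for illustration, not Fidelity's actual policy.

```python
import hashlib
import hmac
import os

KEYSPACE = 10 ** 6  # all 6-digit numeric passwords, the case raised in the thread

def hash_password(password, salt, iterations):
    # Salted, deliberately slow hash: the "expensive validation" idea.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class LockoutLogin:
    """Online path: the server counts failures and locks the account."""

    def __init__(self, password, max_failures=3, iterations=1000):
        self.salt = os.urandom(16)
        self.iterations = iterations  # assumed value, kept low so the demo is fast
        self.stored = hash_password(password, self.salt, iterations)
        self.max_failures = max_failures  # assumed policy
        self.failures = 0

    def attempt(self, guess):
        if self.failures >= self.max_failures:
            return "locked"  # even the correct password is refused now
        candidate = hash_password(guess, self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"

def online_guess_odds(attempts_allowed):
    # Chance a bot hits a uniformly random password before lockout.
    return attempts_allowed / KEYSPACE

def offline_crack(salt, stored, iterations, candidates):
    # Offline path: with the stored hash in hand there is no lockout,
    # only the per-guess cost of the hash itself.
    for tries, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(hash_password(guess, salt, iterations), stored):
            return guess, tries
    return None, len(candidates)

def exhaust_seconds(guesses_per_second):
    # Worst-case time to walk the whole keyspace at a given guess rate.
    return KEYSPACE / guesses_per_second
```

At a billion guesses per second the six-digit keyspace lasts about a millisecond, and even slowed to 10 guesses per second it falls in under 28 hours, so a password this short depends on the lockout counter and on the hashes never leaving the server.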

Re: Unsecured wifi

Postby mnaspbh » Sat Jul 20, 2013 1:17 am

johnubc wrote:The misinformation here is surprising.

As long as you are using HTTPS, you will be ok wrt the username and password (as well as the data). Make sure that the site actually uses HTTPS for the login - most sites that use 'advanced' authentication will prompt for the password on a second web page, not on the initial page.


Unfortunately, this is true if and only if you're using HTTPS to connect to the actual site you think you're connecting to. It's not hard to set up a man-in-the-middle attack even for HTTPS, where the victim types "https://www.fidelity.com" in their browser, but because the domain name lookup has been compromised, their computer connects to "https://badsite.example.com" that has what looks like a valid certificate for "https://www.fidelity.com" (see how easy it was for criminals to get valid certs for sites like Hotmail, Google Mail, Yahoo, and Skype through a Comodo cert agent, for example). The browser will show the "lock" icon with the expected site name, but the details will differ (e.g., the certifying authority will be different than the one used by the real site). People I've worked with in the security industry say that this kind of compromise is actually surprisingly common, though mostly outside the US, and is usually either highly targeted or conducted by government agencies.

Some modern web browsers like Chrome implement "certificate pinning" so the browser itself will reject what are otherwise valid certs if they don't match some criteria. This is usually limited to a very small number of sites (e.g., Chrome uses it for Google's certs only, I believe) so it's not a general-purpose solution. The "chain of trust" model required by SSL certs is fundamentally broken.
mnaspbh
 
Posts: 58
Joined: Fri Sep 09, 2011 1:26 pm
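
Added example, not part of any post in this thread: a Python sketch of the certificate pinning idea mnaspbh mentions, where a certificate that passes normal CA validation is still rejected unless it matches a value recorded in advance. It pins the SHA-256 fingerprint of the whole leaf certificate as a simplification (an assumption of this sketch, not a description of how Chrome implements its pins), and the two "certificates" are constructed byte strings standing in for real DER data.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert):
    # SHA-256 over the DER-encoded certificate, as lowercase hex.
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert, pins):
    # True only if the presented certificate is one we recorded earlier.
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)

def connect_pinned(host, pins, port=443, timeout=5.0):
    # Step 1: ordinary validation (CA chain and hostname) via the default context.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Step 2: the pin check, which a mis-issued but CA-valid cert fails.
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(f"certificate for {host} is CA-valid but not pinned")
            return fingerprint(der)

# Constructed stand-ins for DER bytes, so the check can be run offline.
REAL_CERT = b"constructed: certificate the site really serves"
ROGUE_CERT = b"constructed: same hostname, issued through a different CA"
PINS = {fingerprint(REAL_CERT)}
```

The cost of this design is operational: when the site rotates its certificate the pin set has to be updated first, which is one reason browsers ship pins for only a small number of sites.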

Re: Unsecured wifi

Postby kwan2 » Sat Jul 20, 2013 2:25 am

The best lack all conviction, while the worst | Are full of passionate intensity-Yeats 1919;Out of every fruition of success,no matter what, comes forth something to make a new effort necessary -Whitman
kwan2
 
Posts: 243
Joined: Thu Jun 14, 2012 10:13 pm

Re: Unsecured wifi

Postby magellan » Sat Jul 20, 2013 8:33 am

mnaspbh wrote: (see how easy it was for criminals to get valid certs for sites like Hotmail, Google Mail, Yahoo, and Skype through a Comodo cert agent, for example).

I'm not sure I'd agree that it was easy. The incidents from 2011 haven't yet been repeated that I know of and most think Iran was behind the attacks. The attacks required having control of Iran's DNS infrastructure, which is how the certificate authorities were tricked into issuing the certificates. That's not something anyone can easily pull off.

http://www.pcpro.co.uk/news/security/36 ... e-ssl-hack

http://www.computerworld.com/s/article/ ... geNumber=2

I do agree that establishing an SSL session with an entity presenting a valid certificate isn't a 100% guarantee that you're actually connected to the entity you think you're connected to. However, I'd say it's very close to 100% as long as we're not talking about the actions of governments (as you mentioned above). OTOH, I wouldn't be completely shocked if the US government could easily trick you into thinking you're connected directly to google when you're actually connected through the NSA.

Jim
magellan
 
Posts: 2892
Joined: Fri Mar 09, 2007 5:12 pm

Re: Unsecured wifi

Postby Mudpuppy » Sat Jul 20, 2013 2:37 pm

kwan2 wrote: https://www.opendns.com/technology/dnscrypt/

DNSCrypt is just a protocol to encrypt the transaction between your computer and the ISP, so it only prevents DNS cache poisoning between your computer and the ISP. It does absolutely nothing to prevent bad resource records from being returned to the ISP and poisoning the results the ISP gives back to your computer. I think the technology you were looking for is DNSSEC, which provides digital certificates for the DNS resource records: http://en.wikipedia.org/wiki/Domain_Nam ... Extensions

While encrypted DNS is a great idea, it has to be used universally to get the sort of security that would allow one to stop having to worry about malicious websites masquerading as real websites via DNS poisoning. Unfortunately, we have no control over how quickly companies adopt that technology, other than standard consumer pressures that one can exert on a company to get the company to make a decision. If the domain (or any one domain along the DNS authentication chain) does not support DNSSEC, then your ISP falls back to plain old plaintext DNS to look up the IP address for the domain name, so the ISP is still subject to the same DNS cache poisoning attacks.

As an analogy, consider regular websites (e.g. plain old DNS) and encrypted websites (e.g. DNSSEC). Your computer understands how to communicate with an encrypted website, but you have to go to an encrypted website (e.g. a domain with DNSSEC) for that to work. And the website has to be fully encrypted (e.g. the entire DNS authentication chain has to support DNSSEC) for all your transactions to be fully "secured" (in the sense that "security" here means everything is encrypted).
Mudpuppy
 
Posts: 2683
Joined: Sat Aug 27, 2011 3:26 am
Location: Sunny California

Re: Unsecured wifi

Postby Rainier » Sat Jul 20, 2013 3:50 pm

I would do it without thinking twice.

I wonder what the responses are by age.

This misinformation here is truly astonishing. Too many other things to worry about.
- Bill
Rainier
 
Posts: 875
Joined: Thu Jun 14, 2012 6:59 am
