Unsecured wifi

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
jupiter_man
Posts: 69
Joined: Fri May 03, 2013 8:02 pm

Re: Unsecured wifi

Post by jupiter_man »

"https" was designed to be end to end secure, so only your computer browser and the "Internet Site" can decrypt the data. HTTPS prevents anybody in the middle from decrypting the data. Mathematically there is no way for someone to decrypt the information. I know the OP is concerned about the "unsecured WiFi" but in general even if the WiFi is secured, the packets go through multiple routers after the WiFi interface to reach the destination site. HTTPS prevents data from being sniffed and decoded by these middle routers as well.

Another suggestion: even if you have visited your financial site hundreds of times, and know the URL by heart, please use the Google or Bing search engines to type the site name. These search engines will provide the real site most likely on the first line or first search result. Also you may see the "Official site" that the financial institution is paying for appearing on the top, and Google or Bing have verified the authenticity of the URL; and right below, the same site may appear again, which has been indexed by the search engine. Use either of these URLs to go to the financial site.

Never type the URL of the financial site yourself; there is a very small but finite chance that the phishing site could get an https URL with a small typo, and you won't notice it. Please use the search engines to go to the site from ANY internet connection (unsecured WiFi, secured WiFi, home WiFi, office, etc.).

Cheers!
jimmy
Posts: 69
Joined: Sat Apr 27, 2013 1:29 am

Re: Unsecured wifi

Post by jimmy »

You're on vacation, leave your portfolio alone. I'm not a tech guy so this is the best advice I can give you.. :happy
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: Unsecured wifi

Post by kwan2 »

if you do stuff off https, a vpn is $55/year, or just don't use sbux wifi imho
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
Rich in Michigan
Posts: 181
Joined: Mon Jun 11, 2012 1:27 pm

Re: Unsecured wifi

Post by Rich in Michigan »

Somebody mentioned "what are they going to do, change your asset allocation?"

Before you laugh, consider the slippery slope. First they change your AA....you are 28 years old and now you hold 97% bonds. You are going to have to work until age 95 buddy before your nest egg is big enough to retire. Or maybe you are retired and the crook has you withdraw 7% per year. You think things are going to be hunky dory when you are 105? Well, considering that you depleted your nest egg when you were 77, not likely.

Then you have to consider that the crook has never had access to this large a sum before. He gets nervous and starts subscribing to financial magazines. He learns about technical analysis. Pretty soon he is reading that the next big thing is companies that make push button gearshift changers like on a 1963 Plymouth Valiant. So he moves all your money into an actively managed fund of those things. With an enormous expense ratio, by the way. He buys and sells like crazy in order to time the market just right. He rejects diversification. He does not stay the course.

Well, before you know it he is also buying you whole life insurance policies and variable annuities and there's no getting around that.

Your days as a Boglehead are pretty much over but at least he will be buying you expensive watches, expensive cars, and getting your oil changed every 3000 miles....
buckstar
Posts: 231
Joined: Wed Jul 06, 2011 9:38 am

Re: Unsecured wifi

Post by buckstar »

I used to think that the safest way to check was through the cellular network on my phone, but I recently saw this: http://www.npr.org/blogs/alltechconside ... ne-For-250.

I've started using WiTopia (personal VPN), because for about $50/yr it's a cheap and easy way to ease my mind. Certainly for someone like the OP who is away from home for several months at a time, it would be worth considering.

If you don't use anything other than SSL when connecting to websites, make sure your email client (if you don't use web-based clients) connects using SSL. Once someone gets access to your email accounts, it's potentially very easy to gain access to password resets, etc....
Bob.Beeman

Re: Unsecured wifi

Post by Bob.Beeman »

Sites can FORCE you to use a secure connection. For example I use this for some things on my site.

I DEFY you to get to the following page without being on a secure connection:
http://www.bee-man.us/security_test.php

Of course it only works if you get to the right place, but it protects people from themselves once they get there.

- Bob Beeman.
LadyGeek
Site Admin
Posts: 95696
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Unsecured wifi

Post by LadyGeek »

Do I get credit for this path? Error- 404 - File Not Found
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
btraven
Posts: 105
Joined: Tue Jul 02, 2013 3:27 pm

Re: Unsecured wifi

Post by btraven »

You can also get a VPN service like http://www.boxpn.com and have a secure connection from your device to a website for about $4 a month. With most VPNs, you can even appear like you are in the US because you can connect to servers with a US IP address, and access US services like Netflix.
Bob.Beeman

Re: Unsecured wifi

Post by Bob.Beeman »

Very Clever Lady Geek.

But note that this page does not pose a threat to anyone, as it has no content. It will always have no content because the page won't load content over http:

Still, that's clever.

- Bob Beeman.
protagonist
Posts: 9277
Joined: Sun Dec 26, 2010 11:47 am

Re: Unsecured wifi

Post by protagonist »

Fidelity uses a 6 digit password.
If somebody hacked into your account to drain your funds (malicious intent), wouldn't the likelihood of a random guy anywhere in the world getting in via a bot that rapidly goes through a million permutations be more likely than getting attacked by a neighbor on an unsecured line?
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Unsecured wifi

Post by ogd »

protagonist: no, because Fidelity locks you out (or should, I haven't checked their exact policy) after a few password attempts. So the bot gets one or two attempts, maybe a few more per month if they can time them to be between your legitimate logins (somehow).

The real threat is if a hacker gets access to Fidelity's internal password validation data. Then the "attempts" can be done with off-line computation. This is much harder to achieve and recovering the password can be made difficult by making the "validation" very expensive, but it's still a threat. In general, password length is a lesser worry than it's sometimes made out to be.

That said, at only six digits long, Fidelity would be pushing it and it seems hard to believe that that's all they allow. I looked it up and the password policy seems to be much more reasonable. http://www.fidelity.com/psw/WS_PSW_Body ... MS,00.html
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Unsecured wifi

Post by Mudpuppy »

protagonist wrote: Fidelity uses a 6 digit password.
If somebody hacked into your account to drain your funds (malicious intent), wouldn't the likelihood of a random guy anywhere in the world getting in via a bot that rapidly goes through a million permutations be more likely than getting attacked by a neighbor on an unsecured line?

The only way an attacker can try millions (now billions for the popular password algorithms) of guesses per second is if they have obtained the hashed passwords. They would have to compromise Fidelity to obtain the hashed passwords, so you would be protected by the standard consumer protections that would kick in when the finance company is the source of the compromise.

Using an unsecured line on the other hand is a consumer mistake, so you might find the protections are limited because there is almost always a clause that says that the consumer must exercise due diligence to protect his/her account information. Using an unsecured line could be construed as not exercising due diligence, even if one used HTTPS (SSL/TLS encryption) to interact with the financial institution.
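
The two defences discussed in the posts above by ogd and Mudpuppy (lockout after a few failed attempts, and deliberately expensive password validation) shown as an added Python sketch. It is not part of the thread and not Fidelity's code; the lockout threshold, iteration count and guess rate are assumed values.

```python
import hashlib
import hmac
import os

# Assumed policy values for illustration; not any institution's real settings.
MAX_FAILURES = 3
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash: every offline guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class Account:
    def __init__(self, password: str, iterations: int = PBKDF2_ITERATIONS):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.stored = hash_password(password, self.salt, iterations)
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False  # even the correct password is refused until a reset
        candidate = hash_password(attempt, self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.stored):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        return False


def online_guess_success_rate(keyspace: int, tries: int = MAX_FAILURES) -> float:
    """Chance that a bot hits a uniformly random secret before the lockout."""
    return min(tries, keyspace) / keyspace


def offline_hours_to_exhaust(keyspace: int, fast_hashes_per_sec: float,
                             iterations: int) -> float:
    """Worst-case hours to test every candidate against one stolen salted hash."""
    return keyspace * iterations / fast_hashes_per_sec / 3600
```

For a six-digit secret, `online_guess_success_rate(10**6)` is 3 in a million per lockout window, while `offline_hours_to_exhaust(10**6, 1e9, PBKDF2_ITERATIONS)` is a few minutes: the slow hash multiplies the cost of each guess but cannot rescue a keyspace that small.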
mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: Unsecured wifi

Post by mnaspbh »

johnubc wrote: The misinformation here is surprising.

As long as you are using HTTPS, you will be ok wrt the username and password (as well as the data). Make sure that the site actually uses HTTPS for the login - most sites that use 'advanced' authentication will prompt for the password on a second web page, not on the initial page.

Unfortunately, this is true if and only if you're using HTTPS to connect to the actual site you think you're connecting to. It's not hard to set up a man-in-the-middle attack even for HTTPS, where the victim types "https://www.fidelity.com" in their browser, but because the domain name lookup has been compromised, their computer connects to "https://badsite.example.com" that has what looks like a valid certificate for "https://www.fidelity.com" (see how easy it was for criminals to get valid certs for sites like Hotmail, Google Mail, Yahoo, and Skype through a Comodo cert agent, for example). The browser will show the "lock" icon with the expected site name, but the details will differ (e.g., the certifying authority will be different than the one used by the real site). People I've worked with in the security industry say that this kind of compromise is actually surprisingly common, though mostly outside the US, and is usually either highly targeted or conducted by government agencies.

Some modern web browsers like Chrome implement "certificate pinning" so the browser itself will reject what are otherwise valid certs if they don't match some criteria. This is usually limited to a very small number of sites (e.g., Chrome uses it for Google's certs only, I believe) so it's not a general-purpose solution. The "chain of trust" model required by SSL certs is fundamentally broken.
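
A sketch of the certificate pinning idea from the post above, added here as an example and not taken from the thread or from any browser's code. It pins the SHA-256 fingerprint of the whole certificate (browsers pin public keys instead), and the two "certificates" are constructed byte strings standing in for DER data.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate matches a pinned fingerprint."""
    seen = fingerprint(der_cert)
    # Accept pins written as plain hex or as colon-separated uppercase hex.
    return any(hmac.compare_digest(seen, p.lower().replace(":", "")) for p in pins)


def connect_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """Ordinary CA and hostname validation first, then the pin check on top."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_ok(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"{host}: certificate is CA-valid but not pinned")
    return tls


# Constructed stand-ins for two DER certificates naming the same host:
# one from the site's usual CA, one issued for the same name by another CA.
EXPECTED_CERT = b"constructed-der: CN=www.example.com, issuer=usual CA"
MISISSUED_CERT = b"constructed-der: CN=www.example.com, issuer=other CA"
PINS = {fingerprint(EXPECTED_CERT)}
```

Both stand-ins would pass a name check, but only `EXPECTED_CERT` passes `pin_ok`; a client that pins this way has to ship the new fingerprint before the site rotates its certificate.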
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: Unsecured wifi

Post by kwan2 »

“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: Unsecured wifi

Post by magellan »

mnaspbh wrote: (see how easy it was for criminals to get valid certs for sites like Hotmail, Google Mail, Yahoo, and Skype through a Comodo cert agent, for example).

I'm not sure I'd agree that it was easy. The incidents from 2011 haven't yet been repeated that I know of and most think Iran was behind the attacks. The attacks required having control of Iran's DNS infrastructure, which is how the certificate authorities were tricked into issuing the certificates. That's not something anyone can easily pull off.

http://www.pcpro.co.uk/news/security/36 ... e-ssl-hack

http://www.computerworld.com/s/article/ ... geNumber=2

I do agree that establishing an SSL session with an entity presenting a valid certificate isn't a 100% guarantee that you're actually connected to the entity you think you're connected to. However, I'd say it's very close to 100% as long as we're not talking about the actions of governments (as you mentioned above). OTOH, I wouldn't be completely shocked if the US government could easily trick you into thinking you're connected directly to google when you're actually connected through the NSA.

Jim
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Unsecured wifi

Post by Mudpuppy »

DNSCrypt is just a protocol to encrypt the transaction between your computer and the ISP, so it only prevents DNS cache poisoning between your computer and the ISP. It does absolutely nothing to prevent bad resource records from being returned to the ISP and poisoning the results the ISP gives back to your computer. I think the technology you were looking for is DNSSEC, which provides digital certificates for the DNS resource records: http://en.wikipedia.org/wiki/Domain_Nam ... Extensions

While encrypted DNS is a great idea, it has to be used universally to get the sort of security that would allow one to stop having to worry about malicious websites masquerading as real websites via DNS poisoning. Unfortunately, we have no control over how quickly companies adopt that technology, other than standard consumer pressures that one can exert on a company to get the company to make a decision. If the domain (or any one domain along the DNS authentication chain) does not support DNSSEC, then your ISP falls back to plain old plaintext DNS to look up the IP address for the domain name, so the ISP is still subject to the same DNS cache poisoning attacks.

As an analogy, consider regular websites (e.g. plain old DNS) and encrypted websites (e.g. DNSSEC). Your computer understands how to communicate with an encrypted website, but you have to go to an encrypted website (e.g. a domain with DNSSEC) for that to work. And the website has to be fully encrypted (e.g. the entire DNS authentication chain has to support DNSSEC) for all your transactions to be fully "secured" (in the sense that "security" here means everything is encrypted).
Rainier
Posts: 1733
Joined: Thu Jun 14, 2012 5:59 am

Re: Unsecured wifi

Post by Rainier »

I would do it without thinking twice.

I wonder what the responses are by age.

This mis-information here is truly astonishing. Too many other things to worry about.