How risky is https: over public wi-fi?

Topic Author
nisiprius
Advisory Board
Posts: 42899
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

How risky is https: over public wi-fi?

Post by nisiprius »

Very basic technology question. We are constantly being told not to access sensitive sites over public wi-fi because our passwords, etc. might be stolen. However, sensitive sites invariably use https: and show a "lock" icon on the screen. If you are using https: isn't it true that passwords and other sensitive information are sent within the https: stream and are therefore encrypted? Encrypted within the browser software on the device itself, before being sent out over the wi-fi network?

Typing P-A-S-S-W-O-R-D does not send eight keystrokes en clair between my tablet and Starbucks' wireless router, does it?

Now obviously passwords could be stolen by hidden video cameras shoulder-surfing your keystrokes. Or stray electromagnetic emissions from the keyboard itself unless you're using TEMPEST-hardened gear. But just as a sort of bedrock, baseline thing--if you see a lock symbol on the screen, isn't it true that your communications are encrypted within your device, before they are sent over wi-fi, and therefore are moderately secure?

(Yes, I know heartbleed was an https: vulnerability).
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
tetractys
Posts: 4836
Joined: Sat Mar 17, 2007 3:30 pm
Location: Along the Salish Sea

Re: How risky is https: over public wi-fi?

Post by tetractys »

Use your firewall and don't advertise your passwords. Wi Fi is a medium of transport, all things being equal no more or less secure than any other medium of transport. Typing P-A ....? No. Sometimes though, I have seen websites, and bank websites no less, that switched between https and http at security sensitive times, so that might be something to look out for. -- Tet
midareff
Posts: 7417
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: How risky is https: over public wi-fi?

Post by midareff »

Nisi.... methinks you are a candidate for LastPass.
HomerJ
Posts: 16036
Joined: Fri Jun 06, 2008 12:50 pm

Re: How risky is https: over public wi-fi?

Post by HomerJ »

nisiprius wrote:if you see a lock symbol on the screen, isn't it true that your communications are encrypted within your device, before they are sent over wi-fi, and therefore are moderately secure?
Yes, that's correct. I still wouldn't access my bank or Vanguard website from a public wifi if I could help it.
vectorizer
Posts: 417
Joined: Sat Mar 03, 2007 3:52 pm

Re: How risky is https: over public wi-fi?

Post by vectorizer »

Yes, generally you're fine if you see a lock symbol and the URL starts with https. Your communication is encrypted by the browser and stays encrypted all the way to the server to which you're connecting, including being encrypted over the otherwise-untrustworthy WiFi hop.

As an extra precaution, double-click on the lock to verify the SSL certificate has the name of the site you expect; and don't ignore any errors from the browser like certificate errors or messages about unsecure content.

The problem of course is that it's a pain to verify this on every site you connect to, and easy to forget.

If you'll often be using untrusted WiFi (meaning, all WiFi you don't control) for things other than unauthenticated web browsing, consider getting a VPN for your device. A VPN will encrypt everything from-and-to your device (not just web browser traffic) over the WiFi all the way to the VPN server. I used the Anonymizer commercial service for years until I set up my own VPN at home; there are others.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: How risky is https: over public wi-fi?

Post by ogd »

https is secure over insecure links; that is in fact its primary purpose. If you aren't concerned that the wifi is hostile (i.e. you are concerned about eavesdroppers only), you can stop there.

But if you don't trust it at all, there are a few extra precautions. https security relies on the domain name in the URL bar being signed by an authority. You should either double-check it (for typos or URLs that start with something different than what you were expecting) or navigate using manually typed URLs and bookmarks rather than, say, a search or a link from an unprotected site which the hostile provider might be routing to a malicious site. Never "ignore" any certificate warnings that your browser might pop out. Finally, don't download anything from insecure sites and keep your computer up to date. But really this is more about a "visiting North Korea" type of scenario.
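The "does the certificate carry the name I typed" check that vectorizer and ogd describe above, as an added example that is not from anyone in this thread: it applies the usual browser matching rules (subjectAltName first, a wildcard only as the whole leftmost label) to a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate and the `example-bank.test` names are constructed for illustration.

```python
"""Hostname-vs-certificate check in the style browsers use (RFC 6125 rules).
Added example; SAMPLE_CERT is constructed, not a real certificate."""
import ipaddress


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.
    A single '*' may stand in for the whole leftmost label only, and must
    leave at least two fixed labels so '*.test' cannot match everything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's subjectAltName
    (dNSName or IP Address). Falls back to the subject commonName only
    when the certificate carries no SAN at all, as older browsers did."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # user typed an IP: only an IP SAN may match
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_label_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):  # legacy CN fallback, no SAN present
        for key, value in rdn:
            if key == "commonName":
                return _label_matches(value, hostname)
    return False


# Constructed sample in getpeercert() shape: a bank cert with a wildcard SAN
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
}
```

A lookalike name such as `www.examp1e-bank.test` fails the check even though the certificate is perfectly valid for the site that owns it, which is why reading the name in the certificate matters as much as seeing the lock.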
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: How risky is https: over public wi-fi?

Post by BYUvol »

I ALWAYS use a VPN when accessing the internet through a router I don't have administrative access to.

The primary danger, in my estimation, of using public wifi is the amount of data leakage that can be passed through the URL, disclosing a lot more info than you would think.

The secondary danger is session fixation attacks. It's not difficult over public wifi to capture cookies, so that when you log into gmail or facebook, they can use that same cookie to hijack your session. From there they can change your security questions, or gain access to a host of information needed to socially engineer their way into other sites.

TL;DR: Yes, most (not all) of the data is encrypted over HTTPS, but that doesn't offer as much protection as most people think.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: How risky is https: over public wi-fi?

Post by ogd »

BYUVol: with https, only the domain part of the URL is visible to an attacker. The rest is already encrypted. Same for cookies, at least for sites that take their security seriously like gmail and facebook (the latter has been more lax at times in the past). Bogleheads sessions are exposed but arguably far less valuable.

I like VPN because it protects me from mental lapses, i.e. doing too much on unencrypted sites or some such. But it's not strictly required if one is careful.
Ketawa
Posts: 2331
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: How risky is https: over public wi-fi?

Post by Ketawa »

I use a VPN if I'm concerned. It only costs $40/year through Private Internet Access and setup is foolproof.
rustymutt
Posts: 3976
Joined: Sat Mar 07, 2009 12:03 pm

Re: How risky is https: over public wi-fi?

Post by rustymutt »

Worry about key hackers in the next room over at a real friendly hotel, with a Bluetooth receiver.
Or a trojan inside your PC, 'cause you went to a porn site that was flash friendly.
You're not as well protected at WiFi sites as some home networks can be made.
Watch out for the so called "Smart TVs". They'll hijack your bandwidth. If your system seems to just crawl, it's mostly crawl with a buggy or two someplace legit.
Is this WiFi site protecting you from denial of service attacks? Does your operating system recognize home networks from public WiFi?

Some of the many questions I've asked myself, and answered. Never leave your PC on when done using it at Wi Fi sites; shut down.

And if your mouse moves, and you're not doing it, buggy time.

I would opt for the VPN option mentioned above, if concerned. Virtual Private Network, but you'll still be on the public network, lost in the clouds.
Even educators need education. And some can be hard headed to the point of needing time out.
BYUvol
Posts: 120
Joined: Sat Mar 24, 2012 3:06 pm
Location: KY

Re: How risky is https: over public wi-fi?

Post by BYUvol »

ogd wrote:BYUVol: with https, only the domain part of the URL is visible to an attacker. The rest is already encrypted. Same for cookies, at least for sites that take their security seriously like gmail and facebook (the latter has been more lax at times in the past). Bogleheads sessions are exposed but arguably far less valuable.

I like VPN because it protects me from mental lapses, i.e. doing too much on unencrypted sites or some such. But it's not strictly required if one is careful.
If a site uses analytics (Google or Piwik), the full URL query is sent in the referrer header, and those connections are often unsecured.

I haven't been asked to do any audits in the past year, so maybe as a result of heartbleed sites have gotten smarter about their use of session IDs, but as recently as a year ago you were able to sniff facebook cookies from those little "Share" buttons you see on news articles.
nhrdls
Posts: 108
Joined: Tue Aug 20, 2013 5:14 pm

Re: How risky is https: over public wi-fi?

Post by nhrdls »

ogd wrote:BYUVol: with https, only the domain part of the URL is visible to an attacker. The rest is already encrypted. Same for cookies, at least for sites that take their security seriously like gmail and facebook (the latter has been more lax at times in the past). Bogleheads sessions are exposed but arguably far less valuable.

I like VPN because it protects me from mental lapses, i.e. doing too much on unencrypted sites or some such. But it's not strictly required if one is careful.
Technically speaking, nothing is visible to the attacker. The browser might be showing the URL, but as a protocol, the URL is not in plain text. HTTPS starts with negotiating the connection with the server first. Validating/accepting server certificates happens first. After that the actual communication starts. All we know is that someone is communicating with port 443 on the other server.

Even usual proxy servers can not intercept https communications. Some organizations get around this by adding an https proxy that starts two communications - one from browser to proxy and the other from proxy to browser. These organizations usually install their own certificate so that the browser will accept the middle certificate.

VPN is a really nice idea and recommended if you can do it. HTTPS is pretty safe, but worrying about the other things mentioned is right.
Ged
Posts: 3931
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: How risky is https: over public wi-fi?

Post by Ged »

It depends on the site. For example there is the Firesheep concept which provides a way to hijack sessions that use encrypted logins but not encrypted cookies.

https://en.wikipedia.org/wiki/Firesheep

https://www.getcloak.com/blog/2013/07/1 ... #?1#agtpwd

There are other attacks against HTTPS that take advantage of users having outdated software or being on a malicious network.

http://arstechnica.com/security/2013/08 ... ted-pages/

Here is a demo of such a tool in operation:

http://www.airtightnetworks.com/fileadm ... l_mkt.html

All in all I'd rather not use an account I care about via wifi.
Last edited by Ged on Wed Jul 02, 2014 5:44 pm, edited 1 time in total.
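The weakness Firesheep relied on, and that BYUvol's cookie-sniffing remark above points at, is a session cookie issued over HTTPS without the Secure attribute, so the browser also sends it on any plain-http request to the same site. As an added example that is not from anyone in this thread, here is a small audit of Set-Cookie headers for that condition, using Python's standard `http.cookies` parser; the header lines and the `example.test` domain are constructed.

```python
"""Audit Set-Cookie headers for session cookies that lack Secure / HttpOnly.
Added example; the header lists below are constructed, not captured."""
from http.cookies import SimpleCookie

# Substrings that suggest a cookie carries a login session (heuristic)
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(headers):
    """headers: list of raw Set-Cookie header values from one response.
    Returns [(cookie_name, [problem, ...])] for session-like cookies that
    would be exposed on an unencrypted hop or to page scripts."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # preference cookies etc. are not worth flagging
            problems = []
            if not morsel["secure"]:
                # Browser will send this cookie over plain http as well,
                # which is exactly what a sniffer on open wifi waits for.
                problems.append("missing Secure: sent over plain http too")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by page scripts")
            if problems:
                findings.append((name, problems))
    return findings


# Constructed sample responses: a lax site and the hardened equivalent
LAX_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.test; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, hdrs in (("lax", LAX_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookie(hdrs))
```

The same attribute is visible in any browser's cookie inspector, so a user can apply the check by hand to a site they care about before using it on an untrusted network.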
ResearchMed
Posts: 11243
Joined: Fri Dec 26, 2008 11:25 pm

Re: How risky is https: over public wi-fi?

Post by ResearchMed »

Does it make any difference if one is at a hotel, for example, but uses one's own password-protected "hot spot" (or even iPhone) rather than the hotel WiFi, when connecting to an https site?

Or is that not adding any protection at all?

RM
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: How risky is https: over public wi-fi?

Post by ogd »

nhrdls wrote:Technically speaking, nothing is visible to the attacker. Browser might be showing URL, but as a protocol, URL is not in plain text. HTTPS starts with negotiating connection with the server first. Validating/accepting server certificates happens first. After that actual communication starts. All we know is someone communicating with port 443 on the other server.
I mostly agree, but we still know who the other server is. This is usually a negligible leak.

BYUvol wrote:If a site uses analytics (Google or Piwik), the full URL query is sent in the referrer header, those connections are often unsecured.
Analytics has an https option. In fact, if you don't use it, the browser will pop up an "insecure content" warning, spooking your user.
BYUvol wrote:I haven't been asked to do any audits in the past year, so maybe as a result of heartbleed sites have gotten smarter about their use of session IDs, but as recently as a year ago you were able to sniff facebook cookies from those little "Share" buttons you see on news articles.
I'm not up to date on this either, but I was under the impression that firesheep stopped working for facebook logins long ago, including external. I do agree that you probably want to limit your insecure browsing.
Ged
Posts: 3931
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: How risky is https: over public wi-fi?

Post by Ged »

ResearchMed wrote:Does it make any difference if one is at a hotel, for example, but uses one's own password-protected "hot spot" (or even iPhone) rather than the hotel WiFi, when connecting to an https site?

Or is that not adding any protection at all?

RM
If your personal network has a strong 16+ digit WPA2 key, yes, it is much better than unencrypted hotel wifi.

The problem is that both GSM and CDMA encryption have been broken. Now it takes a bit more equipment to listen to but it's definitely not secure. So I'd say it's better but not really robust.