When does an unsecured wireless connection become secure?

Marshall Kass
Marshall Kass used Ask the Experts™
on
Using an UNSECURED wireless connection to take over a remote computer using gotomypc, logmein, VPN or any secured remote software, and then use THAT computer to remote into another computer over a secure or cabled connection, is the second connection secured at all or is it too open?

Here is an example:
PC1 is connected to internet via an unsecured wireless connection.
PC1 remotes into PC2 using logmein. (this is an AES256-SHA 256 bit encryption)
PC2 is then used to take over PC3 via logmein over a secured or cabled network connection. Again this connection is also AES256-SHA 256 bit encryption.

Is the data transmitted between PC2 & PC3 (being viewed and controlled by PC1) secure?  if passwords are exchanged between PC2 & PC3 are they able to be intercepted and viewed due to the unscured connection between PC1 and PC2?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Jackie Man IT Manager
Top Expert 2010

Commented:
Your question is a tough one.

Theoretically, all endpoints must be secured if you want all traffic to be secured.

As in pc1, you use unsecured wifi network, it is possible to use https injection to capture the traffic while you rdp via logmein to pc2.

http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/

Technically, if you access from pc1 to pc2 via public unsecured hotspots, you need to locate whether there is any packet sniffer in the vicinity. A discussion is in the link below.

http://www.netstumbler.org/netstumbler/detecting-wifi-users-sniffers-t9747.html
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
PC1 is connected to internet via an unsecured wireless connection
when PC1 connected to Internet PC1 has two type of conenctions,
1) PCI--------WAP/Router (Non Secure)
2) Router----ISP (Secure)
------------------------------------------------
PC1 remotes into PC2 using logmein. (this is an AES256-SHA 256 bit encryption)
when PC1 remotes PC2 has below type of conenctions.

Option (if PC1 in LAN and PC2 on LAN/WAN)
1) PC1--------WAP/Router (Non Secure)
2) Router----ISP (Secure)
3)PC1-----------PC2 (Secure) once PC1 will try to login PC2, all information will be proteced and secured so viewing password information in not possible
-----------------------------------------------------------------------
PC2 is then used to take over PC3 via logmein over a secured or cabled network connection. Again this connection is also AES256-SHA 256 bit encryption.
1) PC1--------WAP/Router (Non Secure)
2) Router----ISP (Secure)
3)PC1-----------PC2 (Secure) once PC1 will try to login PC2, all information will be proteced and secured so viewing password information in not possible
4)Communication between All 3 (PC1----PC2------PC3) will be secure.
--------------------------------------------------------------------------


 

Author

Commented:
So, if I get this right
PC1 (Unsecured WAN) -> logmein Site (Enctypted) the only data available for snooping would be the login info to logmein's website.
Once I get to PC2 (via logmein encrypted link) everything past that point is secured, either to PC2 or (obviously PC2 ->PC3) as that is over a secured wired lan and encrypted between the two PCs.

What about the keystrokes I am sending from PC1 (Unsecured wireless) to PC2 - even though that connection is encrypted, isn't something visible coming off the PC1 through the wireless?  When they say do not use unsecured wireless to login to a bank (for example) is that because they are warning against the INITIAL use of the username and password, and not anything after you enter a secured site?
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
Sorry for my late reply.
warning of Unsecured Wireless connection is something else, you can also try enabling Wireless MAC filtering in your wireless router but still you will see warning despite the connetion is secure.

if you are using a non sucure link, then your packet to wap can be open, but if you are using same unsecure connetion for communication to any secure link (web ex, logme in, ipsec) these packets will not be opened, how

lets say you have VPN device @ your office, now  you are in home. you have one vpn software installed in your pc or you have SSL link provided by your ofiice IT, when you try to connect your VVPn or SSL VPN all information will be encrypted regardless of your link (PC---WAP) is secure or not.
     

Author

Commented:
Maybe a little backgound for a simple explaination will help:
I was in the hospital (or starbucks, hotel, etc...) - they had wireless connectivity over an non-secured access point.  My concern was that if I went to https://secure.logmein.com the password I used to get into THAT site and the info transmitted AFTER logging in would be readable by someone more wireless savy than myself.  I understand that if I log into my.yahoo.com (a non-secured/unencrypted site) that that info IS readable by someone (as it is unprotected packets) but I have come to learn that once I hit a secured site ALL data between me and that site is secured, even over an unsecured connection.  Originally I thought to get this security I would need to go layers deep into the secured sites (thus PC2 -> PC3) but PC1->PC2 would be open for snoopers.  SO:
Laptop (over open wireless) -> NON secured site = Visible and open for snooping
Laptop (over open wireless) -> Secured site = Encrypted connection (open for snooping, but transmissions are encrypted so un-readable)

Is this a correct assesment?
System Administrator
Top Expert 2011
Commented:
Laptop (over open wireless) -> NON secured site = Visible and open for snooping
Laptop (over open wireless) -> Secured site = Encrypted connection (open for snooping, but transmissions are encrypted so un-readable)

YES.
Syed_M_UsmanSystem Administrator
Top Expert 2011
Commented:
just to explain futher, when you type "s" after HTTP in your Browser, this doest not mean fully secure site but when login page come with specific User Name & Password mean secure Site.

Author

Commented:
so is the username and password sent to the https site to login open for anyone to see?
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
FULLY SECURE.
the time you receive URL with "s" asking for authentication user name & password (regardless of lenght/type/....), means secure Site.  
Jackie Man IT Manager
Top Expert 2010

Commented:
If I were you, I will not try to access https site in public hotspot unless that you are 100% sure that they are secured.

If I were you, I will try to RDP with my saved credential from my win 7 notebook to my home / work computer running Win 7 before I access other https website.

After all, if the route is not secured, it is not recommended.

According to DNAspark99, it says:-

"Https, while definitely throwing an extra layer of security in the mix, is not the be-all end-all preventive measure some would like to believe.

There are several 'tools' out there that can intercept and alter HTTPS streams. A SSL based MiTM attack usually works by modifying and then signing the server certificate. Because of the cert modification, the user will generally be prompted as to whether or not they'd like to accept a certificate that appears valid, relates to the right site, but is signed by a Certificate Authority they "haven't yet chosen to trust yet". The smart thing would be to click 'no', but then you can't proceed. A simple click of 'yes' and they get their site.... and guess what most users will do? After all, most folks don't know what a Certificate Authority even is! :p

Take it one step further, and if you can register your certificate with a trusted CA then the newly signed server certificate will be trusted automatically by most browsers. On the underground I would expect a handful of valid certificates to be circulating for this purpose. Or I suppose you could trick the user into recognizing your own CA through some basic redirection first, on a non-critical site somewhere where their 'guard' may be lower... and then you've literally '0Wn3D' 'em for whatever site they go to.

So, SSL/HTTPS is not necessarily secure, but then practically nothing is. As with most attack vectors, a lot depends on the users ignorance or impatience. THE USER IS ALWAYS THE WEAKEST LINK AND EASIEST TO EXPLOIT!!"

Source: http://www.bcsportbikes.com/forum/archive/index.php/t-94570.html

Author

Commented:
1. so you are saying that it is NOT secure when I log into a secured site (if there are no certificate warnings) and then connect to a remote PC via an encrypted link?  

2. If the connection between my PC and the other PC shows a certificate warning I would not proceed and try again.  This has happened if I am in a session and lose connectivity (IE the lease expires from the router and I have to revisit the router logon page and then try to resume the previous session which is still open in another window) If I receive this error I close the browser and start from scratch without getting the cert error.  (I NEVER proceed to past a cert error warning)

Without a RDP connection - is it safe to assume that this is "as secure" as I can get with a non secured connection?
Jackie Man IT Manager
Top Expert 2010

Commented:
If it is perfectly secured, why logmein offer LogMeIn Hamachi²?

https://secure.logmein.com/products/hamachi2/

User guide is in the link below.

https://secure.logmein.com/welcome/documentation/EN/pdf/Hamachi2/LogMeIn_Hamachi2_GettingStarted.pdf

As an IT expert, I cannot be pretty sure my notebook is free of malware. Malware can change what and how your OS handles certificate.

Pay a few more bucks to get LogMeIn Hamachi² and follow the guide below if you insist to use public hotspots.

http://www.associatedcontent.com/article/5557188/discover_how_to_browse_the_internet.html

Author

Commented:
Thank you.  I was asking the question due to a situation I sometimes find myself in.  Needing to access a client's PC remotely and not having the option of a secured connection.  I wanted to know the ramifications of connecting via an unsecured access point to a secured and encrypted site and I beleive the question was answered correctly and to my understanding.  I was not requesting a different way of securing a connection which is where some of the answers we leading me as I do not need a VPN to access data on another computer, but my desire is to remotely control a distant PC.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial