mike2401 asked:
Is banking over coffee-shop wifi SAFE?

If my browser shows the padlock and my connection is httpS to the bank, does it matter that I'm banking over public wifi?

My buddy tells me that it would be safer if I was on a VPN, but is that like a tunnel inside a tunnel?  Is that over-kill?   Is httpS enough?

Is the encryption protection that VPN offers any BETTER than httpS?

Please make my latte / banking experience safer!!

Thanks,
Mike
David Akinsanya:

Definitely NOT SAFE!!! whether http or https
Your friend is correct
Use VPN if you have that to a private network you are part of instead

The difference in layman's terms.
While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others.

Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.
HTTPS protocol may be compromised by "man-in-the-middle" attacks, which an attacker can perpetrate if they get you to choose their WiFi as your connection. Coffee shop WiFi is not as bad as airports, but attacks are possible. You might want to use your phone's WiFi hotspot capabilities for more sensitive communications, it's harder for someone to get between your phone and your other device.

A public VPN adds an additional layer of safety. You may still be vulnerable to bad guys at the VPN provider, but nobody else would be able to get into the "middle" and access to your data. So, yes, it IS better than just relying on HTTPS.
ASKER CERTIFIED SOLUTION (Aard Vark): This solution is only available to members of Experts Exchange.
mike2401 (asker):

as to:

"Without the VPN, you're sharing network connection with others and everyone has capability to sniff all the traffic on that network including your bank transactions.":

@akinsd: Assuming I didn't accept a bogus certificate, and I see the lock and I'm in an SSL session with the bank, if someone sniffed my traffic, wouldn't they just see "white noise"??

Likewise, if I was in a VPN on the same network as someone else, if they sniffed, wouldn't they just see "white noise"??

Thanks for helping me understand useful sniffing,
-Mike
If your bank has an app, then that's the best (more secure) way to do banking online.
"While you're on VPN, you're not sharing the same network as others. Technically, you're no longer on the public wifi even though you're connected to it. So traffic leaving your computer cannot be sniffed by others."

That depends on whether you're forcing all traffic down the tunnel and, more importantly, what type of VPN you're using. PPTP VPNs, for example, are mostly unencrypted. Some VPNs allow split-tunneling. You need to make sure that split-tunneling isn't enabled if taking this approach, and that you use an IPSec VPN at the very least, which uses secure hashing and encryption methods.

As long as the site you access uses HTTPS and is secured with a certificate using SHA256 and an appropriate key length, you will be OK, provided that you are sure you're actually verifying the correct certificate before you pass any sensitive information over the SSL-encrypted connection. That comes down to education. If you're unsure, don't do it.
I only use my HUAWEI card or my iPhone as a connection point when not on a known trusted network. I have never had any issues doing this.

My laptop also has commercial antivirus and firewall protection which helps.
You can download wireshark and capture traffic for a few seconds while on the public wifi to analyze it. SSL is no longer as secure as it used to be and most secure government sites now require TLS instead. Google recently retired SSL on hosted domains as well.

Simply put
On a public wifi, everyone shares the same IP range and gateway, e.g. 192.168.1.1 - 253 and maybe a 254 gateway. Everyone on the network has the ability to see all traffic on the network but may not necessarily have the technology or expertise to crack the information. VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi - not all VPN connections use split tunnelling, and if one does, the access list can be modified to include banking sites to pass through the tunnel).

My goal is to convince you that your information is not safe on any public network. VPN is very broad and I won't go into details to avoid confusing you any further, at least for now.

Rule of thumb.
No network connection or environment has foolproof security. All security measures are meant to make penetration as difficult as possible, hence frequent changes in certificates (shorter life span), security keys, passwords, etc.

It's your money and your prerogative how you plan to protect it.
Here are some articles that may help
http://www.darkreading.com/attacks-breaches/ssl-drowns-in-yet-another-serious-security-flaw/d/d-id/1324521
https://en.wikipedia.org/wiki/POODLE
http://heartbleed.com/
https://freakattack.com/
"VPN isolates your traffic (uses a separate IP and gateway even though it's still on the public wifi."

As I said, only if it's encrypted, and even then the encryption and hash needs to be good enough.

"- not all VPN connection use split tunnelling and if it does, the access list can be modified to include banking sites to pass through the tunnel)"

Good luck with that.  I wouldn't want to write the ACL to include each bank's IP address :-)

The links you posted, Akinsd, are all pretty much old news now for banks if they value security. DROWN, Heartbleed and POODLE vulnerabilities have been fixed in any reputable system's X.509 certificates, so they're really not an issue now, and all recent browsers use SSL/TLS and disable legacy protocols. Of course, they are still an issue for some sites.

As I said, if you don't know what you're doing or know how to properly verify the server certificate, etc, don't do anything that requires security on a public network; wireless or wired.  That's not to say that your home network is completely safe though :-)
Yikes! Scary @Akinsd: How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?

Separate from where I am, I would like to know if they are securing my transaction in Chrome.

Thx

Mike
The world is moving to TLS for sure, but SSL is not hopelessly insecure. It is better than nothing for sure. But I still use my own connection and stay away from public connections. Not worth the risk.
Thank you everyone!
For whatever it's worth.
Please do NOT use public networks for sensitive transactions.
Most organizations that provide public Wifi usually warn you that your traffic may be visible to others.
Please don't learn the hard way!

That's my 2 cents
btan:

"How do I know if Wells Fargo, ALLY Bank, Citibank, etc. use older SSL vs. newer TLS?"
Try an online scan, which is also commonly used for a compliance snapshot check.
https://www.ssllabs.com/ssltest/
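A local version of the same check, added here as an example and not part of btan's answer: it builds a client context that refuses anything older than TLS 1.2 and insists on validating the server certificate against the hostname, then reports which protocol and certificate a site actually negotiates. The helper names (strict_client_context, classify_protocol, inspect_host) are my own; the script only uses Python's standard ssl and socket modules.

```python
import socket
import ssl
from typing import Dict

def strict_client_context() -> ssl.SSLContext:
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True,
    # so a site whose certificate does not match the name is rejected, not warned about.
    ctx = ssl.create_default_context()
    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 outright rather than letting the server choose.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def classify_protocol(version: str) -> str:
    # Map the negotiated protocol name (as returned by SSLSocket.version()) to the
    # rough categories the thread talks about: modern TLS, legacy TLS, obsolete SSL.
    if version in ("TLSv1.2", "TLSv1.3"):
        return "modern"
    if version in ("TLSv1", "TLSv1.1"):
        return "legacy-tls"
    return "obsolete-ssl"

def context_policy(ctx: ssl.SSLContext) -> Dict[str, str]:
    # Summarise the settings that matter so they can be checked without a network.
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": str(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }

def inspect_host(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    # Connect with the strict context; any handshake or certificate failure raises
    # ssl.SSLError, which is the desired outcome for a site that cannot meet the policy.
    ctx = strict_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
            return {
                "protocol": version,
                "rating": classify_protocol(version),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:   # e.g. python check_tls.py www.example.com
        try:
            print(host, inspect_host(host))
        except (ssl.SSLError, OSError) as exc:
            print(host, "REJECTED:", exc)
```

Because the context refuses to complete a handshake below TLS 1.2, a bank that only offered legacy SSL would show up as REJECTED rather than silently connecting, which is the behaviour you want from a client before typing a password.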
Great link @btan !!!

Glad my bank gets an A !!!