I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....

Anne
Typically SSL-secured sites will at least keep your login credentials safe. However, someone can still see where you're going by sniffing your traffic. If you're very concerned, set up an OpenVPN tunnel that routes all of your traffic through it. Then, the only thing they'll see from the start is an SSL connection to somewhere, and that's it.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- "Anne Wilson" <cannewilson at googlemail.com> wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
>
> Anne
Anne Wilson wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....

This is part of my real-life job....

It is relatively easy to attempt an ARP poison attack on a wireless network. Even an encrypted one (of course the attacker has to be a legal user of said encrypted network). Once the attacker has poisoned your and the router's ARP caches, he can then use a tool like DSNIFF to insert himself into your HTTP flows. Thing is, he cannot fake web site certs; he has to use his own. Be VERY restrictive on what you will accept as certs on a public wireless network. Actually look at their content, making sure who signed them. It is actually wise to store your bank's certs on your system, then only accept stored certs, even to excluding (or at least first reviewing) certs signed by trusted authorities like Verisign. If you validate the cert, the man-in-the-middle SSL attack fails.

BTW, at IETF conferences we have had people running bogus SSH servers through DSNIFF and other tools, and you had to watch the SSH fingerprints as well.
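The "store your bank's certs, then only accept stored certs" advice above, as an added example that is not code from the thread: a small certificate pin check in Python. The hostname `bank.example` and the DER byte strings are constructed placeholders; a real pin is recorded from a certificate captured on a network you already trust, and the pinned connection keeps the normal CA and hostname checks in front of it.

```python
import hashlib
import socket
import ssl

# Constructed pin store: hostname -> SHA-256 fingerprints (hex) of the leaf
# certificate in DER form, filled by record_pin() on a trusted network.
PIN_STORE: dict[str, set[str]] = {}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the raw DER bytes, the same value that
    `openssl x509 -fingerprint -sha256` prints (without the colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def record_pin(host: str, der_cert: bytes, store: dict = PIN_STORE) -> str:
    """Store a certificate seen on a trusted network so it can be checked later."""
    fp = fingerprint(der_cert)
    store.setdefault(host, set()).add(fp)
    return fp


def check_pin(host: str, der_cert: bytes, store: dict = PIN_STORE) -> bool:
    """True only if this exact certificate was stored for this host.
    A certificate a public CA issued for someone else's key has a different
    DER body, so its fingerprint differs and it is rejected even though the
    CA chain itself would validate."""
    return fingerprint(der_cert) in store.get(host, set())


def connect_pinned(host: str, port: int = 443, store: dict = PIN_STORE) -> ssl.SSLSocket:
    """Open a TLS connection that passes the normal CA/hostname checks AND
    the pin check; raises before any request is sent otherwise."""
    ctx = ssl.create_default_context()  # CA validation + hostname check
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(host, der, store):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate for {host} is not the pinned one: {fingerprint(der)}")
    return tls
```

Call `record_pin()` once at home with the certificate bytes from `getpeercert(binary_form=True)`, then use `connect_pinned()` on the road; a changed fingerprint on a public network is the signal to stop and look at who signed the presented certificate.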
On Wed, Dec 24, 2008 at 9:46 AM, Anne Wilson <cannewilson at googlemail.com> wrote:
> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....

I would not consider using a Public terminal without booting from my own Live CD. If you are bringing your Laptop, use as much encryption as is possible. There is risk and others have and will comment on that.
Lanny Marcus wrote:
> On Wed, Dec 24, 2008 at 9:46 AM, Anne Wilson <cannewilson at googlemail.com> wrote:
>> I would like to be able to check my bank account while we are on holiday. I know the bank's site is encrypted from the start - the login page is https and Verisign-trust encrypted - but is there any risk in using public wireless networks for jobs like this? It sounds secure enough, but maybe I'm paranoid....
>
> I would not consider using a Public terminal, without booting from my own Live CD. If you are bringing your Laptop, use as much encryption as is possible. There is risk and others have and will comment on that.

"as much encryption as is possible" just strikes me all wrong.

"Use the RIGHT amount of intelligence."

I have pointed out a MITM attack where no amount of encryption is a protection, as you are social engineered to allow for a MITM listener.

My boss, Peter Tippet (author of the first antivirus tool), has long pointed out that your security cost is a product of a number of factors. If any of these factors are zero, your cost is zero. Your goal is thus to make one of the factors you can control zero instead of running around trying to address every little security event.

ARGH, I am rambling here.....
On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> Lanny Marcus wrote:
> "as much encryption as is possible" Just strikes me all wrong.
>
> "Use the RIGHT amount of intelligence."

I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows.
On Dec 25, 2008, at 5:43 PM, Lanny Marcus wrote:
> On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> Lanny Marcus wrote:
>> "as much encryption as is possible" Just strikes me all wrong.
>>
>> "Use the RIGHT amount of intelligence."
>
> I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows

I am always careful when I travel, but I also realize that the main way that *my* information is *statistically* and *realistically* likely to be stolen is... someone stealing my paper mail. If I were logging into client boxes while I travel that is a different concern of course.

B
Lanny Marcus wrote:
> On Thu, Dec 25, 2008 at 9:49 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> Lanny Marcus wrote:
>> "as much encryption as is possible" Just strikes me all wrong.
>>
>> "Use the RIGHT amount of intelligence."
>
> I agree with you, 100%. Not well written. The goal, obviously, is to be as safe as possible. If she is going to use a Public terminal, I believe my idea of booting from a Live CD is the best thing she can do. And, the easiest. No footprint left on the machine she uses, after she reboots it back to M$ Windows.

The only way to begin to trust a public system.