Wifi and Computer Security

[Vagabond Vince]

I'm wondering what everyone's experience is using https.  If I am using my own computer (no keylogging risk) and I log onto a website using https is that safe enough?  For example say I check my email, or in the worst case scenario need to do some online banking will I be safe?

I realize that nothing is 100% safe, but has this been safe for you guys? 

[Vagabond Vince]

here's some links I found addressing some of the issues... basically they say that it's supposed to be safe.  I'd still prefer real experiences from real people and not the guys at W3C.

I did find an article about a vulnerability in using gmail with https (SSL)



Articles saying it's safe
http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2006%2Fs1702%2F18s02%2F18s02.asp
http://ask-leo.com/is_an_https_connection_really_all_that_safe.html

Gmail SSL vulnerability
http://blog.wired.com/27bstroke6/2008/01/ssl-gmail-not-a.html
http://www.securityfocus.com/archive/1/475658
http://blog.icir.org/2008/02/sidejacking-forced-sidejacking-and.html

[Greg]

Hey Wincen,

Believe it or not, I used to do network security for a living at IBM back before I turned vagabum.....

SSL is an encryption that is supposed to protect you from people "sniffing" the air for wireless network packets and then analyzing them to get your password. I can say first hand that
its damn hard and requires perfect timing / multiple attempts to do. Its highly unlikely that someone would target you so specifically unless you're really a spy and not telling us.   Sounds like the vulnerability is with the way that GMAIL handles the logins because it tries SSL, then goes to non-SSL and they grab the authentication cookie. That means online banking should be fine.

If you're still worried about it, you can protect your Gmail account by making sure you hit "logout" and deleting the cookies on the browser. If you use Firefox (www.getfirefox.com) which is WAY more secure than Internet Exploder, you can just push ctrl+shift+del to delete them every time.

Are you traveling with your own laptop?  I didn't the first year and was fine using internet cafes but I did see 2 different instances where the icon to start the browser had been changed to start a keylogger script first. It made me more conscious....the kids that work in these cafes could grab traveler's passwords all day long.  I just made it a point to change my passwords every few weeks and when I got home, just in case they wanted to play.

[Vagabond Vince]

yeah i brought my own because i dont want to worry aabout things like keyloggers.  plus i do love being online...

i brought a tiny netbook because it's cheap (relatively speak) and really small.  i'm using an asus eeepc, the original 701 model.  i managed to install eeexubuntu on it so i have a full blown computer at my finger tips.  it is linux and so it's good for just basic tasks for most people or just not for them at all.

if other people are intereted in one, newer models and competiors have versions with windows xp and vista.

i used to work in tech too actuall, specifically software engineering.  maybe there's something about our field that drives us away from it.  hmmmm.....

yeah, so working with tech made me a little extra paranoid i think.... because while i know Ssl is supposed to be really difficult to hack. i also know that nothing is 100% secure with computers.  that's why i was wondering if anyone ever ran into problems. 

i mean, some guy parallelized a bunch of ps3, used their own parallel processors and found a way to crack encrytions even faster than ever before due to their cell processors. 

but anyay, thanks, i feel more secure knowing that at least you've used it securly and confidently.  i think the most important thing is have people actually used https (SSL) over an unencrypted wifi singal and been safe more than theory.

changing passwords frequently is good... but  hate it when you finally have a really good secure password and have to think of a new one every 6 weeks (does that sound familiar to anyone else... it's only every workplace ever)

[Greg]

Excellent setup....I run Fedora myself...it feels so good not to put any more money into Microsoft's coffers.

If I'm not mistaken the issue with HTTPS is based around a cookie sent in the clear, so that's easy enough to manage.

You're right about the tech industry making people snap and find themselves slirping Pad Thai on an island somewhere. I wasn't the first....and
I won't be the last. 

[IndieTravel]

There's a setting in the gmail account which forces it to use SSL all the time. I think it addresses this vulnerability, but I'm not sure. In any case it's worth turning on.

[Vagabond Vince]

Generally as long as the website uses encryption, ie https://whatever.com, you should be fine.  I believe sites that use paypal do use encryption.  I didn't visit the site, but as long as it's not a scam and uses https you should be fine.

I posted this topic before I left because I had never traveled before.  I've done it, and I used the internet everywhere.  As long as you are smart and only connect to vital websites using encryption you should be fine.

[Marc]

Wherever you connect to the internet that service is your ISP for the duration of your connection and can see mostly what they like. Use a VPN (virtual private network) and encrypt all your traffic. HTTPS or not if your connection is through a VPN everything you do is encrypted.

There are free VPN's such as TOR but like anything free there are always drawbacks and in this case it will be speed. A paid VPN is very cheap, iPredator is what I use.