I have friends and family that travel/live in foreign countries, and compromised, insecure wireless networks and credit card scanners have always been a problem. I was recently asked a question about logging into personal bank accounts and other secure websites from these insecure locations.

I was under the impression that if you are using your own machine and connecting to a site that utilizes HTTPS from the moment you hit (compared to some that just use it on payment or login pages) that you were safe from most "reasonable" threats associated with a compromised wireless network. Am I wrong?

BenW301

4 Answers

First of all, you need to disable SSLv3 in your browser to prevent the POODLE attack (SSL3 "POODLE" Vulnerability).

Then, there's no issue using HTTPS even in "not safe" areas, because TLS protects you from Man-in-the-Middle attacks with its handshake, end-to-end encryption and certificate chain verification.

One common problem you could encounter is SSL stripping: the proxy you are connected to can force you to communicate over HTTP only, giving it everything in clear text, and then simulate an HTTPS connection with your targeted site. HSTS may prevent such a downgrade attack, but it's not actually widespread and presents some limitations with initial requests.

fmgp
  • TLS by itself will not protect you from a MITM attack; think fraudulent certificates issued by compromised (i.e. DigiNotar) or government-owned CAs. As a side note, SSL stripping is a form of MITM attack. – Eugen Constantin Dinca Jan 29 '15 at 06:46
  • @EugenConstantinDinca We are looking at securing banking transactions, not national secrets. I don't think that we are up against adversaries of that level. – limbenjamin Jan 29 '15 at 15:55
  • @limbenjamin To me, somebody getting to my bank account is more important than somebody getting to national secrets. And I see fraudulent certificates being created for banks and such. ymmv – Eugen Constantin Dinca Jan 30 '15 at 00:54
  • @EugenConstantinDinca Yes, you might value your bank account at $1 million, but remember, the adversary is looking for a profit. He is not going to spend $500,000 to hack an account with a $100,000 balance. – limbenjamin Jan 30 '15 at 01:48
  • @limbenjamin True, but they will if they think they can get 10 $100,000 ones or 100 $10,000 ones. What I'm saying is that TLS in itself, without certificate pinning and/or extra certificate verification (think Perspectives Project or Convergence.io), will not protect you from MITM attacks. – Eugen Constantin Dinca Jan 30 '15 at 18:25
  • @EugenConstantinDinca Everyone has different levels of paranoia. We'll just have to agree to disagree. – limbenjamin Jan 30 '15 at 18:47
  • I think this goes back to the golden rule of IT security, "there is always an exception". The key is not necessarily to be secure, it's just to be more secure than anyone else around you and have a very good backup plan for when your security is inevitably compromised. – BenW301 Jan 31 '15 at 03:06

For ultimate security you should disable HTTP in your browser when on untrusted networks. This can often be achieved by setting an invalid proxy address for HTTP traffic (e.g. 127.0.0.1) and leaving the HTTPS one to directly connect.

This is only really an issue if any of the sites you use are vulnerable to cookie poisoning attacks. See my answer here regarding an example where there is an XSS vulnerability due to the cookie value being reflected. Normally this cookie would be secure because it is only ever browseable over HTTPS. However, as cookies share the same origin over protocols (i.e. the Same Origin Policy for cookies is slightly more relaxed - http cookies can be read under https on the same domain), it could be poisoned by a MITM on an untrusted network to exploit the vulnerability.

If disabling HTTP is a step too far (as it would cause many sites to be inaccessible), then always using a VPN would be the way to go.

To avoid any CSRF vulnerabilities on sites you navigate to on an untrusted network you should open each trusted site in a new incognito or private session. This will stop any other websites from forging requests to your trusted site as the cookie will no longer be passed.

The above will also prevent POODLE attacks as a MITM attacker can't "get in the middle" due to HTTP not being enabled *, and also won't be able to include cookies in any cross-site traffic as your logged in session is in its own private session with isolated cookies.

Also note that a bank's website is unlikely to contain vulnerabilities that might loosen its own security on an untrusted network; the above are really tips to make you more secure on other, more vulnerable sites that you may browse on untrusted networks and may need to log into.


* By "get in the middle" I mean an MITM now cannot intercept a plain HTTP request and use that as the platform to inject HTTPS requests into the POODLE vulnerable site because plain HTTP is now disabled. The attacker would instead need to entice the user to visit the attacker's HTTPS site directly in order to have a platform available to send cross origin AJAX requests to the POODLE vulnerable site.

SilverlightFox
  • POODLE is a downgrade attack *within* HTTPS (from TLS to SSLv3), and POODLE-again is an attack within HTTPS/TLS against certain bad implementations. Blocking or restricting HTTP-clear is good for other things but irrelevant to POODLEs. – dave_thompson_085 Feb 26 '15 at 19:14
  • @Dave I meant the attacker would not be able to MITM a plain HTTP connection to another site and inject JavaScript to make requests to the vulnerable site. – SilverlightFox Feb 26 '15 at 20:27
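The cookie-scoping point in this answer (an http:// response can set or overwrite a cookie that the browser then sends over https:// to the same host), as an added example that is not the answerer's code: Python's standard-library http.cookiejar models a browser's cookie store, bank.example is a constructed host, the Set-Cookie lines are constructed samples, and HttpsOnlyCookiePolicy is my own class modelling the "HTTP disabled on untrusted networks" setup by refusing cookies that arrive over plaintext.

```python
import email.message
import http.cookiejar
import urllib.request


class CannedResponse:
    """Stand-in for an HTTP response: http.cookiejar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


class HttpsOnlyCookiePolicy(http.cookiejar.DefaultCookiePolicy):
    """Hypothetical policy: cookies delivered over anything but https:// are dropped,
    which is what 'disable plain HTTP' buys you with respect to cookie injection."""

    def set_ok(self, cookie, request):
        if request.type != "https":
            return False
        return super().set_ok(cookie, request)


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(policy=None):
    """Replay: a Secure session cookie set over HTTPS, then a Set-Cookie for the
    same host arriving over plaintext HTTP (constructed sample, host bank.example)."""
    jar = http.cookiejar.CookieJar(policy)
    # 1. The real site sets a Secure cookie during an HTTPS login.
    login = urllib.request.Request("https://bank.example/login")
    jar.extract_cookies(CannedResponse(["session=legit; Secure; HttpOnly"]), login)
    before = cookie_sent_to(jar, "https://bank.example/account")
    # 2. Some plaintext request to the same host is answered by a hotspot MITM with
    #    its own Set-Cookie. Cookies are keyed by (domain, path, name), not scheme,
    #    so this replaces the Secure one unless the policy refuses it.
    plain = urllib.request.Request("http://bank.example/")
    jar.extract_cookies(CannedResponse(["session=ATTACKER"]), plain)
    after = cookie_sent_to(jar, "https://bank.example/account")
    over_http = cookie_sent_to(jar, "http://bank.example/")  # Secure cookies stay off HTTP
    return before, after, over_http
```

With the default policy the injected value is what the HTTPS request carries afterwards; with HttpsOnlyCookiePolicy the HTTPS-set Secure cookie survives and nothing is ever sent over plain HTTP.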
I would say that you should tell them to use a trusted VPN.

Although they may think they are secure using HTTPS, it is possible for an attacker to set up a rogue Wi-Fi hotspot and then intercept SSL connections, removing the protection that HTTPS offers and seeing the data in plaintext.

If you use a VPN you know about and are sure that no-one can get into a Man-in-the-Middle position, you don't need to worry about this.

TimC

Use certificate pinning. (What is certificate pinning?, e.g. use browser plugin http://patrol.psyced.org/)

Then you can be 100% sure that you are talking to the bank server without anybody intercepting your conversation (on the network), even if the attacker uses a compromised root CA. The precondition is that your bank does not change its certificate too often (but banks shouldn't do that anyway).

fex