Is https traffic over an unencrypted wireless network secure?

21

1

This is something I've wondered for a long time. If I am, say, using Gmail over https, can someone read my IM conversations and emails if I use an unsecured wireless network? I assume that the data would be secure, since it is using an encrypted connection. Is there anything else to consider?

davidscolgan

Posted 2010-10-28T15:32:16.707

Reputation: 714

3

Related must-read article: Firesheep

– Sathyajith Bhat – 2010-10-28T15:46:16.537

1 I think that it was the article that prompted him/her to ask such a question on this subject. – JFW – 2010-10-28T16:11:52.517

Answers

21

I would think that someone could still perform a man-in-the-middle attack if you're on unsecured wifi (or even secured wifi, if they happen to find a way to be allowed on). This is why you need to always check that the SSL connection shows up green in your address bar and/or manually double-check that the certificate is valid when using unsecured wifi. Assuming that the certificate is correct, then the SSL should protect your data.

Darth Android

Posted 2010-10-28T15:32:16.707

Reputation: 35 133

@ewanm89 in real-time then yes MITM is impossible, but replay attacks still are. If the goal is to decrypt some information out of the traffic (as opposed to spoofing in real-time), this can always be done off-line at the attacker's leisure assuming he/she also sniffed the initial handshake by using a replay attack.

– Breakthrough – 2015-07-16T05:00:42.053

7 If truly SSL encrypted with properly checked, non-compromised SSL certificates, then a MITM attack is impossible. – ewanm89 – 2010-10-28T17:53:31.630

@ewanm89 Which is why I iterate that one needs to check the certificate when doing banking/email/anything sensitive over unsecured networks. If you don't notice that the certificate fails to validate, MITM is possible. Luckily web browsers these days make it very hard to not notice. – Darth Android – 2010-10-28T19:56:42.493

1 To add to @ewanm89, it isn't impossible to be a MITM and sniff packets -- just impossible to read them because they are encrypted. – None – 2011-06-24T20:04:18.497

Okay, that's splitting hairs. MITM and having a packet that looks just like random data is as pointless as not doing it in the first place in most cases. But yes, one could track what domain a computer is connecting to, but not know the actual data sent/received. Also, if we are going to be perfectly honest, I could in theory brute force the AES keys with enough computing power (hint: it takes a lot). – ewanm89 – 2011-10-26T16:29:36.803

Also, I assume the CA isn't compromised, one checks that the CA the site administrators did in fact go to that CA and asked the administrators what the certificate fingerprint should be by another channel. As one can see, properly checking an SSL certificate is rare (though it is done in applications like OpenVPN where the admin distributes the certs before connection, client too, to totally verify it). – ewanm89 – 2011-10-26T16:35:11.723

2

I think your reasoning is correct; to read your information they would need to decrypt the SSL. There would just be one less level of encryption for them to break, in order to access the encrypted data.

PeterT

Posted 2010-10-28T15:32:16.707

Reputation: 298

2

As long as your DNS and your browser's SSL rootkey servers are valid, then an attacker on the same unsecure wireless network as you cannot get into your SSL pipe with a server.

DNS is the big vulnerability in this area - if your DNS chain of servers gets infected by an attacker, then they can make all manner of things appear to be secure but in fact be insecure.

But if your question is whether a random hacker at an airport or coffee shop is going to be able to hack into your SSL pipe to your bank, the answer is almost certainly not.

stevemidgley

Posted 2010-10-28T15:32:16.707

Reputation: 545

1

Anyway, keep in mind that only the data inside the HTTP stream is encrypted but the URLs are not, so maybe someone can impersonate you.

Ignacio Soler Garcia

Posted 2010-10-28T15:32:16.707

Reputation: 1 729

2 This is simply not true. Everything in the requested URL except the domain name is encrypted before being sent through the secured connection. That includes the GET request itself. – Andrew – 2010-10-29T18:46:02.727

1

You also need to consider that the initial non-SSL pages are not protected.

Most secured sites you visit will redirect you from an http to an https url when you go to the login page, but on an untrustworthy network, you might be sent somewhere else by a man in the middle instead.

Consider that you could visit http://firstoverflowbank.com, which would usually redirect you to https://login.firstoverflowbank.com but on the unsecured network is set to send you to https://login.flrstoverflowbank.com instead. You likely won't notice, even if you take the time to check, and the browser will show everything as being secure.

To avoid this sort of thing, bookmark or type the https:// url directly, never rely on that redirect.

Andrew

Posted 2010-10-28T15:32:16.707

Reputation: 388
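Added example, not part of the original answer: a check that classifies where a redirect from a plain-http page lands, using the answer's own host names. It assumes the caller already knows the site's trusted domain; `classify_redirect`, its labels and the typo threshold of 2 edits are choices made for this example, and the lookalike comparison uses plain edit distance rather than a public-suffix list.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i            # prev holds the diagonal cell
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1,        # deletion
                                       row[j - 1] + 1,    # insertion
                                       prev + (ca != cb)) # substitution
    return row[-1]

def classify_redirect(target_url: str, trusted_domain: str,
                      max_typo_distance: int = 2) -> str:
    """Label a redirect target: insecure, expected, lookalike or unrelated."""
    target = urlsplit(target_url)
    host = (target.hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower()
    if target.scheme != "https":
        return "insecure"                   # still plain http: anything can be rewritten
    if host == trusted or host.endswith("." + trusted):
        return "expected"                   # the trusted domain or one of its subdomains
    # Compare the same number of trailing labels as the trusted domain has,
    # so "login.flrstoverflowbank.com" is measured as "flrstoverflowbank.com".
    tail = ".".join(host.split(".")[-(trusted.count(".") + 1):])
    if edit_distance(tail, trusted) <= max_typo_distance:
        return "lookalike"                  # valid HTTPS, wrong site, near-identical name
    return "unrelated"

TRUSTED = "firstoverflowbank.com"           # host name taken from the answer above
```

A "lookalike" result is the case the answer warns about: the connection is genuinely encrypted and the certificate can be valid for the wrong name, so the padlock alone does not reveal the substitution.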