How Safe Is SSL In a Public Place (Airport/Coffee Shop)

5

If someone is monitoring all of the traffic on a network, and then I connect to it, and log into a website that is protected with SSL - is there any security risk?

Rob

Posted 2011-05-20T16:42:53.323

Reputation: 747

Answers

9

Some, but there is risk everywhere.

Extra diligence is required, however, to ensure that your certificate is valid.

Never accept a self-signed or expired certificate in this scenario (you'll see security warnings from modern browsers). Click on the lock next to your URL to ensure everything looks good!

Ensure that the site is using complete SSL and not mixed mode (some elements encrypted, others not, or login via HTTPS that pops back to HTTP afterwards) and you should be all right to use it.

Jeff F.

Posted 2011-05-20T16:42:53.323

Reputation: 4 293

5 To elaborate on this some, the site must be using an SSL certificate issued by a legitimate and trusted CA (if it is, your browser will silently accept it), and you must make sure that you don't ignore any warnings that the certificate may not be legit. If the site is using a self-signed certificate, an expired certificate, or one that is issued by a CA your browser doesn't know/trust, verifying that you're connected to the site and not an attacker's computer becomes extremely difficult. – Kromey – 2011-05-20T16:51:54.210

@Kromey True enough. And make sure you're using a modern browser. – Jeff F. – 2011-05-20T17:24:18.923

3 For what it's worth, there are concerns about the "chain of trust" concept used by the CA system, as it turns out that several smaller CAs have been issuing incorrect certificates for major websites. You aren't likely to be affected, but it is possible. – Lukasa – 2011-05-20T17:24:43.313

@Lukasa True, but exploiting this would require quite the conspiracy and there are easier ways to gain access to data. – Jeff F. – 2011-05-20T17:27:38.657

@Jeff F.: Oh, absolutely, and I don't spend my day-to-day life panicking about every SSL certificate I see. Nevertheless, it is worth noting that an SSL-based impersonation is not theoretical. – Lukasa – 2011-05-20T17:33:48.470

For Firefox, Certificate Patrol and Perspectives can help in such situations. – user1686 – 2011-05-21T10:13:45.887
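The two kinds of diligence this answer and its comments ask for can be scripted. The following is an added example, not code from the original thread or from any of its posters: `check_certificate()` applies the checks Kromey lists (expired, not yet valid, self-signed, hostname mismatch) to the dict that Python's `ssl.SSLSocket.getpeercert()` returns, as a layer on top of the CA chain verification the `ssl` module and the browser already do; `find_mixed_content()` scans the HTML and headers of an HTTPS response for the mixed-mode problems Jeff F. describes (plain-HTTP scripts and form actions, a redirect back to HTTP after login, cookies without the `Secure` flag, no HSTS). The `example.test` host names, the sample certificate dict, the sample HTML and headers are all constructed for the example.

```python
"""Added example: TLS hygiene checks for logging in from an untrusted network."""
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _dn(rdn_sequence):
    # getpeercert() gives subject/issuer as a tuple of RDN tuples, e.g.
    # ((("countryName", "US"),), (("commonName", "www.example.test"),))
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def _hostname_matches(pattern, hostname):
    # RFC 6125 style: exact match, or a single leading "*." that covers exactly
    # one label (so *.example.test matches www.example.test but not example.test).
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def check_certificate(cert, hostname, now=None):
    """Return a list of problems with a getpeercert()-style dict; [] means clean.

    Chain/signature validation is left to the TLS library; these are the extra
    policy checks a user is told to do by hand when on a hostile network.
    """
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if _dn(cert["subject"]) == _dn(cert["issuer"]):
        problems.append("self-signed (subject == issuer)")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        problems.append("no DNS subjectAltName")  # browsers no longer accept CN alone
    elif not any(_hostname_matches(name, hostname) for name in names):
        problems.append(f"hostname {hostname!r} not in {names}")
    return problems


_RESOURCE_TAGS = {"script", "img", "iframe", "embed", "object", "audio", "video", "source", "link"}


class _MixedContentScanner(HTMLParser):
    """Collects sub-resources and form targets that use plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in ("src", "href", "action", "data"):
                continue
            if urlsplit(value.strip()).scheme.lower() != "http":
                continue
            if tag == "form" and name == "action":
                self.findings.append(f"form submits to {value}")
            elif tag in _RESOURCE_TAGS and name in ("src", "href", "data"):
                # Plain <a href="http://..."> links are navigation, not mixed content.
                self.findings.append(f"<{tag} {name}> loads {value}")


def find_mixed_content(html, headers):
    """Scan an HTTPS response (body + list of (name, value) headers) for ways the
    session drops back to plain HTTP. Returns a list of findings; [] means clean."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    findings = list(scanner.findings)
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and urlsplit(value.strip()).scheme.lower() == "http":
            findings.append(f"redirects to plain HTTP: {value}")
        elif lname == "set-cookie":
            attributes = [part.strip().lower() for part in value.split(";")[1:]]
            if "secure" not in attributes:
                findings.append(f"cookie without Secure flag: {value.split(';')[0]}")
        elif lname == "strict-transport-security":
            hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample input (no real site); shaped like getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "www.example.test"),),),
    "notBefore": "May 20 00:00:00 2011 GMT",
    "notAfter": "May 20 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 20 12:00:00 2011 GMT")
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<form method="post" action="http://www.example.test/login">
<input name="user"><input name="pass" type="password"></form>
<img src="https://www.example.test/logo.png">
</body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; Secure"),
    ("Location", "http://www.example.test/home"),
]

if __name__ == "__main__":
    for problem in check_certificate(SAMPLE_CERT, "www.example.test", now=SAMPLE_NOW):
        print("cert:", problem)
    for finding in find_mixed_content(SAMPLE_HTML, SAMPLE_HEADERS):
        print("page:", finding)
```

Against the sample, the certificate check reports only "self-signed" (it is inside its validity window and names the host), and the page scan reports the plain-HTTP script, the login form posting over HTTP, the session cookie without `Secure`, the redirect back to HTTP, and the missing HSTS header. On a live connection you would feed `sock.getpeercert()` into `check_certificate` and the response body and `resp.getheaders()` into `find_mixed_content`.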

0

If you haven't pruned the CA root list in your browser, then you shouldn't feel great about having privacy from government entities. Otherwise, if your system is patched/current and so is the server's, and you are doing reasonable validity checking (expiration, chain validity, certificate status), you are probably in reasonable shape against unsophisticated attackers.

Ram

Posted 2011-05-20T16:42:53.323

Reputation: 977