
Don't use public wifi?


ford


I read an article from a security expert stating people should not use public wifi, especially for email or banking.

https://hbr.org/2017/05/why-you-really-need-to-stop-using-public-wi-fi

Surely everyone's banking site uses https nowadays, and for email as well (if they're using one of the main services like Gmail).

Is there really a problem?

And yes, I have ESET on my phone and my laptop, so I can split my question into:

a) Am I safe with ESET running?

b) Is https not going to encrypt all your passwords etc over the public wifi anyway?


  • ESET Staff

Hello Ford,

The connection between your client and the target homepage is SSL encrypted.

But if you use public WLANs, your traffic could be manipulated before the signal reaches the Internet.

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

So the attacker can just replace your SSL certificate and redirect your traffic.

Are you safe with ESET?

The phishing filter will help you a lot. If the router gets replaced by a MITM router, your client will "auto reconnect" and ESET will warn you about this.

But if you connect to every random Wi-Fi, there is a possibility your traffic gets manipulated. So always check which Wi-Fi you are trying to connect to.

 


Thanks for answering.

I don't connect to every random wifi, only ones I know, such as the Cloud network - assuming they're not being spoofed.

I've heard of man in the middle attacks but never realised anything could tamper with SSL. I thought you were safe seeing the green padlock in the browser and the correct domain name.


Thought those certificates were tamperproof - they were either correct or they weren't. That's a little concerning.

I'll have a read of the link you posted, cheers.


  • Administrators

SSL certificates can be obtained by anybody. I'd say there are still many users who don't even check the padlock icon in the address bar for https connections, and even fewer who check which CA actually issued the certificate. A green padlock does not automatically indicate 100% trustworthiness, as it's easy for anybody to obtain a certificate these days (let's mention just the "Let's Encrypt" CA issuing certificates used by many scam websites).

On the other hand, EV certificates can be generally trusted; they are mainly issued for bank institutions and it's not that easy to obtain one.


There is also a man-in-the-middle technique known as "dual forking." Your encrypted traffic can be intercepted and decrypted on one "fork" while the original encrypted traffic is held in suspense by the other fork. This allows the hacker to extract, for example, your logon and password data. Once the desired data is extracted, the suspended encrypted traffic is released. This technique bypasses any SSL encryption tampering validations since the original SSL encrypted traffic is never manipulated.

Below is an excerpt from an article on the subject of public Wi-Fi use. I recommend you read the entire article here: https://www.howtogeek.com/178696/why-using-a-public-wi-fi-network-can-be-dangerous-even-when-accessing-encrypted-websites/

Malicious Hotspots

Most dangerously, the hotspot you connect to itself may be malicious. This may be because the business’s hotspot was infected, but it may also be because you’re connected to a honeypot network. For example, if you connect to “Public Wi-Fi” in a public place, you can’t be entirely sure that the network is actually a legitimate public Wi-Fi network and not one set up by an attacker in an attempt to trick people into connecting.

Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop.

In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi. For example, sslstrip can transparently hijack HTTP connections. When the site redirects to HTTPS, the software can convert those links to use a “look-alike HTTP link” or “homograph-similar HTTPS link” — in other words, a domain name that looks identical to the actual domain name, but which actually uses different special characters. This can happen transparently, allowing a malicious Wi-Fi hotspot to perform a man-in-the-middle attack and intercept secure banking traffic.

The WiFi Pineapple is an easy-to-use device that would allow attackers to easily set up such attacks. When your laptop attempts to automatically connect to a network it remembers, the WiFi Pineapple watches for these requests and responds “Yes, that’s me, connect!”. The device is then built with a variety of man-in-the-middle and other attacks it can easily perform.

Someone clever could set up such a compromised hotspot in an area with high-value targets — for example, in a city’s financial district or anywhere people log in to do their banking — and attempt to harvest this personal data. It’s probably uncommon in the real world, but is very possible.

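Added example, not part of the original thread or the quoted article: a defender-side link check for the two rewrites the excerpt above describes (an HTTPS link downgraded to HTTP, or swapped for a homograph look-alike host). The domain `examplebank.test`, the function names and the short confusables table are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of look-alike letters (Cyrillic -> Latin); the full list
# is the Unicode confusables data (UTS #39), which this example does not load.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x",
                             "\u0443": "y", "\u0456": "i", "\u0455": "s"})

def to_unicode(host):
    """Decode punycode (xn--) labels so look-alike letters become visible."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as it was
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts used by the letters of one label, taken from Unicode names."""
    return {"LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold a host name to the Latin letters it visually resembles."""
    return unicodedata.normalize("NFKC", host).lower().translate(CONFUSABLES)

def check_link(url, expected_host):
    """Findings for a link that should point at https://<expected_host>/."""
    parts = urlsplit(url)
    host = to_unicode(parts.hostname or "")
    findings = []
    if parts.scheme != "https":
        findings.append("scheme-downgrade")
    if host != expected_host:
        same_look = skeleton(host) == skeleton(expected_host)
        findings.append("homograph-lookalike" if same_look else "unexpected-host")
    if any(len(scripts(label)) > 1 for label in host.split(".")):
        findings.append("mixed-script")
    return findings

# Constructed sample links; examplebank.test is a placeholder domain.
SAMPLES = ["https://examplebank.test/login",
           "http://examplebank.test/login",
           "https://exampleb\u0430nk.test/login"]  # Cyrillic "a" in "bank"

if __name__ == "__main__":
    for link in SAMPLES:
        print(ascii(link), check_link(link, "examplebank.test"))
```

The same check applied to links in a page fetched over an untrusted network shows whether anything between the client and the site has rewritten them.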

  • 1 month later...

So in a public location you're safer using your phone as a mobile hotspot for doing anything secure.

I imagine that's pretty safe? :-)

 

 

 

