Open WIFI points

[Cheetah Designs]

Given most things are HTTPs now - is it still a risk using an open WIFI network? (with the assumption that SSL is secure)

 

[bremen1874]

Given that using a VPN is so easy why would you risk it?

 

[WYNIR0]

Given that using a VPN is so easy why would you risk it?

This X roughly a billion.

 

[ubern00b]

Never heard of a "man in the middle" attack then?

Some information if you haven't: https://en.m.wikipedia.org/wiki/Man-in-the-middle_attack

 

[Steveocee]

Never heard of a "man in the middle" attack then?

Some information if you haven't: https://en.m.wikipedia.org/wiki/Man-in-the-middle_attack

OP was implying that this wouldn’t be as much of an issue with the higher use of HTTPS though.

@Cheetah Designs whilst I see where you are coming from, far safer just to throw up a VPN make make certain anyway.

 

[ubern00b]

OP was implying that this wouldn’t be as much of an issue with the higher use of HTTPS though

But that quite literally is what a "man-in-the-middle" attack is. Any decent proxy pretty much can terminate the client ssl and establish its own server ssl session and read traffic between the two in plain text and you wouldn't know.

 

[Steveocee]

But that quite literally is what a "man-in-the-middle" attack is. Any decent proxy pretty much can terminate the client ssl and establish its own server ssl session and read traffic between the two in plain text and you wouldn't know.

Apart from the browser expects a signed certificate. You’d get an SSL error and hopefully would be sensible enough to navigate away.

I guess the semi safeguard is only there for https browsing though (dns-sec as well now?) but I agree, it’s not considered “safe”.

If you must use open WiFi, use a VPN.

 

[neil_g]

Wouldn't be too hard to trick a cert onto a client device (either user error or I think html5 can script it).

 

[ubern00b]

Wouldn't be too hard to trick a cert onto a client device (either user error or I think html5 can script it).

Yea, a lot of people (especially if asking a question like this) would just click "accept' when asked to install a security cert when joining the network. I mean, it's a SECURITY cert after all

 

[Cheetah Designs]

Yea, a lot of people (especially if asking a question like this) would just click "accept' when asked to install a security cert when joining the network. I mean, it's a SECURITY cert after all

That's a pretty large assumption. I am familiar with what a security certificate is. I didn't realize it was possible for joe bloggs to pretend to be Google though using some simple HTML5 - that doesn't sound right?

Are you all not assuming your VPN is secure?

 

[ubern00b]

That's a pretty large assumption. I am familiar with what a security certificate is. I didn't realize it was possible for joe bloggs to pretend to be Google though using some simple HTML5 - that doesn't sound right?

Are you all not assuming your VPN is secure?

I never mentioned HTML5 but we use GPO at work and to join our public WiFI it prompts you to install an SSL cert. That SSL cert is issued by our proxy for the sole purpose of SSL termination. This allows the proxy to inspect SSL traffic and is transparent.

I did say 'a lot of people' and if this does not apply to you then you don't fit that demographic so no need to feel offended.

 

[Cheetah Designs]

I never mentioned HTML5 but we use GPO at work and to join our public WiFI it prompts you to install an SSL cert. That SSL cert is issued by our proxy for the sole purpose of SSL termination. This allows the proxy to inspect SSL traffic and is transparent.

I did say 'a lot of people' and if this does not apply to you then you don't fit that demographic so no need to feel offended.

Ah right - so you'd still have to install a cert.

I'll rephrase my question then. Assuming I haven't installed an misc. certifications, is it still a risk to use open wifi points when using HTTPs...my understanding is that it is end-to-end encryption.