Linked by Igor Ljubuncic on Mon 2nd Apr 2012 15:41 UTC
You have just bought tickets to an exotic vacation spot. You board the flight, you land safely, you pull your netbook from your backpack, fire it up, and then check if there are any available wireless networks. Indeed there are, unencrypted, passwordless, waiting for you. So you connect to the most convenient hotspot and start surfing. Being addicted as you are, you want to log in to your email or social network just to check if something cardinal happened in the world during your four-hour flight. You're about to hit the sign in button. Stop. What you're about to do might not be safe.
Firefox and Chrome
by WereCatf on Mon 2nd Apr 2012 21:52 UTC
WereCatf Member since:
2006-02-15

One thing that I personally like to use even at home is HTTPS Everywhere; an addon that tries to always use HTTPS on every possible site so that none of your details actually go over the wire in plaintext. I'm fairly certain most of the people here have heard of e.g. the Firefox addon that allows you to browse Facebook as another user as long as the user is logged in on the same network. Well, this addon thwarts that one and many similar ones.

Good thing about this addon is that it requires no set-up, can be safely installed on computer-luddites' devices, and at least so far I have not found a single website that would've experienced any glitches due to it.

Reply Score: 2

RE: Firefox and Chrome
by rhavenn on Tue 3rd Apr 2012 00:05 in reply to "Firefox and Chrome"
rhavenn Member since:
2006-05-12

Do you actually look at the certs given to your HTTPS connections? In a "hostile" environment trusting HTTPS to be secure isn't much better and often gives a false sense of security. It's pretty trivial to just proxy any HTTPS traffic for a user and unless you actually look at the cert you'll never know. I will admit that if your data stream between you and siteA is legit that people in between can't sniff it, but if you're starting out in a hostile area it can't be trusted.

The only way to be secure in a hostile environment is a key-based structure (SSH, VPN, etc.) where you already know the key on the other end. I.e., you SSH to your home box and get a prompt for a new key, that you know you've been to before; one would be a fool to continue.

A bootable CD distro and a USB key with your various keys (SSH, VPN, etc...) pre-setup is a good way to go.

I'm not saying this isn't a pain in the ass, but unfortunately real security normally is these days.

Reply Parent Score: 2
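
The known-key check described in the comment above, as an added example that is not part of the original thread: it compares the key a server presents with entries pinned in OpenSSH `known_hosts` format (plain and hashed host names) and refuses anything but an exact match. Host names, salt and key blobs are constructed; wildcard patterns and `@cert-authority`/`@revoked` markers are not handled.

```python
import base64, hashlib, hmac

def b64(raw):
    return base64.b64encode(raw).decode()

def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    return "SHA256:" + b64(hashlib.sha256(base64.b64decode(key_b64)).digest()).rstrip("=")

def host_matches(pattern, host):
    """Match a known_hosts host field: hashed (|1|salt|hash) or a plain comma list."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def check_host_key(known_hosts, host, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key the server presents."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers (not handled here) and malformed lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if not host_matches(fields[0], host):
            continue
        seen = True
        if fields[1] == key_type and hmac.compare_digest(fields[2], key_b64):
            return "match"
    # A pinned host that shows any other key counts as changed (conservative).
    return "changed" if seen else "unknown"

def safe_to_connect(result):
    """Policy for an untrusted network: only a key pinned beforehand is acceptable."""
    return result == "match"

# Constructed sample data: host names, salt and key blobs are made up.
PINNED = b64(b"constructed-home-box-public-key")
ROGUE = b64(b"constructed-interceptor-public-key")
SALT = b"constructed-salt"
HASHED_HOST = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"home.example.net", hashlib.sha1).digest()))
KNOWN_HOSTS = "# pinned at home\n%s ssh-ed25519 %s\nvpn.example.net,192.0.2.10 ssh-ed25519 %s\n" % (HASHED_HOST, PINNED, PINNED)

if __name__ == "__main__":
    for host, key in [("home.example.net", PINNED), ("home.example.net", ROGUE), ("cafe.example.org", PINNED)]:
        result = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(host, fingerprint(key), result, "connect" if safe_to_connect(result) else "abort")
```

On an untrusted network both `changed` and `unknown` end in an abort, since a first-use prompt there cannot be told apart from an interception.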

RE[2]: Firefox and Chrome
by WereCatf on Tue 3rd Apr 2012 03:04 in reply to "RE: Firefox and Chrome"
WereCatf Member since:
2006-02-15

Do you actually look at the certs given to your HTTPS connections? In a "hostile" environment trusting HTTPS to be secure isn't much better and often gives a false sense of security. It's pretty trivial to just proxy any HTTPS traffic for a user and unless you actually look at the cert you'll never know. I will admit that if your data stream between you and siteA is legit that people in between can't sniff it, but if you're starting out in a hostile area it can't be trusted.


How do you plan to proxy SSL traffic without having the browser complain about an incorrect certificate? Besides, you'd need to actually be able to intercept the data stream first to even set up a proxy, meaning that you'd need to be in control of the wifi hotspot, the machine issuing DHCP replies, or one of the machines between the user and the target website. A random machine in the same network can't just start routing your traffic.

Reply Parent Score: 2