0

If I'm using a device which isn't mine for accessing a website, then I assume the administrator of that device/LAN could read anything I do on it, no matter if it's an HTTPS connection or not.

But, what if I use my own device but I'm connected through a router of a private company? Could I be MITMed (assuming my device doesn't already have any kind of malware or so)?

Anders
Franzech Domâs

2 Answers

0

Yes. This is why you should use a VPN if you're working on an untrusted network and connect to a trusted network.

Jesse K
  • Could you please explain why/how I can be MITMed in that scenario? – Franzech Domâs Jul 05 '16 at 21:44
  • There are a number of possibilities. First of all, standard HTTPS actually uses basic TLS authentication, which is designed to prove to you that the remote server is who it says, but not that you are who you say you are. If an adversary controls the network, they could maliciously proxy your traffic through something like a BlueCoat appliance and intercept or alter it. – Jesse K Jul 06 '16 at 14:22
  • Another possible attack scenario is that generally you'll be using their DNS, which gives them a lot of possibilities for badness. For example, if you visit www.bank.com, they could intercept that request, not follow the https redirect and instead redirect you to http://www.bamk.com, which might be enough to snare the unwary user. – Jesse K Jul 06 '16 at 14:26
  • More: Again via proxy, they can misrepresent the ciphers that you support, forcing you to something insecure (SSLv3 for example), capture that traffic, and then decrypt it later. – Jesse K Jul 06 '16 at 14:30
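A client-side counterpart to the comments above on DNS-driven redirects and protocol downgrade, as an added example that is not part of the original answer or its comments: a TLS context that refuses anything below TLS 1.2, and a check that flags a redirect to a plaintext or near-miss host. The function names and the two-edit lookalike threshold are assumptions made for this illustration.

```python
import ssl
from urllib.parse import urljoin, urlsplit


def hardened_context():
    """TLS client context that verifies the server and refuses SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context()            # system trust store, CERT_REQUIRED
    ctx.check_hostname = True                     # certificate must match the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # a proxy cannot negotiate lower
    return ctx


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def redirect_problems(requested_url, location, max_edits=2):
    """Return reasons not to follow a redirect (empty list means it looks fine).

    max_edits is an assumed threshold for calling two host names lookalikes.
    """
    target = urlsplit(urljoin(requested_url, location))  # resolves relative Location
    src_host = (urlsplit(requested_url).hostname or "").lower()
    dst_host = (target.hostname or "").lower()
    problems = []
    if target.scheme != "https":
        problems.append("destination is not https")
    if src_host != dst_host and edit_distance(src_host, dst_host) <= max_edits:
        problems.append("lookalike host: %s -> %s" % (src_host, dst_host))
    return problems


if __name__ == "__main__":
    # Constructed redirects modelled on the www.bank.com example in the comment.
    for loc in ("https://www.bank.com/", "http://www.bamk.com/", "/login"):
        print(loc, redirect_problems("http://www.bank.com/", loc))
```
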
0

Maybe ... it's best to use an SSH Tunnel or a VPN

See Also: Is visiting HTTPS websites on a public hotspot secure?

Ref:

CaffeineAddiction