1

Because of my job I keep traveling around Europe, which means I keep connecting to all kinds of public wireless. In principle I could use a VPN and that should be always safe (is this statement right? This is my current approach)

But I also know (superficial google/wiki knowledge) about how https and mitm attacks work. My understanding is that as long as I'm browsing on https (ie, never going from http to https so I can't be attacked with something like sslstrip) and I don't accept/install any certificates when connected to these public networks, I should be fine. Is this right? Is https safe enough nowadays?

Is there anything else other than certificates and being always under https I should be caring about?

Scarlehoff
  • 13
  • 3

2 Answers2

0

There are plenty of places that have Wi-Fi systems riddled with problems and if you are using them a lot, I would say - NO that's not enough by a long way.

My reasoning is that HTTPS is hard to get right and relatively easy to break. In addition, you are still leaking a fair bit of information when browsing over HTTPS.

Apart from the usual protections (anti-virus, etc). Running the latest OS fully patched. Using full disk encryption. That is the starting point. BTW, if using Windows, do yourself a favour and make sure it is W10 latest version.

Next up is hardening your browser. Firstly get a great ad-blocker - too many drive-by attacks now come via rogue adverts.

But the thing you should most invest in is a VPN solution. This is really the only realistic way to retain a good level of security when travelling a lot. Run your own or buy a decent 3rd party solution but that's the need.

If you are travelling to certain locations and have high-value data on your PC, even that may not be enough. In those locations you need a hardened VPN solution that kicks in before login. You should also ensure that you never walk away from your PC with it left in standby or on the login screen.

Oh, one other thing. Check local laws before you go. I think everywhere in Europe is OK but in some other countries, it might be illegal to use some of that technology. Also be careful if you take the same laptop from Europe to the USA. US Border staff are notorious for demanding access to laptops and that could put you at odds with the EU data protection laws. Better in those cases to empty all data from the laptop (with a secure delete program) and then securely download it (via VPN of course) when in-country.

Enjoy your travels!

Julian Knight
  • 7,102
  • 18
  • 23
  • Assuming one pays attention to make sure one actually is on an https page, what exactly are you worried about in terms of getting https wrong or breaking it? – Ben Sep 15 '16 at 00:37
  • The OP is talking about a lot of travelling. It only takes a single mistake or loss of attention to be compromised. Not worth the risk even if you don't think you might be a specific target. There are also plenty of attacks that can slip in malware even from a compromised Wi-Fi with an infected captive portal page. – Julian Knight Sep 15 '16 at 05:35
  • One correction (you forgot a NOT): "BTW, if using Windows, do yourself a favor and make sure it is NOT W10." /Fixed. No, it's not sarcasm, it's proven bad practice from W10 to report anything higher up. – Overmind Sep 15 '16 at 08:06
  • 1
    @Overmind So you're suggesting that a Windows user should not use the latest and up-to-date software? Sounds like bad advice to me. – Jordan Melo Sep 15 '16 at 15:39
  • Thanks for the advice, luckily I use either Linux or Os X. Still, as far as I understand from the answer https will only be broken if there's a mistake on my side. I'm going to keep using the VPN but it's good to know that https is _mostly_ safe if I can't use the VPN for whatever reason. – Scarlehoff Sep 15 '16 at 18:33
  • @Overmind: Sorry, I'm not getting you there I'm afraid. While W10 has concerns over what data is sent to MS, there is no doubt that it contains many security improvements overall, especially the latest release. – Julian Knight Sep 15 '16 at 19:43
  • @Scarlehoff: Not just on your side I'm afraid. There are MANY things that can go wrong with HTTPS. VPN helps but unless you have a high-security VPN client that deals with the initial handshake problem, it isn't perfect by any means. Linux & OS/X are really no more secure than W10 now. Be sensible, check for malware regularly, if in doubt switch to 4/5G. If away for extended periods, carry a USB stick that has hardware read-only with a reset for your OS and any recovery tools. – Julian Knight Sep 15 '16 at 19:47
0

The main weakness of web browsing in regards to plain HTTP and encrypted HTTPS is that the Same Origin Policy does not protect cookies.

That is, if any site you visit is vulnerable to cookie poisoning attacks then you are vulnerable across an insecure network.

This is because the Same Origin Policy for cookies is more lax than elsewhere, meaning that a plain HTTP connection can set cookies that are read by an HTTPS connection to the same domain.

If you wish to mitigate this, you should disable plain HTTP within your browser. To do this, set the plain HTTP proxy to a closed port on your local machine. e.g. 127.0.0.1:1984.

An alternative is to use an external VPN service, and only allow network traffic once this has been established. A less drastic approach would be to use HTTPS Everywhere, however make sure that rules exist for all sensitive sites that you visit.

Also see:

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185