19

Suppose I log into a website, such as Twitter, from a 3G-enabled smartphone or similar device. How secure is this from interception? Can someone steal my password or login?

What if I use HTTPS? What if my device can only get a 2G signal or similar? Does it differ by country?

forest
  • 65,613
  • 20
  • 208
  • 262
Joe Dovahkiin
  • 293
  • 2
  • 5

3 Answers3

19

For HTTP, you rely on nobody being able to spy on your packets (or alter/drop/duplicate them) between your device (your smartphone or computer) and the target server. 2G and 3G offer some encryption, but only from your device to the nearest base station; encryption is "over the air". From the base station to the target server, there is no encryption (or, at least, nothing is standard-enforced), so you cannot assume that the data is protected. Besides, the 2G encryption is based on A5/1, which is known to be weak (and there are ways to force a given cell phone to switch back to A5/2, which is weak by design, and can be cracked in real-time). 3G uses KASUMI which, while academically weakened, is still beyond cracking with today's technology. However, I repeat, 2G/3G encryption is only against nearby adversaries, who limit themselves to the radio link between your device and the station. Don't use HTTP for transfers of valuable data.

HTTPS is HTTP-within-SSL. SSL has been designed to offer security (server authentication, confidentiality and data integrity) regardless of the transport medium. 2G/3G is irrelevant to the security of HTTPS. It depends on your browser / operating system (and, in particular, which certification authorities are accepted as "trusted roots"), not on the network.

Sean Newell
  • 103
  • 4
Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I wouldn't say 2G/3G is *completely* irrelevant. In particular in light of recent vulnerabilities exposed with TLS it might be useful to have the extra network layer security offered by these, were it possible your HTTPS session could otherwise be compromised. The 3G encryption scheme is more secure still. – robert Aug 19 '15 at 16:28
11

If HTTPS is being used, regardless of what the carrier network is, the functionality is the same. So, even if someone can actually sniff data that you send over 3G, they would have to do the same amount of work they would have to do to decrypt it when they get the encrypted data on an ethernet cable. This currently cannot be done. Hence, to answer your question, using HTTPS is secure and it does not differ by country.

On the other hand, if a simple HTTP connection is used, per https://serverfault.com/questions/311873/can-3g-networks-be-packet-sniffed-analyzed then definitely anyone can see your credentials.

sudhacker
  • 4,300
  • 5
  • 23
  • 35
  • 1
    not to mention, the server end probably isn't on the same 3G network, so that is http/https the same across the open net the same as your broadband connection. – ewanm89 Oct 10 '12 at 00:40
3

The HTTP or HTTPS protocol will be just as secure over 3G as with any other type of network (WiFi, wired, etc).

As ewanm89 points out, the 3G portion of the connection is only between your device and the phone network. Packets will still be sent between the phone network and the remaining servers along the path to the server you are trying to reach. If these packets are unencrypted then anyone along that route can potentially steal your credentials.

All things being equal, the country you are connecting from should not matter, unless a country were to take extreme measures such as blocking HTTPS.

Justin Ethier
  • 1,968
  • 3
  • 15
  • 20